Somebody in government realises that the Australian data breach notification regime is “bloody useless”. Hardly a revelation.

October 2, 2022

Politics and cyber security continue to occupy the same field in what is now the Optus data breach saga. In “‘Bloody useless’: Companies could be forced to report data breaches after hacks”, Home Affairs Minister Clare O’Neil has expressed exasperation about the weakness, if not uselessness, of the data breach notification regime. It has hardly been a secret, and it is hardly a surprise: the weaknesses of the data breach notification scheme were obvious right at the outset. I have been writing on this for ages.

The story provides:

Cyber Security Minister Clare O’Neil has opened the door to compelling companies to report data breaches and reconnect services after a hack, declaring the current laws were “bloody useless” in dealing with the Optus attack.

The Albanese government is frustrated at the previous government’s much-hyped critical infrastructure laws in responding to the Optus breach of 9.8 million Australians by an anonymous hacker.

O’Neil, who is also Home Affairs Minister, said the laws – which were passed in 2018 but were significantly overhauled earlier this year – were important and would over time “do a lot to help Australia prevent successful cyberattacks in critical sectors”.

“But in trying to use this law to help us manage an emergency cyber incident – which it is absolutely meant to do – it was completely bloody useless,” she said.

The Coalition never included telecommunications in the Security of Critical Infrastructure Act, although this was rectified by Labor in July.

But the bigger issue for Labor has been a concern that the act primarily gives the government powers to step in during a cyberattack, yet its powers are limited once the hacker is out of the company’s computer network. The government was alerted to the Optus breach only after the hacker was out of the system.

The hacker stole names, birth dates, phone numbers, addresses, passport, healthcare and driver’s licence details from Optus.

Potential law reforms could include ensuring all companies need to alert their own customers, as well as other affected companies, after a data breach. For example, this could involve forcing a water company to urgently notify every household that’s affected after a cyberattack.

O’Neil said the critical infrastructure laws were “not just about data” and could include compelling companies to resume their services.

“One example from the states has been the need to compel utilities to continue to provide services within a specific date,” she said.

O’Neil also accused former Liberal communications minister Paul Fletcher of doing a “sweetheart deal with the telecommunications companies that kept them out” of the critical infrastructure laws.

Fletcher last week defended his actions, saying the laws now applied to the telco sector which included “tough powers that the minister for home affairs can exercise”.

The government has also flagged a major overhaul of privacy laws within months, with Attorney-General Mark Dreyfus questioning why Optus kept customers’ personal document identification numbers for years, even after they had left the telecommunications giant.

The reforms could include forcing companies to cut back the vast amounts of sensitive data they retain about their customers.

Retired major general Marcus Thompson, a former head of the Australian Defence Force’s information warfare division, said there were a number of measures in the previous government’s original proposal for critical infrastructure laws that could also be revisited.

He said this included “measures that put more positive obligations on companies to take this seriously”.

Thompson, now a strategic adviser with cybersecurity firm Paraflare, said areas of reform could also include broadening out the critical infrastructure laws to more sectors.

“[The Security of Critical Infrastructure Act] is just about those 11 industry sectors. We’ve got a good chunk of our economy outside those 11 industry sectors,” he said.

“So what happens if next time it’s a big company that is not defined by one of those 11 industry sectors?”

In the wake of the Optus attack, hackers are taking advantage of the publicity to sell old data on the dark web.

In a recent post on a dark website, a hacker claimed they had hundreds of thousands of NAB and Telstra accounts including email addresses, names and account numbers.

However, the hack was actually of a third-party firm called Pegasus which the two companies had used some years ago for their employee rewards programs. The hackers appear to have only dated information about staff and do not have any information about NAB or Telstra customers.
