Optus data breach, Federal Government continues criticism of Optus through other ministers
September 27, 2022
Optus continues to be the target of criticism, if not direct political attack, from Federal Government ministers. The Attorney-General, Mark Dreyfus, and the Defence Minister, Richard Marles, state that the data breach should never have occurred, as reported in The Australian’s ‘Data breach should never have happened’: Dreyfus, which provides:
Attorney-General Mark Dreyfus has doubled down on the government’s criticism of Optus in allowing the massive breach of customer data.
“Australians expect that when they hand over their personal data, every effort will be made to keep it safe from harm,” he said.
“We know that millions of Australians have been impacted by the Optus data breach, and it is a data breach that should never have happened.
“It involves the release of Australian citizens’ names, date of birth, phone numbers, email addresses, residential addresses and, for some customers, passport numbers and driver’s license numbers being apparently for sale on the dark web.”
Mr Dreyfus said the government was concerned by reports that personal information from the Optus data breach also included Medicare numbers.
“Medicare numbers were never notified as forming part of the breach,” he said.
“I can say that Optus has a clear obligation to notify affected customers, affected individuals, which of course includes both past customers of Optus and present customers of Optus.
“Optus has a clear obligation to notify both the affected individuals and the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. Consumers have also got a right to know exactly what individual personal information has been compromised in Optus’s communications to them.”
Acting Prime Minister Richard Marles said the breach was “a wake-up call for corporate Australia”.
“I know now that cyber security is right there in the top echelon of issues … and we need to be doing everything we can to make sure protections are in place,” he said.
Yesterday the Home Affairs Minister, Clare O’Neil, made her displeasure with Optus known in an interview with Rafael Epstein on ABC Radio in Melbourne. It is set out below:
RAFAEL EPSTEIN: I’m joined now by Clare O’Neil. She is, of course, the ALP MP for the seat of Hotham here in Melbourne and she is Minister for Home Affairs and Cybersecurity. Good afternoon.
CLARE O’NEIL: Good afternoon, Raf, thanks for having me on the show.
RAFAEL EPSTEIN: How much of a mistake is this by Optus? How much are they to blame?
CLARE O’NEIL: It’s a very significant error on Optus’s part and they are to blame. The truth is that the nature of the cyber hack that was undertaken here was not particularly technologically challenging and one of the great disappointments for me as Cybersecurity Minister is that we had a large telecommunications provider in our country which left open a vulnerability of this size. And I can tell you that on behalf of Australians, the Albanese Government is incredibly angry because what they have done is left a security risk for Australians that has affected a very large share of the entire Australian population and we, of course, now need to do whatever we can to support those Australians to protect themselves.
But if you’re asking who’s at fault here, there’s a single answer to that and that’s Optus.
RAFAEL EPSTEIN: If you’re incredibly angry, do they cop a fine?
CLARE O’NEIL: Well, Raf, you opened talking about some of the policy issues here that this has really illuminated, and that is absolutely one of them. So, if this occurred in a number of countries around the world, Optus would be fined to the tune of hundreds of millions of dollars. We don’t have a legislative regime of that nature in Australia, so there will be – I’m sure this is going to be a very costly incident for Optus, but at this stage the Government doesn’t have the capacity to fine them, and this is something we will be looking at in the wake of the incident.
RAFAEL EPSTEIN: I’ll come to some of the details at the moment, but are they open – do you think they’re liable to be hit with a class action, they’d lose?
CLARE O’NEIL: Look, I can’t answer that question. We need to – you know, we haven’t got a class action in place at this stage, but I would just say Slater & Gordon are looking at this and anyone listening who’s an Optus customer, watch out for the news on that front.
RAFAEL EPSTEIN: Does Optus know precisely what was taken?
CLARE O’NEIL: So, Optus do, and they’ve provided the Government information on what’s been taken. So, I talked earlier today – we know that 9.8 million Australians have had some information about them revealed and then for 2.8 million Australians very significant amounts of personal data have been revealed, and it’s that latter 2.8 million Australians that I’m most concerned about at the moment. For many people who are in that category, the information that’s in the public realm amounts to 100 points of ID check, and because we live in this modern digital age, there’s vast amounts of data available about all of us online and combined with what’s been leaked and hacked through Optus, there is a significant issue that we now face.
And so, the Australian Government is doing everything it can to try to protect Australians, and that’s going to involve working with banks and financial institutions and also within government to make sure that we are stepping up protections for people.
RAFAEL EPSTEIN: So, if there are 2.8 million people with 100 points out there, I mean, I haven’t received an email, but it could be me so if I gave them say my licence and my passport to prove my identity, 2.8 million people have got all of that data out there, so it includes things like licence numbers and passport numbers?
CLARE O’NEIL: I mean, it’s – I don’t want to scare people unnecessarily, so in most cases you need a physical document to, you know, undertake to open new bank accounts and these sorts of things, so I don’t want to terrify people that financial crime is right around the corner, but I also don’t want to underestimate how significant and serious this is. This is an unprecedented cyberattack in Australia’s history. We have had plenty of incidents where information has become available, but the specificity and the detail that’s been provided about so many people is unprecedented and that is why the Government has stepped up and is undertaking some quite substantial work to try to help people protect themselves.
RAFAEL EPSTEIN: And has Optus told that close to three million people that they’re in that group?
CLARE O’NEIL: Raf, I’m not sure about that actually. I know Optus, as I understand it, has informed all of the customers who are affected and the emails that I have seen illuminate for customers a whole list of data about them that may have been made public. I’m not sure if Optus has told customers which category, they –
RAFAEL EPSTEIN: And do you think they’ve done enough to tell their customers?
CLARE O’NEIL: Look, how can they? I mean, Optus’s obligations here are so vast. I just think we’ve got people – I’m sure you’ve got them dialling into your text line –
RAFAEL EPSTEIN: Lots of questions –
CLARE O’NEIL: I’ve had hundreds of emails, literally hundreds of people coming to me as a local member of Parliament asking, “What’s been taken about me? How do I protect myself?” So, there are very significant obligations on Optus here to try to repair some of the damage that’s been done.
RAFAEL EPSTEIN: Is it data they are legally required to keep?
CLARE O’NEIL: Look, I’ve seen that reported and I think we need to go through a proper discernment exercise here. So, one of the things that’s very common in the wake of a significant cyberattack like this is for many falsehoods to be put into the public realm and I’m not sure if that is true. One thing I do know is that given the very sensitive and important role telco companies play in our overall security framework in Australia, and because they hold so much data, then there should have been much better cyber protection of the telecommunications company. So, whatever data requirements are put on telcos, they’re going to hold a significant amount of data about you and me and all of their other customers. For me, the main issue here is: why was a very large telco provider in this country not properly protecting customer data that it did hold?
One of the things that your listeners might be interested in is the former Government put in place a very significant new law to try to help us manage cybersecurity as essentially a national security issue, acknowledging that when something like this happens with Optus, this affects not just customers at a private level, but actually creates problems for the whole of our community. So, they created this new law but excluded telecommunications companies from that law. So, I as Cybersecurity Minister will have the power to set minimum cybersecurity standards for lots of sectors of the economy –
RAFAEL EPSTEIN: But you can’t for telcos?
CLARE O’NEIL: Exactly. Yes. So, I actually do think this is a real issue that the Albanese Government is going to be looking at in the wake of this to ask ourselves: is it appropriate? Telecommunications companies kept themselves out of that law saying that they didn’t need it, that their standards were high enough as is and that they’re regulated under sufficient other laws. I don’t think that’s demonstrated by what we’ve seen in the previous couple of days.
RAFAEL EPSTEIN: Clare O’Neil is the Cybersecurity Minister, part of Anthony Albanese’s Government. It’s 16 minutes after five o’clock. It’s a Singaporean company. Could they face any sanction under their laws?
CLARE O’NEIL: I’ll have to look into that one, Raf, and I have to say I am flat out trying to manage the operational risk to Australians at the moment so these are policy questions that will have their important moment, but right now there’s 10 million people out there whose data’s been breached and my focus is trying to provide them better protections.
RAFAEL EPSTEIN: I’m going to use me as an example just because I know what communications I’ve received. I got an email on Friday. I haven’t received one today. I have no idea what information they do or don’t have of me. What should I do?
CLARE O’NEIL: So, look, the most important thing is to watch for any type of suspicious activity. So, what you’ll see in some of these instances is, you know, emails that look a bit odd that might be using some personal information about you, any text messages that come to you that look unusual. Certainly, any information that you might get that flags a bank transaction that you’re not familiar with or anything along those lines you just get on the phone to your bank straightaway. So, I think just be on high alert for any activities.
One of the things that I have publicly asked Optus to do today, and they have agreed, is to provide credit monitoring for the customers who are most affected by the breach. So, what that means is Optus will put in place a special process that watches your credit accounts, essentially, that takes all the information available about you financially that they can find and they will alert you if something happens, and that will assist people in protecting themselves against identity theft, and I want to thank Optus publicly for undertaking to do that.
RAFAEL EPSTEIN: So, do everyone who’s receiving that service, do you know if they’ve been told about that?
CLARE O’NEIL: They won’t have been told about that yet. Optus has made the announcement literally a couple of hours ago that they are intending to put that in place.
RAFAEL EPSTEIN: Should people change their licence or their passports?
CLARE O’NEIL: We are working with State Governments and with the part of the Federal Government that deals with passports to try to manage how this might be made possible –
RAFAEL EPSTEIN: Oh, really?
CLARE O’NEIL: Yes. So, Raf, one of the things that is just, you know, noteworthy about this incident is all these different touchpoints with licences have – they have regulatory issues, and they have technical issues attached to them, which are –
RAFAEL EPSTEIN: You can’t re-issue millions of passports and licences, can you?
CLARE O’NEIL: Exactly. So, this is the task that Optus – this breach has left to us, and we are trying to find reasonable ways that we are going to help people provide better protections. I mentioned to you before we are working very closely at the moment with the banks to try to get information to them that will help them protect their customers, and passports and IDs is something that we’re looking at. Now, I’m not sure if that is something that’s going to be possible, but it’s something that certainly a lot of affected customers have raised with me and something we are trying to look at.
RAFAEL EPSTEIN: So, somehow the Government could step around the privacy protections and the Government could take all the Optus information and tell all the banks; is that something you’re looking at doing?
CLARE O’NEIL: What we would like to do is to support the banks to provide protection to people whose data has been breached, and again, the people of most concern here are the 2.8 million customers for whom quite significant amounts of information have been made public. So, we are looking at this at the moment. It sounds like perhaps to your listeners something that would be technically and legally straightforward. It’s absolutely not, but we are trying to do that because as an Australian Government, although this is a breach in the private sector affecting customers that belong to a particular organisation, we absolutely recognise that a breach of this size and nature obviously requires action on behalf of Government, and I can tell you there is a tower of work happening in the Australian Government to try to provide better appreciates.
RAFAEL EPSTEIN: Finally, is the hack, the claim for the million dollars, is that legitimate? Do you know if that’s real?
CLARE O’NEIL: It’s not appropriate for me to talk about that, Raf. Yep, not appropriate at this time.
RAFAEL EPSTEIN: Thanks for your time.
CLARE O’NEIL: Thanks, Raf. Much appreciated.
RAFAEL EPSTEIN: Clare O’Neil’s the Minister for Home Affairs and Cybersecurity. There’s a lot there. They’re going to try and link to your bank if your data’s been breached, but that’s not easy for them to do. They’re looking at whether or not you might be able to replace your licence or your passport. Again, that’s not easy to do. They would like to have legislation that would allow them to fine a company like Optus. Doesn’t look like they can. Whether or not they’re covered by Singaporean law – don’t know. Government is incredibly angry with Optus. I don’t know what that anger actually means or what it can translate to or how it can help you either. If you’re one of those who is texting me saying you tried to contact Clare O’Neil’s office, she’s getting hundreds of those messages. I don’t have anything for you other than keep an eye on everything. Keep an eye on your bank accounts. I don’t know how they change or alter three or four million passports or licences.
The Minister’s displeasure morphed into anger when she issued a very pointed media statement aimed squarely at Optus regarding whether it had been sufficiently candid with her. The statement provides:
I am incredibly concerned this morning about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom.
Medicare numbers were never advised to form part of compromised information from the breach.
Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them. Reports today make this a priority.
I want to re-assure Australians that the full weight of cyber security capabilities across government, including the Australian Signals Directorate, the Australian Cyber Security Centre and the Australian Federal Police are working round the clock to respond to this breach.
In my experience companies are reluctant to be candid about the nature of a data breach, at least initially. In cases of breaches involving a small number of individuals they can sometimes brazen it out. But given the size of the breach and the profile of Optus, being miserly with the truth was a bad move. And Optus has made one bad move after another: not coming clean on the cause of the breach (at least in general terms), being slow in contacting customers, not offering free credit monitoring from the outset and not being proactive in helping customers when they contacted its offices.
Optus’s media releases reveal its ineptitude in handling this data breach. They provide:
Optus update on cyberattack – 26.09.2022 PM
At Optus our priority has been to communicate with customers whose information was compromised because of a cyberattack.
We are now taking a further step to help reduce the risk of identity theft. Optus is offering the most affected current and former customers whose information was compromised because of a cyberattack, the option to take up a 12-month subscription to Equifax Protect at no cost. Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft. No passwords or financial details have been compromised.
The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost. Please note that no communications from Optus relating to this incident will include any links as we recognise there are criminals who will be using this incident to conduct phishing scams.
Optus update on cyberattack – 26.09.2022 AM
Optus has now sent email or SMS messages to all customers whose ID document numbers, such as licence or passport number, were compromised because of the cyberattack.
We continue to reach out to customers who have had other details, such as their email address, illegally accessed.
We understand and apologise for the concern that this has caused for our customers.
Payment detail and account passwords have not been compromised as a result of this attack.
Optus update on cyberattack – 25.09.2022
Optus is working with a number of organisations to protect customers whose information was compromised because of a cyberattack.
The Australian Cyber Security Centre has provided advice for those current and former customers who have been impacted on their website, cyber.gov.au. The ACSC’s 1300 CYBER1 hotline also provides advice and referral information to those impacted.
Those impacted by the incident are also advised to contact reputable sources for information such as Moneysmart, ID Care and the Office of the Australian Information Commissioner.
Optus wishes to reiterate to customers that our email and SMS notifications will not have hyperlinks. If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus. Please do not click on any such links.
The attack is being investigated by the Australian Federal Police, and they have advised Optus not to provide comment on certain aspects of the investigation, including verifying the authenticity of customer information published on the internet.
If customers feel they’ve suffered any loss as a result of the cyberattack, they should contact us on 133 937.
Optus update on cyberattack – 24.09.2022
Optus is contacting all customers to notify them of the previously announced cyberattack’s impact, if any, on their personal details. We will begin with customers whose ID document number may have been compromised, all of whom will be notified by today. We will notify customers who have had no impacts last.
No passwords or financial details have been compromised.
We are not sending links in SMS or emails. If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus. Please do not click on any links.
If you have any queries regarding your account or about any email or SMS you might have received, please reach out to Optus via your My Optus App or on 133 937.
As the cyberattack is now under investigation by the Australian Federal Police, Optus cannot comment on certain aspects of the incident. We are cooperating with all relevant authorities to find the criminals behind it.
Optus shut down the attack as soon as it was discovered.
We have been advised that our announcement of the attack is likely to trigger a number of claims and scams from criminals seeking to benefit financially, including through:
- Phishing scams via calls, emails and SMS.
- Offering illegitimate customer details for sale.
Given the investigation, Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings.
Once again, we apologise. We will provide further updates as new information comes to hand.
Optus update on cyberattack – 22.09.22
Following a cyberattack, Optus is investigating the possible unauthorised access of current and former customers’ information.
Upon discovering this, Optus immediately shut down the attack. Optus is working with the Australian Cyber Security Centre to mitigate any risks to customers. Optus has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” said Kelly Bayer Rosmarin, Optus CEO.
“As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance. We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.”
Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers. Payment detail and account passwords have not been compromised.
Optus services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.
“Optus has also notified key financial institutions about this matter. While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.”
To help protect against fraud, customers are encouraged to look to reputable sources such as:
For customers believed to have heightened risk, Optus will undertake proactive personal notifications and offer expert third-party monitoring services.
The most up to date information will be available via optus.com.au. For customers who have specific concerns, they can contact Optus via the My Optus App (which remains the safest way to interact with Optus) or by calling 133 937. Optus will not be sending links in any emails or SMS messages.