Optus and its system crash highlight the need for a plan to explain, empathise and explain some more when things go wrong: a basic part of the response to a data breach, and one that is usually ignored or messed up
November 9, 2023
The 12-hour collapse of Optus’s services showed that it has learnt little about how to respond to a catastrophic event, at least in talking to its customers. Optus executives effectively made themselves into a ball and hoped 10 million customers were happy to have the day off. The by-product of this major fail was the reports about how it has not learnt from its data breach fiasco, where the information flow was slow and sparse. The Australian’s article “Has Optus learned from the cyberattack playbook?” is fairly typical. It is quite amusing to read columnists lately stumble upon this basic need to be transparent with customers.
The thing is that issuing statements of bad news following a data breach has become a sophisticated exercise in the United States and should be treated seriously in Australia. Unfortunately it isn’t. I have been writing on the importance of this for years. Unfortunately the culture in Australia is all about releasing as little as possible and hoping the caravan moves on. That has become less and less tenable given the impact of the loss of personal information.
The article provides:
That Optus has caused another major scare for its owner Singapore Telecommunications in a little over a year, serious heat will now certainly be put on Kelly Bayer Rosmarin who heads the accident-prone Australian offshoot.
The massive network outage is another reputational test for Optus and comes just as the nation’s second biggest telco was attempting to get back on its feet by putting last September’s massive cyber attack behind it.
Once again Optus and Bayer Rosmarin are in the political firing line with senior government ministers including Home Affairs Minister Clare O’Neil and Communications Minister Michelle Rowland demanding to know how millions of customers and critical infrastructure could be offline for more than 10 hours. And it was telling that Optus couldn’t say – even late in the day.
The scale of the outage was enormous. Millions of Optus customers were directly impacted, businesses were put offline and it is entirely unacceptable that a hospital communications network also went down.
The timing for Optus couldn’t be worse. The Singtel board including chairman Lee Theng Kiat have been in Australia since Monday.
This had been a long-scheduled visit that has also taken in meetings with major corporate customers and comes ahead of the release of Singtel’s half-year results on Thursday morning.
Singtel’s Singapore-listed shares were off nearly 5 per cent on Wednesday in a flat market. This means questions over what is being done about Optus will be part of a bigger investor discussion. In Australia, rival Telstra shares were up nearly 2 per cent, also defying a flat market.
Australian directors on the Singtel board are corporate lawyer John Arthur and former Westpac boss Gail Kelly, who saw first-hand the anger linked to last year’s cyber attack.
Network fallout
From past cyber attacks including Medibank and even in the case of Optus, Australians are forgiving when something goes wrong. But it’s how the aftermath is handled that tests the relationship.
And Optus’ confused response during the outage shows the key lesson from its cyber attack hasn’t been learned. It’s all about communication.
Optus rightly came under criticism last year when it was slow off the mark to let nearly 10 million customers know the extent of the data breach on its network. Valuable information linking customer names, date of birth and phone numbers was stolen. Some customers also had high level data stolen including driver’s licence and passport details. This resulted in a costly reissue of licences and passports with intense anger aimed at Optus.
When the Albanese government later increased maximum penalties against companies hit with serious data breaches including fines of up to $50m, Optus argued it too was also the victim in the ransomware attack. However, that approach did little to win over customers. Optus is yet to come clean on what exactly happened in that attack.
Medibank for its part came under pressure but drew a line in the sand. Chief executive David Koczkar stared down the cyber hackers despite the cost. Before the attack the health insurer had run through numerous drills and how to respond. And it showed. Medibank saw customer numbers start to grow within months after the attack. Optus too saw a rebound after three months, however it has come at a cost to profit margins.
While the human impact is not on the scale of a cyber breach, outages can also have serious financial implications. After all they go to the heart of reliability and network strength. And that is a big driver of whether customers choose to go with one telco over another.
It took Vodafone years to recover from its Australian network failures a decade ago and even now this still haunts the telco that has since merged with broadband player TPG.
A string of network failures at Telstra almost brought former chief executive Andy Penn unstuck early in his tenure. Penn had to issue a personal apology and pledged to spend hundreds of millions of additional funds to fix the problems to head off any loss of market share.
In today’s world telecommunications is just as important as electricity. Businesses are built around offsite communications and the digital services are embedded into every part of our daily lives. From payments to catching an Uber, it all happens silently and seamlessly in the digital world – and this is why it catches us so off guard when it doesn’t work.
In most cases, network outages are usually contained to a specific geography and are quickly back online.
A catastrophic failure of this scale taking in both mobile and broadband services is rare, and strongly suggests a problem was in Optus’ core network. Essentially this is the most critical piece of telco infrastructure, or the brains that run the entire network.
An outage in the core usually occurs if there’s a router failure or equipment is being replaced or upgraded. But these processes should normally be protected by redundancy which means something has gone horribly wrong.
In the dark
Optus issued a short statement earlier Wednesday after its network had been out for three hours, but it gave no indication to customers it knew what the outage was, or what it was doing to fix it. Customers remained in the dark hours later with limited information just dribbling through.
The national impact means the incident is arguably one of the biggest for the telco industry yet. It was only early afternoon that the network had started coming back online.
During the outage Bayer Rosmarin spoke to Sydney radio (via social app WhatsApp) but was unable to say what exactly went wrong, which added to the confusion. “We don’t have line of sight into the root cause,” she said, although there was a “pathway” to restoring the whole network. This just compounds the perception among customers that the people at the top of the telco were not across the issues. If there is nothing substantial to say early, it is far better for an operational executive to do the talking and take the heat. Save the chief executive to deliver the real news.
Optus last year commissioned Deloitte to undertake a forensic review of what happened in the cyber attack and while it committed to share recommendations it later decided against this approach. The fate of the Deloitte report is now in the courts with class action lawyers attempting to secure its release. This only adds to the view the telco may have something to hide.
Last year Optus had the biggest lift in complaints issued to the Telecommunications Industry Ombudsman, most of these were linked to the data breaches but the trend too is a worry. While Telstra had the biggest number of complaints by volume, Optus’ complaints jumped 30 per cent. Telstra’s complaints fell 35 per cent over the year.
The outage follows Optus’ stunning win earlier this year when it managed to convince the competition regulator it could be a viable force in rural and regional Australia. Here it argued Telstra and TPG should not be allowed to share network capacity in the bush. The decision to block the network sharing deal was the ACCC’s, but those living in rural Australia would be wondering if this decision was really the right call.
It’s now going to be another long road for Optus to win back trust. And this time it is going to be harder and potentially more costly, given it looks as though the number one lesson of last year’s cyber attack — keeping customers onside — is yet to fully sink in.