Optus data breach, politics starts intruding with scalp hunting season opening…to the detriment of fixing the problem.

September 27, 2022

At the end of this debacle it is likely that there will be changes of personnel at Optus, and not just the Chief Executive feeling some pressure to find greener pastures. The head of IT, the in-house media unit, the privacy officer, the head of the in-house legal team and probably anyone who had any role in installing and operating cyber security should all be put under some scrutiny. All of them would have had some role in preventing the data breach and then remediating the damage. The latter has just been dreadful. But calling for the head of the Chief Executive at the moment is counterproductive and a reversion to form in this field: short-term hits which distract from the boring hard graft of fixing the problem. It takes months, and sometimes longer, to resolve the technical, reputational and legal problems. And lots and lots of money. Losing a chief executive, or any other high-level manager for that matter, gives politicians something to crow about, some customers some satisfaction and the media plenty of ink to spill. But it is most likely counterproductive for the company and the victims of the hack.

Both the Government and the Opposition have increasingly wielded the knife in the public discourse. The Opposition Cyber Security Spokesman has been frenetically releasing posts attacking the Government’s response and telling it to make cyber security a priority. The data breach is primarily Optus’s problem to fix. Clearly Government resources are being put to use in fixing that problem; however, it is bad policy for the Government to step into Optus’s shoes or even to have that option. In the Age’s Optus boss digs in over cyberattack as government fury grows it is clear that responding to the data breach is not confined to the lost personal information. The Government has moved from being a party that can assist to a more adversarial role, at least

Optus data breach, Federal Government continues criticism of Optus through other ministers

Optus continues to be the target of criticism, if not direct political attack, from Federal Government ministers. The Attorney-General, Mark Dreyfus, and the Defence Minister, Richard Marles, state that the data breach should never have occurred, as reported in the Australian’s ‘Data breach should never have happened’: Dreyfus, which provides:

Attorney-General Mark Dreyfus has doubled down on the government’s criticism of Optus in allowing the massive breach of customer data.

“Australians expect that when they hand over their personal data, every effort will be made to keep it safe from harm,” he said.

“We know that millions of Australians have been impacted by the Optus data breach, and it is a data breach that should never have happened.

“It involves the release of Australian citizens’ names, date of birth, phone numbers, email addresses, residential addresses and, for some customers, passport numbers and driver’s license numbers being apparently for sale on the dark web.”

Mr Dreyfus said the government was concerned by reports that personal information from the Optus data breach also included Medicare numbers.

“Medicare numbers were never notified as forming part of the breach,” he said.

“I can say that Optus has a clear obligation to notify affected customers, affected individuals, which of course includes both past customers of Optus and present customers of Optus.

“Optus has a clear obligation to notify both the affected individuals and the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. Consumers have also got a right to know exactly what individual personal information has been compromised in Optus’s communications to them.”

Acting Prime Minister Richard Marles said the breach was “a wake-up call for corporate Australia”.

“I know now that cyber security is right there in the top echelon of issues … and we need to be doing everything we can to make sure protections are in place,” he said.

Yesterday the Home Affairs Minister, Clare O’Neil, was making her displeasure with Optus known in her interview with Rafael Epstein in

Optus Data Breach, the hacker withdraws demands and apologises

The Optus hacker has upended the script. Traditionally a hacker steals data, or locks up the data of a hapless organisation, and demands payment for the return or non-publication of the data or for the key to the locked data. And that is how it was playing out until today. After the release of personal information relating to 10,000 individuals, with a demand that if a ransom of $1.5 million was not paid a further release of information would be forthcoming, the hacker changed his mind (and it almost always is a man), deleted links to the released personal information and apologised for attempting to sell the data. In addition to the personal data of customers the hacker had email addresses from the defence and prime minister’s office.

The Guardian covers this extraordinary twist in

Optus Data Breach turns into a ransom operation! Personal information of 10,000 Optus customers released as part of a ransom demand

The question of whether the hackers who stole the personal information of almost 10 million current and former Optus customers were criminals motivated by money or state-based operatives has been resolved. It was criminals. The hackers have released the personal information of 10,000 individuals and have promised to release details of 10,000 more people each day for the next four days until the hackers’ demands have been met. It is reported in the Australian at Details of 10,000 Optus customers released.

Optus data breach, the Government takes issue with Optus and a class action is being mooted

September 26, 2022

Optus’s woes continue. This time the Minister for Home Affairs has taken issue with Optus over its cyber security and its response to the data breach, in a none too subtle answer to a Dorothy Dixer in the House of Representatives today. It is hardly surprising. Optus has handled a particularly difficult situation particularly badly. For an organisation of its size, and with no doubt some understanding of what happens in other parts of the world, its response to the data breach has been ponderous, vague, defensive, apparently aggressive when dealing with frustrated consumers and lacking in transparency. If there was a data breach response plan it was thrown out the window late last week and replaced with not much at all.

The Hansard of Ms O’Neil’s answer

Optus showing how not to handle a data breach as it irritates its customers.

Rolling out a data breach response is something of an art form in the United States, where mandatory data breach notification laws have been part of the regulatory landscape in most states of the Union. Certain types of data breaches, notably those involving health information, attract mandatory notifications. Letters to customers and plans to remediate damage are carefully drafted. Australia has no such long-term history of being required to respond to data breaches, and even under the breach notification regime in Australia notices to clients, consumers or members are not mandatory. It might not even be mandatory to notify the Information Commissioner. The organisation has to make that determination based on the list of factors in Part IIIC of the Privacy Act.

So far Optus is demonstrating how a data breach should not be handled. It dawdled in sending notices, and the notice itself was poorly drafted and provided no assistance beyond suggesting that customers keep a lookout and check various sites.

The media is reporting on the annoyance and frustration of customers, with the Sydney Morning Herald reporting Frustrated Optus customers get the run around, 2GB’s Optus struggles to explain their data breach in trainwreck interview and Optus customers frustrated after compensation requests denied, phone number change not possible. All of this suggests that Optus either had no data breach notification plan or had an inadequate one, and that if it did have one it did not test it with simulations. Data breach plans, or incident plans, are very important in competently dealing with a data breach. Having a team which can put a response into place is critical.


The cost of the Optus data breach being estimated. The bill will be large. IBM estimates that the average cost of remedying a data breach involving 1 – 10 million records is USD 49 million

Over the many years I have written about privacy and cyber security (as well as commercial and defamation law) I have never ceased to be amazed at how organisations blithely accept the risk of a data breach through poor privacy and cyber security practices, given the jaw-dropping costs of remediation after such a breach. Bringing in a range of experts to assess the damage, locate the cause of the breach, work with the regulators and then deal with litigation by those regulators or disgruntled customers can run up a cost of hundreds of thousands of dollars, and often millions.

IBM’s Cost of a Data Breach Report for 2022 highlights the poor state of readiness of many companies, with

The Optus data breach consequences. Reports of data being ransomed & the Government’s first response

September 25, 2022

When hackers steal data they commonly do it for a reason. The days of student hackers breaching cyber defences for the fun of it are long gone; they were more a product of Hollywood than reality, with some notable long-ago exceptions. Similarly, white hat hackers don’t find vulnerabilities and then steal data; they typically find the vulnerability and then notify the company. The Optus breach is more in line with either criminals aiming to turn the product of their theft into money or state-based hackers whose aims and motivations are more complicated: disruption, obtaining intelligence data on individuals, and data to be used for identity theft and in conjunction with other data. State-based actors take a much longer view than criminals. There is some evidence that the data, or at least some of it, is being offered for sale on the dark net.

The data breach story has now moved into its second phase, where interested parties use it to push their agendas. The telcos are making it clear that their compliance obligations in retaining meta data are contributing to privacy breaches. Doubtful. They may contribute to compliance costs, and they definitely make the consequences of a data breach more significant: so much more to steal (if not properly protected, that is). But they do not weaken cyber security defences in and of themselves. There is a real issue about excessive legal requirements to obtain and retain personal information. The meta data retention laws require telcos to retain masses of data for longer than they would need it, not to mention that these laws are a continuing pernicious blight on liberal democracy, giving agencies a right to access meta data without a warrant. There is also the general preference of companies to collect and store more personal information than they need, and for as long as they can, as the Age notes in an opinion piece No, Optus doesn’t need to keep your sensitive information for so long.

But none of that is a cyber security issue, as in protecting personal information from criminal actors. While there may be some regulatory overload on telcos, any sympathy must be tempered by the fact that cyber security is a separate issue. The protection of data (even that retained reluctantly) is possible with proper cyber security systems, proper protocols and adequate training, none of which is in abundant supply. Companies place too little emphasis on privacy and spend the bare minimum, often less. Unlike in the United States and the United Kingdom, data breaches in Australia do not bring a serious regulatory response by way of civil proceedings, fines or enforceable undertakings. If the worst-case scenario from a data breach is a tepid and muted regulatory response and some reputational damage, what is the incentive for a company to seriously get its house in order?

According to the ABC the Government is going to legislate to require that financial institutions be notified of data breaches. The Australian runs a similar story as well. This is dealing with symptoms rather than problems and makes a complicated but ineffective privacy regime even more cumbersome.

The ABC story provides:

The Home Affairs Minister is soon expected to announce several new security measures following the massive Optus data breach that saw hackers steal the personal details of up to 9.8 million Australians.

On Saturday, Clare O’Neil and several of her federal ministerial colleagues met with the Australian Signals Directorate and the Cyber Security Centre to discuss the fallout from the devastating cyber-hack.

Under the changes to be announced in coming days, banks and other institutions would be informed much faster when a data breach occurs at a company like Optus, so personal data can’t be used to access accounts.

The ABC has been told the first step to occur will be directing Optus to hand over customer data to the banks so financial institutions can upgrade security and monitor customers who’ve had their personal details stolen.

The Optus breach, the consequences, the strong suggestion that human error contributed to Australia’s largest data breach and, finally, a letter to consumers!

September 24, 2022

Every data breach is different. There are different types of attacks: through third-party vendors, stolen access credentials, zero-day vulnerabilities or a failure to patch cyber defences. What has been released to the public is that there was a weakness in the firewall, a vague description that could mean almost anything. What is not made clear is what defences behind the firewall were in place and whether they were working. Did Optus have programs running which detected unusual activity within the system? What about defences protecting the data itself? Was there any detection of exfiltration? A surge of activity involving a large volume of data should be detected if there are programs in place and proper procedures.
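Added here to illustrate the kind of control the paragraph asks about (example code, not Optus’s systems or anything from the article): a volume surge detector run over a constructed customer-lookup access log, which flags any client that pulls far more records in a five-minute window than the per-client baseline. The log format, the thresholds and the client addresses are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
import re
import statistics

# Assumed log format (not Optus's): "<ISO time> <client> GET /api/customer/<id> records=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) GET /api/customer/(?P<cid>\d+) records=(?P<n>\d+)$"
)

def parse_line(line):
    """Return (timestamp, client, customer_id, records) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["client"], int(m["cid"]), int(m["n"])

def window_start(ts, minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)

def detect_surges(lines, window_minutes=5, absolute_floor=50, ratio=10):
    """Return sorted [(client, window_start, records)] for client-windows whose
    record volume exceeds both an absolute floor and `ratio` x the median
    per-client-window volume (the median is the crude baseline)."""
    volume = Counter()
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue  # malformed lines are skipped, not counted
        ts, client, _, n = parsed
        volume[(client, window_start(ts, window_minutes))] += n
    baseline = statistics.median(volume.values()) if volume else 0
    threshold = max(absolute_floor, ratio * baseline)
    return sorted((c, w, v) for (c, w), v in volume.items() if v > threshold)

def build_sample_log():
    """Constructed sample: three clients doing ~1 lookup a minute for 30 minutes,
    plus one client enumerating 400 sequential customer IDs at two per second."""
    base = datetime(2022, 9, 20, 9, 0, 0)
    lines = []
    for i in range(30):
        for j, client in enumerate(["203.0.113.5", "198.51.100.9", "192.0.2.77"]):
            t = base + timedelta(minutes=i, seconds=10 * j)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {client} GET /api/customer/{1000 + 3 * i + j} records=1")
    for k in range(400):
        t = base + timedelta(minutes=10, seconds=k // 2)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.200 GET /api/customer/{k + 1} records=1")
    return lines

if __name__ == "__main__":
    for client, window, records in detect_surges(build_sample_log()):
        print(f"ALERT {client} pulled {records} records in the window starting {window:%H:%M}")
```

The background clients never exceed five records per window, so only the enumerating client is reported; in practice the baseline would come from historical traffic rather than the same batch of lines.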

The breakdown of the breach, in broad terms, is:

  • exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers
  • dates of birth, email addresses and phone numbers of another 7 million customers.

Optus’s response to the data breach has been something of a curate’s egg; good in parts.

Optus has adopted a personal approach in response to the breach, with a personal mea culpa by the Optus chief executive, Kelly Bayer Rosmarin, as reported by the Australian in Optus chief Kelly Bayer Rosmarin apologises for massive hack that could date to 2017. It provides:

Optus chief executive Kelly Bayer Rosmarin has delivered an emotional apology for the company’s data breach which has affected up to nine million of the telco’s customers.

Fronting the media on Friday Bayer Rosmarin was on the verge of tears when asked how she feels about the data breach occurring under her leadership.

It is understood personal details dating back to 2017, and with possible links to Europe, may have been accessed in the hacking attack.

“[I feel] terrible,” Ms Bayer Rosmarin told reporters.

“It’s a mix of emotions. Obviously, I’m angry, that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer in this industry and really trying to create new and wonderful experiences for our customers.

Optus suffers massive data breach affecting up to 9 million customers. The largest data breach involving personal information of Australians in history

September 23, 2022

Optus suffered a massive data breach through a cyber attack two days ago, the biggest in Australian history involving Australian data. Optus released a media release about it yesterday. The compromised data included names, dates of birth, driver’s licence and passport numbers: the sort of information which would allow a hacker to attempt identity theft, and very saleable data on the dark web.

A curious aspect of this incident is that some of that data related to former customers. It will be interesting to see how far back that data goes. Why is it necessary to hold onto the data of former customers from many years back? That may be a breach of the Australian Privacy Principles.

With access to key data, including email addresses, the danger to affected customers is phishing attacks and attempts at identity theft rather than any immediate danger that Optus phone or email data will be used or that services will be disrupted. There is little wonder that the media is reporting a heightened risk of fraud against those affected. The breach did not include payment details or account passwords.

Optus has notified the Information Commissioner. One issue to resolve is what notification will be provided to affected Optus customers. Australian notifications are rarely as open and expansive as those issued in the United States, where mandatory data breach notification has been part of the regulatory environment in most states. Notices by affected organisations in the United States are more candid (though not providing all details, for obvious reasons) and contrite, and commonly more generous in offering support. That is good business.

In its own review, and probably under the scrutiny of the Commissioner, there will be a careful analysis of the effectiveness of Optus’s Data Breach Response Plan. In my experience Australian organisations put less than optimal effort into preparing for a data breach. Similarly, the response to a data breach is too often marked by improvisation rather than by following a plan.

Optus issued a media release today at 2pm titled Optus notifies customers of cyberattack compromising customer information.