Australians had their personal data held to ransom following a cyberattack that exposed the records of 9.8 million current and former customers at Optus, the country’s second-largest mobile phone network provider.
The fallout from the breach is ongoing and involves not just Optus and its Singapore-based parent company, Singapore Telecommunications, trying to calm public nerves and find out what happened and how. A range of Australian federal and regional government agencies are attempting to fight fires and reassure citizens their health insurance, passport information, and driver’s license details are either safe or will be so again.
On Sept. 22, Optus issued its first public statement about the cyberattack that exposed customers’ names, dates of birth, phone numbers, and email addresses. For some customers, addresses, driver’s license details, and passport numbers were also exposed; Optus has since confirmed the government identification numbers of 2.1 million customers were compromised.
Payment details and account passwords were unaffected in the attack.
At first, the statement was a good example of what companies should do in a crisis. Optus said it informed and was cooperating with national law enforcement and regulatory agencies, including the Australian Cyber Security Centre, the Australian Federal Police, and the Office of the Australian Information Commissioner. The company also notified financial institutions to warn of potential fraud attempts.
Optus added it would carry out “proactive” personal notifications and offer a 12-month free subscription to Equifax Protect, a credit monitoring and identity protection service, for customers believed to have “heightened risk.”
Despite these initial efforts to calm the situation, Optus soon found itself struggling to keep on top of the crisis.
On Sept. 26, the hacker released the details of more than 10,000 Optus customers online to force payment. The company has said it did not pay the ransom. On Sept. 30, Optus issued an update to alert potential victims of the subsequent police effort—known as “Operation Guardian”—to catch the perpetrator.
On Oct. 3, Optus said it commissioned Big Four firm Deloitte to lead a forensic review of the cyberattack and how it happened, as well as examine Optus’s security systems, controls, and processes and why they were inadequate.
In a statement, Optus Chief Executive Kelly Bayer Rosmarin said the review “will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus.”
Rosmarin added she hoped the review “may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.”
On Oct. 6, police arrested a 19-year-old in Sydney for the hack and for trying to demand AUD$1 million (U.S. $638,000) from the company in cryptocurrency. The unnamed suspect was accused of trying to extort 93 Optus customers via SMS messages to each pay him AUD$2000 (U.S. $1,280) to prevent him exposing their data on the internet.
On Oct. 7, Optus revealed the hack included healthcare and insurance data—some 17,000 valid, unexpired Medicare ID numbers and a further 26,000 numbers that had expired.
The debacle has prompted the Australian federal executive government to announce changes to its telecommunications data laws so companies that are hacked can share information and better coordinate their response with financial institutions and federal and state government agencies.
Other legislative changes are highly probable.
Separately, the government hopes to make changes to the country’s outdated Privacy Act before the end of the parliamentary session in four weeks, which would include increased penalties for companies with lax cybersecurity controls and procedures and limits on the type, amount, and duration of data companies hold.