Optus, One of Australia’s biggest telecommunications companies, had a data breach last week and personal information of millions of customers was held to ransom.
Optus said this was a “sophisticated” attack, but the federal Home Affairs Minister Clare O’Neil said Optus “left the window open” for what was a pretty “basic” breach.
The account which claimed to be the hacker since apologised and said they deleted it all — after they leaked the data of at least 10,000 people on Monday, mind you, but there’s no way of knowing so the 10 million victims are now pretty much on their own.
So how did the Optus hack happen and what’s the likelihood of it happening again?
We asked a couple of experts about cybersecurity practices and Australian privacy laws.
What exactly is a data breach and why do hackers do it?
Every time you sign up for a service you’re required to hand over a certain amount of personal data, whether that’s identifying data like name, address or driver’s licence, or contact details like a phone number or email. This is actually a legal requirement.
For example, anti-money laundering laws say companies must be able to prove their customers are in fact real and are who they say they are to ensure the business isn’t a front for illegal activity.
“The law requires [companies] to keep that data while someone remains a customer,” Associate Professor in Computing and Information Systems at the University of Melbourne Toby Murray told PEDESTRIAN.TV.
“That data’s valuable to thieves or people who want to commit fraud … you can use it to open a bank account in someone’s name or take out a loan or extort them for money. So there’s a financial motive.”
Data breaches are pretty common worldwide — it happened to MyGov in 2020 when hackers sold people’s personal data on the dark web and Telstra in 2021 — but the Optus data breach was unprecedented.
Why was the Optus data breach so bad?
The Optus data breach was the biggest in Australian history, according to Dr Brendan Walker-Munro, a Senior Research Fellow with the University of Queensland’s Law and the Future of War research group.
“This has obviously been horrible for each individual who’s been affected but when you look at it at the macro level this has been an unprecedented event in Australian history and what happens from here on is going to have pretty significant ramifications on how we deal with our information,” he told PEDESTRIAN.TV
About 2.8 million of the 10 million victims were several affected by the breach and left particularly vulnerable to identity theft or even violent crime. The amount of identifying data of theirs that was stolen amounted to 100 points of identification.
Walker-Munro said it’s likely government officials or police were part of the 2.8 million whose home addresses and identities were now compromised which could threaten their safety.
“Survivors of domestic violence could’ve had their identities exposed and the new addresses they’ve moved to are now out there in the world,” he said.
How did the Optus hack happen?
Optus CEO Kelly Bayer Rosmarin said last week it was a sophisticated attack from multiple locations in Europe, but a day later a senior Optus source told the ABC a mistake had occurred that allowed the hack. That claim was quickly walked back by the company which denied “human error” was a factor.
Optus hasn’t said any more publicly about how the cyberattack happened, but cybersecurity experts and government authorities have ideas.
“Often they result from a fairly simple problem with the systems that are storing all this data,” Murray said.
“They had a system that was storing all this sensitive information … which was connected to the internet and seemingly anyone could access this.”
Murray said a system like this allowed anyone, anywhere in the world, to send it a request for a customer’s details, without being logged in or having to verify their authority to access the data.
“The customer would just be a number, and by putting in different numbers you got different details of different customers. The attackers doing this 10 million times ended up getting the details of 10 million customers,” he said.
“In a good system, you have access control which makes sure people are only able to view the data they need to for their job or as a customer, and you also have proper authentication that someone [has to prove] who they are claiming to be.
He also said systems should be designed to get rid of data they no longer need, and should be carefully tested with specialist technology available to make sure there are no vulnerabilities.
What are the current Australian laws around data protection and are they adequate?
Most companies’ data protection practices are bound by requirements of the Privacy Act.
“Obligations [are] in relation to how companies can collect personal information and then how they have to store it, how they have to treat it, and then at the end of that lifecycle what companies that are finished with that information should do in terms of destruction or deidentifying or getting rid on information they no longer need,” Walker-Munro said.
“Telecommunications laws also impose specific requirements. Telcos have to make their best efforts to prevent unauthorised interference or access to information the telecommunications company has.”
Penalties for breaking these laws are usually fines, but Walker-Munro said our fines aren’t “enough to make a company like Optus sit up and take notice”.
The Home Affairs Minister said in other jurisdictions, a breach of a similar size would result in fines of hundreds of millions of dollars. In the European Union, fines are percentages of the company’s annual income instead of blanket rates.
But Walker-Munro argued reactionary punishments don’t always incentivise companies to implement the proper protections in the first place.
How likely is it another major cyberattack will happen in Australia?
To put it simply: very likely.
“Unfortunately these things are going to happen and the laws need to be there to ensure companies are taking their best steps before [they do],” Walker-Munro said.
But he also said Australia’s cybersecurity laws were changing regularly and can be difficult for companies to understand.
“There’s a part for government to play here where they really need to be coming in and providing transparency and clarity to companies and saying ‘these are the standards we require you to meet, if you’re not going to meet them, don’t operate in Australia’.
“It’s probably the uncomfortable conversations we should be having.”
Nevertheless, businesses will no doubt be scrambling to make sure their data is properly protected right now so it’s a good day to be in the cybersecurity business.
