The Optus management team will soon be the standout case study on how not to handle a crisis
The dramatis personae – from the hacker who can’t spell to the Optus execs who will soon be the standout case study on how not to handle a crisis – is an unholy mess, writes Samantha Maiden.
Opinion
Don't miss out on the headlines from Opinion. Followed categories will be added to My News.
Whoever and wherever the Optus hacker is right now, whether they are hiding in a basement in a hoodie overseas, or buying some Wizz Fizz in Australia, there’s an amateur-hour vibe to the hacking crime of the year.
The impact is very real. And expensive.
The dramatis personae – from the hacker who can’t spell to the Optus management team who will soon be the standout case study on how not to handle a crisis – is an unholy mess.
When one customer complained this week that the telco giant had applied a “Band-Aid for a stab wound”, it was not only a colourful turn of phrase, it was accurate.
In the days after the data breach emerged an anonymous hacker claimed responsibility and a $1m ransom before offering a bizarre apology.
“Too many eyes. We will not sale (sic) data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy),” an account claiming to be a hacker posted online.
The hacker was “very sorry”.
“Australia will see no gain in fraud, this can be monitored,” the post read. Understandably, it’s not an assurance that the Australian Federal Police or the FBI, who have been brought in to investigate, is reassured by.
Meanwhile, long-suffering Optus chief executive Kelly Bayer Rosmarin is experiencing a trial by fire.
“I think most customers understand that we are not the villains, and that we have not done anything deliberate to put any of our customers at risk,’’ Ms Bayer Rosmarin said.
“In fact, quite the contrary. We’re doing everything we can to prevent that from happening.
“What I can say, that hopefully should help people understand, is that it’s not as being portrayed. Our data was encrypted and we have multiple layers of protection. So it is not the case of having some sort of completely exposed APIs sitting out there.”
The illegally obtained information includes passport and driver’s licence numbers, dates of birth, addresses and, it would now seem, Medicare details.
While Optus was busy refusing to answer journalists’ questions about whether or not Medicare data was involved – citing police requests not to discuss the data hack – the federal government all but confirmed the hacker is the real deal.
Health Minister Mark Butler said after the alleged hacker released material including Medicare details that the government is now examining whether new Medicare cards will need to be issued to protect the customers from identity fraud.
“We’re particularly concerned that we weren’t notified of the breach of Medicare data until the last 24 hours,’’ Mr Butler said.
The Foreign Affairs Department is already dealing with a growing queue of Optus customers trying to update passports.
“Well, all of this data is obviously of potential value to criminals, and that’s why consumers are rightly so concerned, almost 10 million of them, at the loss of that data from this huge breach of Optus’s data held,’’ Mr Butler said. “As I say, obviously, it’s deeply unfortunate that we were only notified that Medicare details were included within that data breach in the last 24 hours or so.
“At the state level, state governments are looking at the consequences for driver’s licences and so on. We’ll have more to say about that as soon as we can.”
Liberal Senator Simon Birmingham wants the government to act to ensure victims of the Optus cyber hack don’t have to wait for a new passport.
“While Optus must take responsibility for what may be the largest data breach in Australian history, the Albanese government has a responsibility to help Australians take steps to protect their personal information and security,’’ he said.
Mr Butler said federal officials were working to develop the best response to this breach of passport data.
“I know state governments are considering a response to the loss of driver’s licence data, and as soon as we’re able to respond to that, we will,’’ he said.
But Covid-19-related delays mean that some motorists may need to wait months to replace driver’s licences, increasing anxiety for those impacted.
Of course, these attacks are nothing new. Just last month, Uber revealed an 18-year-old hacker reportedly breached its internal network, including its Slack server, technology systems, Amazon Web Services, Google clouds, and VMware systems.
The company was alerted when Uber employees got a Slack message that read: “I announce I am a hacker and Uber has suffered a data breach,” The New York Times reported.
A lone hacker claiming responsibility for the breach told The New York Times he was 18 years old and decided to compromise Uber because the company had weak security.
If the spelling is anything to go by, the Optus hacker could be of a similar vintage.
Goers: Old-school lunches have a lot to teach us
In a national canteen crisis, apparently kids are only supposed to eat pies, pasties and buns twice per term. I would’ve starved, writes Peter Goers.
Cornes: Power and the pressure, can Hinkley make out the year?
Ken Hinkley must be supremely confident in his own skin to agree to this succession plan, or maybe it’s just ornery stubbornness, writes Graham Cornes.