Government plans big changes to security measures amid Optus hacking fallout
The Federal government is expected to announce big security changes after millions of Optus customers had their personal data stolen.
The Federal government is reportedly preparing to introduce new security measures after hackers stole the personal data of millions of furious Optus customers.
On Thursday, Optus revealed that about 9.8 million Australians had potentially been impacted by the security breach, which resulted in past and present customers having their names, emails, phone numbers, dates of birth, addresses and in some cases even drivers’ licence and passport numbers stolen.
Now, it appears the Albanese government is planning to make some big changes as a result of the cyber attack, according to the ABC.
The publication reported that Home Affairs Minister Clare O’Neil, joined by several of her colleagues, met with the Australian Signals Directorate and the Cyber Security Centre on Saturday to discuss the impact of the breach.
Under several new changes being pursued by the government, which will reportedly be announced in the coming days, it would become a requirement for banks and other institutions to be notified quickly in the event of a security breach.
At the moment, privacy protections prevent banks from being immediately notified when a cyber breach occurs that impacts their customers.
The ABC reported Optus will also be directed to hand over customer data to the banks so they can monitor the accounts of customers who have had their data stolen in the cyber attack.
On Saturday, Ms O’Neil posted a tweet claiming she would have “more to say” about the Optus security breach over the coming days.
I want to pay credit to world-class Australian government agencies such as the @asdgovau, the @cybergovau and the @ausfedpolice who are working through the night and all weekend to support our response to the attack.
— Clare O'Neil MP (@ClareONeilMP) September 24, 2022
Customers rage at Optus’ response to hacking
Optus has received major backlash in the wake of the cyber attack, with customers blasting the telco for its response to the situation.
On Friday, it was revealed that Optus knew about the breach on Wednesday, though they didn’t release an official statement until Thursday afternoon, after The Australian had already published an article about the cyber attack.
Optus CEO Kelly Bayer Rosmarin said she first found out about the attack “less than 24 hours before we went live to the press”.
“It was only late that night that we were able to determine that it was of a significant scope. I think that was sort of a late night call. And by 2pm the next day we had notified everybody and tried to get all our ducks in a row,” she said.
On Friday, 2GB’s Ben Fordham questioned why the telco only released a statement after the story had already been broken.
Optus Regulatory and Public Affairs Vice President Andrew Sheridan said Optus was preparing to issue a media release when the story went live.
“You knew about it on Wednesday. You didn’t reveal it on Wednesday, you didn’t reveal it on Thursday morning, you didn’t reveal it Thursday lunchtime,” Fordham said.
“It was only after The Australian newspaper splashed the story on their website that you put out a statement. If you are interested in protecting your customers, why didn’t you alert them the moment you were aware of this potential breach?”
Mr Sheridan claimed there were a “number of steps” that need to be taken in these situations, claiming Optus had actually acted “very, very quickly”.
“I’ve got to call you out Andrew, I don’t think you’ve acted quickly at all,” Fordham said.
Customers have also been complaining about the lack of support they received from Optus in the days following the cyber attack.
In one case, Optus refused to compensate a customer for running a $15 credit check and in another, a young mum has discovered that she is unable to change her mobile phone number to better protect herself without copping a fee of about $1000 to switch providers.
James*, who preferred to stay anonymous, learned he had been impacted by the data breach and raced to protect his identity and his money.
But the Sydneysider, 35, said the response he received from Optus was “despicable” after being “forced to set up” an identity theft monitoring account via credit checking agency Equifax, which costs $15 per month.
But when he requested that Optus cover the cost, a worker told him he wasn’t entitled to any compensation.
“It’s a pretty despicable act as a company to allow for a breach to occur and then refuse to assist customers protect themselves when they exposed those customers to the risk,” he told news.com.au.
Hacker’s $1.5m demand as other telcos warned
A nefarious online character claiming to have obtained sensitive information of millions of Australians is demanding Optus pay them US$1 million (A$1.5 million) in cryptocurrency.
The ransom demand appeared on a forum early on Saturday morning and experts say so far it appears legitimate.
The so-called hacker claims to have important data about 11.2 million Optus customers, including their names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses and ID document numbers such as driver’s licence or passport numbers.
“Optus if you are reading! price for us to not sale data is 1.000.000$US We give you 1 week to decide,” part of their message reads on the forum.
The hacker showed a sample of the dataset to prove their authenticity, which cyber security researcher and writer Jeremy Kirk from ISMG Corp said aligned with the breach and indicated they may indeed be the person behind the breach.
“I just ran 13 email addresses from the first batch of sample data from the alleged Optus leak through Haveibeenpwned [a website that shows if your email or phone number has been involved in a breach]. Six come back as unique (not in another breach indexed in HIBP).
“Again, another strong sign that the Optus data is real,” he wrote on Twitter.
On Friday, Delia Rickard, Deputy Chair of the Australian Competition and Consumer Commission (ACCC), warned that other telcos could be vulnerable to similar attacks.
“In this day and age cybercrime is huge and whilst most agencies are spending a fortune to protect themselves you can’t say that anyone is 100 per cent safe,” Ms Rickard told Nine’s Today.
Ms Rickard labelled the whole situation “very concerning”.
– with Alex Turner-Cohen