Optus was set to dine out on its success. Then the hack happened
By Nick Bonyhady and Zoe Samios
The invitations were sent. The venue was set. More than 100 business leaders, government figures and major customers were to attend an “evening of culinary delights and meaningful dialog [sic]” hosted by Optus and its parent company SingTel Group at the Art Gallery of NSW on September 27.
Optus’ chief executive Kelly Bayer Rosmarin and chairman Paul O’Sullivan would be leading the festivities to “celebrate how our partnerships enable us to unlock future value for consumers, businesses and communities”.
But five days before the soirée, news broke that Optus had experienced the biggest cybersecurity breach in Australian corporate history, allowing criminals to download the details of almost 10 million customers. Despite the unfolding events and a growing customer backlash, there was no sign of the event being cancelled.
Over the ensuing days, the public response to the stolen data grew more vociferous. As Optus’ handling of it came under the microscope, the company copped a barrage from the media and the federal government. At 10pm the night before the dinner, Optus pulled the pin on the event.
The whiplash with the event resembles other parts of Optus’ response as it slowly realised the full extent of the consumer anger it faced. The events of the last 16 days have dominated discussion in boardrooms around the country and will be grist for business school case studies for years to come.
What started with Optus disclosing a cyberattack, as a raft of other companies have done to little fanfare, quickly metastasised into a full-blown political crisis. The size of the breach, customers’ desperation to know what documents they needed to replace, questions about Optus’ transparency and disputes with the federal government all combined to turn a big story into what one telecommunications industry executive called a “dumpster fire of s--t”.
From the outside, Optus seems a well-oiled machine: the country’s second-largest telecommunications company, with $7.8 billion in annual revenue, a third of the mobile contract market and about $2 billion in earnings before some common costs. The billions it spends on its mobile network, which has been rapidly upgraded from 3G to 4G to 5G, makes Optus a crucial competitive counterbalance to the dominance of Telstra. And its cheerful brand is backed to the hilt by its owner, the mammoth SingTel conglomerate, based in the famously efficient one-party ruled city-state of Singapore.
But several former Optus senior employees saw a different side to the company. They described Optus as a company strong on branding – with celebrity figureheads such as Formula 1 driver Daniel Ricciardo holding the title of Chief Optimism Officer and former tennis star Ash Barty recently appointed Chief of Inspiration – but underequipped in areas such as compliance, government relations, communications and security. Some former employees labelled Optus’ leadership – before Bayer Rosmarin started with the company – as “cheapskates” who allowed major outsourcing and followed decisions from Singapore.
“Everything is decided by Singapore,” one former employee said.
Many roles in human resources, customer care, finance, accounting and network maintenance have been outsourced during SingTel’s ownership, though Optus still has staff on the payroll across the various divisions. Several of the former staff, who all spoke on condition of anonymity to avoid jeopardising current roles, also said some of Optus’ Singaporean leaders preferred not to hear of the problems, an attitude that, the former staff added, filtered down to Australia.
Optus has a history of privacy issues, as well. In 2014, it confessed to accidentally releasing the names of about 122,000 customers to the phone directory, even though they had asked to be excluded, an opt-out often relied on by people such as domestic violence survivors. At the time Optus blamed a system error, as opposed to a hack, and apologised. But in 2019, it admitted to putting another 50,000 people in the phone directory without their permission. Again it apologised and blamed a “system error”. The matter is under investigation by the privacy commissioner. And in 2018 it endured the high-profile “Floptus” saga, when its online World Cup broadcast failed for many fans, triggering a further apology.
Optus has defended its cybersecurity investment and practices. All of its staff do required training on security and compliance. The company did not directly answer questions for this story, but provided a statement from its regulatory and public affairs boss, Andrew Sheridan, which said it deeply appreciated the support it had received from government.
“We are working closely with government, including through the recently established federal government working group on the all-of-government response to the cyberattack,” Sheridan said. “We have been working closely with more than 20 government agencies and authorities on the cyberattack. The engagement could not have been more constructive.”
Optus’ structure flows upward to Singapore through an advisory committee that includes an array of eminent Australians. David Gonski, John Morschel and Paul O’Sullivan, none of whom have direct responsibility for cybersecurity, are among them. None have commented publicly on the hack, though SingTel has issued a general statement emphasising its commitment to cybersecurity, its customers and the Australian leadership team, including chief executive Bayer Rosmarin.
Optus’ business and enterprise boss Gladys Berejiklian, who has responsibility for government relations, and its chief information officer Mark Potter have also been silent.
Bayer Rosmarin, who several former Optus insiders described as ambitious, determined and exacting, has been the face of the response. Educated at Stanford University, she got her start working in software companies but came to Australia and climbed rapidly within the Commonwealth Bank during a 14-year tenure.
Once seen as a contender for the bank’s chief executive role, Bayer Rosmarin lost out to current boss Matt Comyn and then left along with a host of her colleagues as the bank came under scrutiny from the royal commission into financial services. But she still has supporters in the financial world. The bank’s former boss Ian Narev was full of praise for her in a 2021 Sydney Morning Herald and Age profile, describing Bayer Rosmarin as brave, smart and a “disruptive thinker”. In 2019, she was appointed deputy chief executive at Optus and a year later ascended to the top job, her first CEO role, where she had a relatively low profile before the hack.
While Bayer Rosmarin’s character is the kind that is prized in the top ranks of corporate Australia, people familiar with her suggest it could also help explain Optus’ decision to clash with government, media and experts over the details of the hack rather than taking a purely apologetic and collaborative line.
On September 28, the media analyst and reporter Tim Burrowes said for the crisis to still be front-page news six days after the hack became public was a communications failure. It would be a case study in crisis management courses, Burrowes wrote in his Unmade newsletter.
But six days after that, the saga remained just as prominent after Bayer Rosmarin did another round of testy interviews. She continued to suggest people describing the hack as “basic”, a group which included Home Affairs Minister Clare O’Neil, were “not speaking from a position of knowledge”.
(Most cybersecurity experts believe O’Neil’s version of events but a full report by Deloitte that Optus has commissioned has not been completed. It will not be made public for security reasons. Other ways through which the nature of the hack could be publicly confirmed, such as lawsuits or an investigation by the privacy commissioner, could take years.)
Optus picked another battle when it let it be known it felt blindsided by a broadside on October 2 from O’Neil and Government Services Minister Bill Shorten over its tardy transfer of information on people whose Medicare, Centrelink and passport numbers had been taken.
The company’s view was that it had until October 4 to get the data across, which the government has not disputed. Some of the company’s defenders agree, seeing it as the victim of premature barbs from a government hoping to ride the wave of popular discontent and avoid scrutiny of whether it was doing enough to assist Australians. But its approach still sparked a rebuke from Shorten, who saw the company’s communication with his department as lacking until Optus bowed to public pressure.
“When you’ve got a problem, just reach out and get the help you need,” Shorten said in public comments directed explicitly at Optus’ senior leadership team. “Listen to the lawyers later. Listen to the people telling you how to cover your backside later. The problem is the horse has bolted.”
Two cybersecurity professionals, who did not want to speak publicly to avoid jeopardising relationships in Canberra, questioned whether the government fury directed at Optus was wise, even if it was factually correct. They feared it would discourage other companies from reporting cybersecurity breaches, even though there are laws requiring many corporations to report them. Others saw O’Neil and Shorten as being justified in their annoyance.
Optus has also been gazumped by the federal government. In one example, on September 26, O’Neil called on Optus to provide free credit monitoring to customers, something the company was already working on. The move meant Optus could not claim full credit. It has also had to wrangle millions of customer records and deal with more than 20 state and federal agencies as it tried to work out which of the people whose personal ID numbers were taken in the hack had to replace their cards. And it has had to communicate with customers and the media about those actions while the federal police and other law enforcement agencies try to find the hacker, which Bayer Rosmarin maintains has limited what she can say publicly.
A week ago, Optus began to take the steps communications experts had recommended for days. It bought full-page apology ads in national newspapers and brought in experienced crisis relations professionals, boosting the company’s comparatively small corporate relations team led by Sheridan.
Its main and much larger rival, Telstra, has a fleet of lobbyists at external firms and an extensive government relations team. Optus, by contrast, has no external registered lobbyists. It is a strategy that some former insiders said would make sense in Singapore, where SingTel’s primary owner Temasek is the state wealth fund and impeccably well-connected, but unusual for a big company in Australia. For its part, Optus believes using its own government affairs division is a more effective way of lobbying.
But in other ways Optus appears to be getting along with parts of the government. On Friday, Bayer Rosmarin joined a discussion with a working group of nine state and federal agencies. The day before, Communications Minister Michelle Rowland and Attorney-General Mark Dreyfus unveiled changes to telecommunications privacy rules to let phone companies share more information with banks and government to help stop fraud. That fixes a problem that Optus had identified, Rowland said on ABC radio.
Optus’ relations with the unions, which can be a way of companies forming ties with Labor, are limited, however. Shane Murphy, who as national divisional president of the Communications Union represents workers at telecommunications firms, draws a comparison between the two big phone companies. Acknowledging that Telstra, which has more unionised staff, had a huge head start from its days as the government monopoly, Murphy said the company was “still much more sophisticated, better set up, better at what they do”: “It’s not perfect industrially – we’ve had many battles, including industrial action – but the way they’re operating at the moment is far different to Optus.”
For years, Australia’s third-largest phone network, Vodafone, carried a heavy cross. The 2012 “Vodafail” moniker it earned for network unreliability would not go away. One executive at another telecommunications company said the breach is just as bad a blow for Optus. “We’ve seen a 30-times increase in people from Optus applying for roles,” the person said.
So far, the financial cost to Optus of the breach is unquantifiable, as is how long it will live in customers’ memories. With most phone contracts lasting two years, Bayer Rosmarin and Optus will be hoping memories are short.