NewsBite

Be careful laying into Optus as data hack could happen anywhere, says Telstra chairman John Mullen

John Mullen says the company’s own data breach proved no one was immune to criminal behaviour.

Telstra chairman John Mullen to step down

Telstra chair John Mullen says it’s easy to criticise Optus for a major data breach which has mired it in controversy – but a similar attack could affect any company.

Mr Mullen, speaking at the Telstra annual meeting, said: “Let me be blunt and say that it’s very easy to be critical when it isn’t you in the firing line, and we should all avoid hubris because no one can afford to be complacent.”

The disclosure of the breach at Telstra’s largest rival, first reported by The Australian, led two commonwealth watchdogs to launch investigations into Optus on Tuesday. The Office of the Australian Information Commissioner and the Australian Communications & Media Authority separately said they would review why the telco had kept such extensive data on its customers.

In a statement late on Tuesday, Optus regulatory and public affairs vice-president Andrew Sheridan told The Australian the telco would work with regulators as it responded to the attack.

“Optus is committed to working with governments and regulators as we respond to the impacts of the cyber attack. We will engage fully with the OAIC and the ACMA as they undertake their inquiries,” he said. Its parent, Singtel, made a similar statement to the Singapore Exchange.

Serious or repeated breaches could result in the OAIC seeking civil penalties through the Federal Court of up to $2.2m for each contravention. The investigation will partly consider whether the information collected and retained by Optus was necessary to carry out its business.

Asked about Telstra’s own breach – in which the personal information of 30,000 current and former employees was posted online – Mr Mullen said: “You could get from anywhere.”

Telstra staff were notified of the breach on October 1. Mr Mullen said his data, as well as that of new chief executive, Vicki Brady, had been exposed in the breach.

“The pegasus breach that happened was not actually Telstra – it was a third party provider with some data people could get from anywhere,” he said. “I was on the list and so was Vicki, and it was just my name and email – and it definitely wasn’t a breach of our systems,” he told shareholders.

Mr Mullen likened the possibility of being hacked to a recent plumbing job in which he handed his personal details to a tradesman. “Unfortunately, every one of us are exposed to that every day, and so the ability for us to say unequivocally you will never have an issue, we just can’t do that,” he told investors. “We can never give 100 per cent guarantees. It’s just not possible.”

Asked why Telstra and Optus kept so much customer data, Mr Mullen said it was largely for legal reasons and that a review was welcomed by the company.

That view was echoed in a blog post published by the company early in the afternoon which said that retaining data was “the law and we comply with it as a necessary part of doing business”.

“To help law-enforcement agencies combat fraud and other criminal activity, telecommunications service providers are required to retain data used for identification purposes while an account is active, and for two years after it is closed,” the statement said. “Importantly, the retained data must be encrypted and protected from unauthorised interference and access.

“Once we know who you are, and we have an ongoing way of verifying who you are (eg through biometrics like face ID or fingerprints that you control), there should be very few reasons to retain your ID data.”

Telcos should put aside their differences to combat the risks of cyber attacks, Mr Mullen said. “The threat and sophistication of the attackers grows every day, and to address the threat business needs to put aside competitive rivalry and work constructively across industries, with government, and with the community to protect Australia from this modern scourge,” he said.

At the meeting on Tuesday, Mr Mullen formally flagged his retirement from the board.

Shareholders also approved a restructure of the company – part of Telstra’s T22 strategy – which would result in it being split into four separate entities under a new holding company so that it could better find external investment in its infrastructure assets.

The company will have four subsidiaries, one each for its mobile towers (Amplitel), its fixed line assets (InfraCo Fixed), its spectrum (ServeCo), and its international operations. Telstra sold a 49 per cent stake in Amplitel to a consortium led by the Future Fund in a $2.8bn deal last year.

Analysts at JP Morgan expect a 49 per cent stake in Telstra InfraCo could be worth between $12bn and $17bn, which the company could use to pay down debt.

“Under the different valuation scenarios we estimate $10.5bn to $15.5bn could be returned to shareholders,” the investment bank’s analysts said. “A monetisation of the infrastructure assets could be one of the most significant events for Telstra since the creation of the NBN Co.”

Incoming Telstra chief Vicki Brady addresses the annual meeting. Picture: Andrew Henshaw
Joseph Lam, Reporter

Joseph Lam is a technology and property reporter at The Australian. He joined the national daily in 2019 after he cut his teeth as a freelancer across publications in Australia, Hong Kong and Thailand.


Original URL: https://www.theaustralian.com.au/business/technology/be-careful-laying-into-optus-as-data-hack-could-happen-anywhere-says-telstra-chairman-john-mullen/news-story/0b646e699c46b1177366aada638f092b