‘Optus to blame’: Home Affairs minister Clare O’Neil scathing of telco

Home Affairs Minister lashes the company and suggests the cyber security requirements placed on large telcos are not ‘fit for purpose’.

Clare O’Neil has been scathing over Optus’ culpability, suggesting the cyber security requirements placed on large telcos were not ‘fit for purpose’. Picture: NCA NewsWire / Martin Ollman

Companies that fail to prevent major data breaches will face steep new penalties under the Albanese government’s response to the Optus hacking crisis, which Home Affairs Minister Clare O’Neil is blaming squarely on the company.

As class action lawyers consider a case against the telecommunications giant, Ms O’Neil flagged “substantial reform”, highlighting the “hundreds of millions of dollars” in fines the company would have faced if the breach occurred in countries with stricter data security requirements. Australian companies responsible for failing to protect customers’ data currently face penalties of just $2.2m, while in the US, a credit agency was fined $US575m in 2019 over a major data breach.

Optus on Monday offered their most affected customers a year’s subscription to credit monitoring service Equifax, which would provide notifications of potentially fraudulent activity conducted in the customer’s name.

The government is furious with Optus over its loss of 9.8m customer records, seeing the incident as a major corporate failure and an urgent warning sign that tougher penalties are required.

It is working on a new penalty regime and will also make regulatory changes to allow hacked companies to rapidly provide details of affected customers to banks and financial institutions to prevent unauthorised access to customers’ accounts.

Ms O’Neil was scathing over Optus’ culpability, suggesting the cyber security requirements placed on large telcos were not “fit for purpose”.

“Responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” she told parliament.

“I also noted that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.”

Ms O’Neil said a major multi-agency effort was now under way to protect Australians affected by the breach, and prevent similar data losses in the future.

Law firm Slater and Gordon said while the circumstances of the incident were yet to be confirmed by Optus, the consequences could be significant for some customers and the firm was assessing their legal options.

“This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed,” class actions senior associate Ben Zocco said.

“We consider that the consequences could be particularly serious for vulnerable members of society, such as domestic violence survivors, victims of stalking and other threatening behaviour, and people who are seeking or have previously sought asylum in Australia.”

“Given the type of information that has been reportedly disclosed, these people can’t simply heed Optus’ advice to be on the lookout for scam emails and text messages. Very real risks are created by the disclosure of their personally identifiable information, such as addresses and phone numbers.”

A purported hacker has published samples of alleged Optus customer data and demanded $US1m in cryptocurrency to prevent the information being released publicly.

The Australian Federal Police said on Monday it was working closely with overseas counterparts to try to trace those responsible for the hack.

“Operation Hurricane has been launched to identify the criminals behind the alleged breach and to help shield Australians from identity fraud,” Assistant Commissioner Justine Gough said.

She said the AFP had “diverted significant resources to the investigation” and was working with the Australian Signals Directorate, but warned the investigation would be “extremely complex and very lengthy”.

“We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities,” Assistant Commissioner Gough said.

“Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them.”

The Optus hackers stole details of primary identity documents, such as passport and driver licence numbers, from 2.8m of the telco’s customers, along with their phone numbers, email and home addresses and dates of birth.

A further seven million Optus users had their dates of birth, email addresses and phone numbers stolen.

Australian Strategic Policy Institute Cyber Policy Centre director Fergus Hanson said the penalties for significant data breaches were “still not well enough aligned either to consumer protection or to the wider national interests of Australia”.

He pointed to a case in May in which a financial service firm was fined just $750,000 for failing to adequately manage its cyber risks, after the loss of thousands of clients’ personal information.

“This was an important first in Australia. However, it raises the questions about the strength and consistency of our framework for ensuring there are consequences for cyberattacks,” he said. “There should be consequences for companies if it’s found that they were deficient in protecting consumers’ data.”

In 2017, US-based credit agency Equifax lost the personal and financial information of nearly 150 million people due to an unpatched database. Two years later, it agreed to pay at least $US575m, and up to $US700m, in a settlement with US consumer protection authorities for its “failure to take reasonable steps to secure its network”.

Original URL: https://www.theaustralian.com.au/nation/optus-to-blame-home-affairs-minister-claire-oneil-lays-blame-squarely-at-telco/news-story/1281ec0a0a9476da0bd6216d04c9db38