Has Optus learned from the cyberattack playbook?
The outage is a reputational disaster for Optus and its boss Kelly Bayer Rosmarin, and comes just as the telco was attempting to put last year’s massive cyber attack behind it.
Business
Don't miss out on the headlines from Business. Followed categories will be added to My News.
That Optus has caused another major scare for its owner Singapore Telecommunications in a little over a year, serious heat will now certainly be put on Kelly Bayer Rosmarin who heads the accident-prone Australian offshoot.
The massive network outage is another reputational test for Optus and comes just as the nation’s second biggest telco was attempting to get back on its feet by putting last September’s massive cyber attack behind it.
Once again Optus and Bayer Rosmarin are in the political firing line with senior government ministers including Home Affairs Minister Clare O’Neil and Communications Minister Michelle Rowland demanding to know how millions of customers and critical infrastructure could be offline for more than 10 hours. And it was telling that Optus couldn’t say – even late in the day.
The scale of the outage was enormous. Millions of Optus customers were directly impacted, businesses were put offline and it is entirely unacceptable that a hospital communications network also went down.
The timing for Optus couldn’t be worse. The Singtel board including chairman Lee Theng Kiat have been in Australia since Monday.
This had been a long-scheduled visit that has also taken in meetings with major corporate customers and comes ahead of the release of Singtel’s half-year results on Thursday morning.
Singtel’s Singapore-listed shares were off nearly 5 per cent on Wednesday in a flat market. This mean questions over what is being done about Optus will be part of a bigger investor discussion. In Australia, rival Telstra shares were up nearly 2 per cent, also defying a flat market.
Australian directors on the Singtel board are corporate lawyer John Arthur and former Westpac boss Gail Kelly, who saw first-hand the anger linked to last year’s cyber attack.
Network fallout
From past cyber attacks including Medibank and even in the case of Optus, Australians are forgiving when something goes wrong. But it’s how the aftermath is handled that tests the relationship.
And Optus’ confused response during the outage shows the key lesson from its cyber attack hasn’t been learned. It’s all about communication.
Optus rightly came under criticism last year when it was slow off the mark to let nearly 10 million customers know the extent of the data breach on its network. Valuable information linking customer names, date of birth and phone numbers, were stolen. Some customers also had high level data stolen including driver’s licence and passport details. This resulted in a costly reissue of licences and passports with intense anger aimed at Optus.
When the Albanese government later increasing maximum penalties against companies hit with serious data breaches including fines of up to $50m, Optus argued it too was also the victim in the ransomware attack. However, that approach did little to win over customers. Optus is yet to come clean on what exactly happened in that attack.
Medibank for its part came under pressure but drew a line in the sand. Chief executive David Koczkar stared down the cyber hackers despite the cost. Before the attack the health insurer had run through numerous drills and how to respond. And it showed. Medibank saw customer numbers start to grow within months after the attack. Optus too saw a rebound after three months, however it has come at a cost to profit margins.
While the human impact is not on the scale of a cyber breach, outages can also have serious financial implications. After all they go to the heart of reliability and network strength. And that is a big driver of whether customers choose to go with one telco over another.
It took Vodafone years to recover from its Australian network failures a decade ago and even now this still haunts the telco that has since merged with broadband player TPG.
A string of network failures at Telstra almost brought former chief executive Andy Penn unstuck early in his tenure. Penn had to issue a personal apology and pledged to spend hundreds of millions of additional funds to fix the problems to head off any loss of market share.
In today’s world telecommunications is just as important as electricity. Businesses are built around offsite communications and the digital services are embedded into every part of our daily lives. From payments to catching an Uber, it all happens silently and seamlessly in the digital world – and this is why it catches us so offguard when it doesn’t work.
In most cases, network outages are usually contained to a specific geography and are quickly back online.
A catastrophic failure of this scale taking in both mobile and broadband services is rare, and strongly suggests a problem was in Optus’ core network. Essentially this is the most critical piece of telco infrastructure, or the brains that run the entire network.
An outage in the core usually occurs if there’s a router failure or equipment is being replaced or upgraded. But these processes should normally be protected by redundancy which means something has gone horribly wrong.
In the dark
Optus issued a short statement earlier Wednesday after its network had been out for three hours, but it gave no indication to customers it knew what the outage was, or what it was doing to fix it. Customers remained in the dark hours later with limited information just dribbling through.
The national impact means the incident is arguably one of the biggest for the telco industry yet. It was only early afternoon that the network had started coming back online.
During the outage Bayer Rosmarin spoke to Sydney radio (via social app WhatsApp) but was unable to say what exactly went wrong, which add to the confusion. “We don’t have line of sight into the root cause,” she said, although there was a “pathway” to restoring the whole network. This just compounds the perception among customers that the people at the top of the telco were not across the issues. If there is nothing substantial to say early, it is far better for an operational executive to do the talking and take the heat. Save the chief executive to deliver the real news.
Optus last year commissioned Deloitte to undertake a forensic review of what happened in the cyber attack and while it committed to share recommendations it later decided against this approach. The fate of the Deloitte report is now in the courts with class action lawyers attempting to secure its release. This only adds to the view the telco may have something to hide.
Last year Optus had the biggest lift in complaints issued to the Telecommunications Industry Ombudsman, most of this were linked to the data breaches but the trend too is a worry. While Telstra had the biggest number of complaints by volume, Optus’ complaints jumped 30 per cent. Telstra’s complaints fell 35 per cent over the year.
The outage follows Optus’ stunning win earlier this year when it managed to convince the competition regulator it could be a viable force in rural and regional Australia. Here it argued Telstra and TPG should not be allowed to share network capacity in the bush. The decision to block the network sharing deal was the ACCC’s, but those living in rural Australia would be wondering if this decision was really the right call.
It’s now going to be another long road for Optus to win back trust. And this time it is going to be harder and potentially more costly, given it looks as though the number one lesson of last year’s cyber attack — keeping customers onside — is yet to fully sink in.
johnstone@theaustralian.com.au
Originally published as Has Optus learned from the cyberattack playbook?