Australia's privacy rules look set to be overhauled, as the fallout from the massive data breach at Optus continues.

Nick Wood

September 26, 2022



Prime Minister Anthony Albanese had his say on Monday, telling Brisbane radio station 4BC that the Optus hack represents “a huge wake-up call for the corporate sector” when it comes to data protection.

Last week it emerged that around 9 million current and former Optus customers had their personal information – including names, dates of birth, phone numbers, email addresses and in some cases, postal addresses, and driver’s licence and passport numbers – stolen in one of Australia’s biggest ever hacks.

“This is a massive breach that has occurred,” said Albanese in his wide-ranging interview. “We know that in today’s world there are actors, some state actors but also some criminal organisations, who want to get access to people’s data.”

Indeed, on Friday someone claiming to be the hacker responsible posted on a data-breach forum that they were in possession of 11.2 million Optus user records, 3.8 million of which include some form of identity document number. To back up their claim, the hacker made available a sample of 100 records. Telecoms.com took a quick look at the sample, which was uploaded to the text-hosting website Pastehub, and while much of it is garbled, it does appear to contain personal data including names and email addresses, along with details such as whether the customer is an active subscriber, whether they are on a postpaid or prepaid plan, and so on.

In a separate report by cybersecurity intelligence firm ISMG, researcher Jeremy Kirk said the sample of leaked data appears to be the real thing.

The hacker said they will delete the stolen data in return for US$1 million worth of the cryptocurrency Monero. They gave Optus a week to decide, after which they will begin selling the data.


Unfortunate as they are, data breaches are a regular enough occurrence these days that they usually warrant little more than lip service on the part of lawmakers. However, the Optus hack appears to be high-profile enough to have stirred politicians into genuine action.

Albanese hinted on Monday that he wants some kind of mechanism that informs banks of a data breach so that they can take appropriate measures to protect affected customers from financial loss.

Albanese’s Cyber Security minister Clare O’Neil already seems to be on the case.

She told the Australian Parliament on Monday that “a very substantial reform task is going to emerge from a breach of this scale and size,” adding that she hopes to work collaboratively with opposition MPs to update legislation.

Australia’s Privacy Act 1988 sets out 13 Australian Privacy Principles (APPs) with which regulated entities, including telcos like Optus, must comply. APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. It also requires that personal information no longer needed for any permitted purpose, such as data on ex-customers, be destroyed or de-identified. The Act is enforced by the Office of the Australian Information Commissioner (OAIC), and under the Notifiable Data Breaches scheme regulated entities must notify the OAIC and the affected individuals of any data breach likely to result in serious harm.

O’Neil questioned whether current cybersecurity requirements are fit for purpose, and fired a warning shot across Optus’s bows:

“I also note that in other jurisdictions, a data breach of this size would result in fines amounting to hundreds of millions of dollars,” she said.

For its part, Optus says it is cooperating with all the relevant authorities and supporting current and former customers who have been caught up in the breach.

“We are now taking a further step to help reduce the risk of identity theft. Optus is offering the most affected current and former customers whose information was compromised because of a cyberattack, the option to take up a 12-month subscription to Equifax Protect at no cost. Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft,” the telco said in a statement on Monday, reiterating that no passwords or financial details were accessed.

“The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost. Please note that no communications from Optus relating to this incident will include any links as we recognise there are criminals who will be using this incident to conduct phishing scams.”



About the Author(s)

Nick Wood

Nick is a freelancer who has covered the global telecoms industry for more than 15 years. Areas of expertise include operator strategies; M&As; and emerging technologies, among others. As a freelancer, Nick has contributed news and features for many well-known industry publications. Before that, he wrote daily news and regular features as deputy editor of Total Telecom. He has a first-class honours degree in journalism from the University of Westminster.
