The effects of the Optus data breach highlight how widespread cybercrime is

Following a hack that exposed the data of 9.8 million current and past customers at Optus, the second-largest mobile phone network provider in the nation, Australians had their personal information held to ransom.

The fallout from the breach is ongoing, and Optus and its parent company, Singapore Telecommunications, are not the only ones attempting to assuage public anxiety and determine what happened and how. Several federal and regional government organizations in Australia are working to put out fires while assuring the public that their personal information, including that related to their health insurance, passports, and driver's licenses, is secure or will remain so.

Optus made its first public announcement on September 22 about the breach, which exposed customer names, dates of birth, phone numbers, and email addresses. Optus has recently verified that the government identity numbers of 2.1 million users were accessed. For certain customers, residential addresses, driver's license information, and passport numbers were also exposed.

Account passwords and payment information were not affected by the hack.

The announcement was initially an excellent illustration of what businesses ought to do in a crisis. The Australian Cyber Security Centre, the Australian Federal Police, and the Office of the Australian Information Commissioner are among the national law enforcement and regulatory organizations that Optus said it had notified and was collaborating with. The business also notified banking institutions to alert them to suspected fraud attempts.

For customers considered to be at "heightened risk," Optus stated that it would send "proactive" personal notifications and provide a free 12-month membership to Equifax Protect, a program that monitors credit reports and protects against identity theft.

Despite these initial attempts to defuse the issue, Optus quickly discovered that it was unable to stay on top of the emergency.

To compel payment, the hacker published the personal information of more than 10,000 Optus customers online on September 26. According to the business, it did not pay the ransom. Optus sent an update on September 30 to inform prospective victims of the ensuing police pursuit of the offender, an effort known as "Operation Guardian."

On October 3, Optus said that it had hired Big Four firm Deloitte to conduct a forensic investigation into the breach and how it occurred, as well as a review of Optus's security controls, procedures, and systems to determine why they were insufficient.

Optus CEO Kelly Bayer Rosmarin said in a statement that the investigation "will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus."

Rosmarin expressed the hope that the assessment "may also help others" in the public and private sectors, where sensitive data is maintained and there is a danger of cyberattack.

On October 6, police in Sydney detained a 19-year-old for the hack and for attempting to demand AUS$1 million (US$638,000) in bitcoin from the business. The unnamed suspect is accused of attempting to extort AUS$2,000 (US$1,280) from each of 93 Optus customers via SMS texts in exchange for not disclosing their personal information online.

On October 7, Optus said that the attack had exposed insurance and healthcare information, including 26,000 expired Medicare ID numbers and 17,000 valid, active Medicare ID numbers.

In response to the scandal, the Australian federal government has announced reforms to its telecommunications data regulations, allowing for greater information sharing and response coordination between compromised corporations and financial institutions as well as federal and state government authorities.

Other legislative amendments are almost certainly coming.

Separately, the government wants to update the nation's outdated Privacy Act before the four-week parliamentary session comes to an end. The changes would include stiffer fines for businesses with lax cybersecurity controls and procedures, and restrictions on the kind and quantity of data companies can keep and how long they can keep it.
