- by Anna Pha
- The Guardian
- Issue #2027
Photo: www.bluecoat.com – flickr.com (CC BY-SA 2.0)
Millions of angry Optus customers are horrified and concerned that the security of their personal details was breached in a cyberattack on the company. Optus’ failure to protect their private and sensitive data is just one of many cybersecurity breaches that are on the rise.
As of writing, according to Optus the data of up to 9.8 million people was accessed and that of 10,000 people were exposed by the theft. Names, drivers’ licence numbers, ID numbers, email and physical addresses, passport numbers (150,000), and Medicare numbers (37,000) were stolen and exposed. The data had been stored for up to six years, including that of former customers.
Questions need answering: How did the second largest telecommunications company in Australia let it happen? Why was Optus storing so much data for six years? What should victims of the attack do?
Up to forty per cent of the adult population is affected, making it one of, if not, the largest, corporate cybersecurity breaches ever in Australia.
Those responsible claim they have destroyed the data after initially seeking and then abandoning a ransom of US$1 (AU$1.55m), apparently unable to work out how to be paid without identification, but there is no way confirming this.
OPTUS RESPONSE
The security breach was publicly reported on 23rd September. A few days later, Optus began sending messages to customers referring to the “disclosure” of certain information. Optus later followed up with another message indicating what information had been “exposed.” The items listed as disclosed and exposed were not necessarily the same. The difference in terminology or why the list of ID items in the two messages was different was not explained.
Optus took out full-page “We’re Deeply Sorry” ads in the weekend newspapers desperately attempting to reassure current and former customers that it is doing everything possible to protect them and working with authorities to find who is responsible. The police, various government agencies and the US policing and surveillance agency the FBI are involved in the investigation.
Optus has offered a year of free credit monitoring and said it will pay for the cost of replacing passports. The company alleges their system was “hacked,” but cybersecurity experts say otherwise, that Optus left the door wide open to the theft of data. There have also been suggestions that Optus had a stingy approach to cybersecurity: implementing safety measures impinges on profits. It’s profits first, last, and always.
GOVT RESPONSE
Cybersecurity Minister, Clare O’Neil, did not hold back in lambasting the company and dismissing Optus’ claims that it was a “sophisticated attack.” She also accused the company of “effectively leaving the window open for data of this nature to be stolen” – an assertion that Optus CEO Bayer Rosmarin objected to: “We are not the villains.”
Attorney-General Mark Dreyfus said the government was considering whether the penalties under the Privacy Act are adequate and how long companies could hold consumer data. The government is expected to bring in legislation before the end of the year or early next year.
Optus claims that it is legally required to keep records for six years. The Australian Privacy Foundation (APF) disputes this, saying that under Telecommunications Consumer Protections Code, it is only required to keep it for “up to six years prior to the date the information is requested.” Name, account and reference number should be sufficient.
There is another telecommunications act which requires metadata to be kept for two, not six years. “The big problem with Australia’s data retention laws is that there’s really no limit how long a company can keep personal data,” the APF said.
Government departments, credit agencies, welfare agencies, job network providers, rental agencies, insurance and finance companies, social media outlets, retailers, and a multitude of other enterprises collect and hoard personal information.
“Consumer data is big business. Companies are collecting – and keeping – much more personal information than they need without a truly legitimate commercial or legal purpose,” the APF said.
DATA IS GOLD
Trying to take the high ground, Dreyfus said, “For too long, we’ve had companies solely looking at data as an asset that they can use commercially. We need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians.”
Hackers profit from data by such means as fraud and identity theft. One hundred points of your ID could be used to take out a bank loan or credit card in your name. In the case of health data, insurance companies could use it to refuse claims, adjust policy premiums or deny cover.
Data theft is not the only means by which data can be accessed by third parties without your knowledge let alone consent.
When you make an online purchase, visit a website, search the internet, take out a loan, make an application to rent a home, or numerous other transactions, your personal information is being harvested and stored. This is sold directly or through data brokers to third parties for their use without your knowledge.
Corporations provide their privacy policies, usually online, which contain pages and pages of information which very few people read before “accepting” them. Even if someone attempts to read all the detail, it can at times be extremely vague. For example, a company says it “may” share your data with “trusted partners.” Who are they? What does that mean? Can these “trusted partners” then share it with their “trusted partners.” It’s like signing a blank cheque for sharing, including selling, your personal details.
Customers have no idea that data brokers are trading their personal data, that organisations are collecting this data, and developing profiles of people to target for advertising or other more sinister purposes. It can be an unnerving experience to go online to purchase a product and then for days later be subjected to ads for the same product when going online.
When companies request acceptance of a privacy policy, any use beyond the minimum required to provide a product or service should be the very minimum required to do so and meet the law – any other should be on an opt-in basis.
OTHER CYBER ATTACKS
CTARS is a cloud-based provider for NDIS, disability services, out-of-home care, and children’s services. Its customers are service providers, and it holds the personal information of its clients, staff, carers and other third-party suppliers. In May 2022, it reported that a sample of its data had been posted on the deep web. (Deep websites are unidentifiable by common search engines.)
The data included personal information relating to customers and their clients and carers. This information is extremely sensitive and its misuse by unauthorised parties is potentially extremely damaging to NDIS participants.
Other organisations and companies that have been hacked include Uber, myGov, Service NSW, Fremantle Football Club, TikTok, DoorDash, Cisco, Woolworths (Everday Rewards hacked), Deakin University (47,000 student details), Transport for NSW, Samsung, and Coca Cola. (webbeinsuance.com.au has long lists of data breached by year.)
TOUGHER LEGISLATION
The funding of the Office of the Australian Information Commissioner, the national regulator for privacy and freedom of information, has been cut by more than sixty per cent in the three years 2020-21 to 2022-23.
The Privacy Act and penalties for breaches are well past their use-by date in today’s digital society.
A well-resourced regulator is needed, with far larger penalties and teeth to enforce a strengthened Privacy Act. There also needs to be redress for the victims of cyberattacks.
“It is long past time the Australian government acted to protect our privacy instead of constantly passing laws that require more and more private data to be collected, stored, and inevitably stolen. This is a systemic problem that only they can do something about,” Electronics Frontier Australia, a digital rights organisation, said.
EFA call for amendments to the Privacy Act to prevent organisations from collecting and storing information to be sold on. Ironically, Optus’ submission to the Attorney-General’s Department’s long-running review of the Privacy Act proposed weakening privacy protections!
At present, the maximum fine for “serious interference with privacy” is $444,000 for individuals and $2.2 million for companies – peanuts for a company like Optus. This is compared with anyone who buys stolen information facing up to ten years in jail.
Stronger laws with far larger penalties that act as a real deterrent are required.
