Shortcuts / 06 October 2022

Cybersecurity and the Optus data breach

Whether you’re an Optus customer or not, you might have heard the news of one of Australia’s worst-ever data breaches that left millions of people’s data exposed. So in this Squiz Shortcut, we take a look at how it happened, what the federal government is doing to try to stop history from repeating, and why a lot of Aussie businesses will be stepping up their cyber game.

That Optus hack really was something…
It sure was – the personal information of 9.8 million Aussies was potentially compromised, including millions of names, dates of birth, and even driver’s licences, passports and Medicare numbers.

Yep, it’s really shattered the idea that our details are safe with a big company. We’ve all gotten so used to handing over information every time we buy something that it’s easy to get a bit complacent.

But it’s not like customers really have a choice in the matter…
That’s right – if you want a new phone plan you need to provide 100 points of ID and that includes handing over Medicare cards and passports.

How could a company as big as Optus not have proper protections in place?
It’s a good question and there will be plenty more to come on that. As well as the federal agencies that are all over this, Optus has called in Deloitte to run a big review. Optus is maintaining it was a sophisticated attack – but there is serious dispute about that.

Says who?
Home Affairs Minister Clare O’Neil reckons it was like Optus had left a window open in their house, and other internal sources within the company suggest the data didn’t require authorisation or authentication to access and that really anyone with a solid knowledge of internet addresses could have cracked it.

And it’s not like cyber attacks are anything new
That’s right – previous federal governments have been warning us about this for years and telling businesses to harden up their defences. And going back to when Malcolm Turnbull was PM, 2 pretty interesting things happened…

Go on…
The first was when he publicly confirmed in 2016 that the Bureau of Meteorology had been the victim of a big attack. Until then, governments didn’t confirm or deny when so-called malicious states tried to get access to our systems – so he was changing tack to shine a light on the problem.

What was the 2nd thing?
Turnbull actually said cyber security was the new “frontier of warfare” and he directed our intelligence agencies to get on the offensive – so not just to sit back and defend our systems but actively “disrupt” and “deter” organised cyber criminals.

So cyber attacks have been a big problem for years?
Yep – there were some 47,000 incidents in 2017. That’s defined as anything that might compromise a business’s activities, whether it’s a scam email, someone trying to steal intellectual property, or just maliciously taking them offline.

What’s the government doing to stop history from repeating itself?
There are a few things… When it comes to penalties, the fine for a data breach is currently capped at $2.2 million. That’s petty cash for a multi-billion dollar company and the government says it needs to be much bigger.

How much bigger?
Probably in the hundreds of millions – other countries have fines that big. The Opposition seems pretty supportive of that measure, so it looks like that will happen.

What other measures are on the table?
One big question people are asking after the Optus breach is why the telco has been holding onto the data of former customers. So it looks like there will be changes to the Privacy Act so companies can’t hold on to data unless it’s explicitly required by the government for some reason.

Such as…
It would mostly have to do with counterterrorism. Governments don’t want criminals to be able to get burner phones and leave no trace – which is why telecommunications laws require companies to hang on to the information used to identify people while their account is active and for 2 years afterwards.

Still, why was Optus holding on to so much data for so long?
Well, the cyber experts are still flummoxed as to why… But they also agree the laws could be a lot clearer. Data retention laws in Oz require some data to be kept for 2 years and other data for 5 or 7 years – so it’s no wonder some businesses default to the position of keeping everything.

Is anything else likely to change?
The government has also flagged mandatory reporting laws – so if this happens again, any company with a suspected data breach has to notify its customers in a pretty short time frame.

Right. Wasn’t that a problem in the Optus saga?
It sure was. The government’s had some pretty cranky words for Optus this week about the fact it has taken out ads but hasn’t actually directly and personally notified customers if their Medicare or driver’s licence details were part of the breach.

So if cyberattacks are such a big thing, why are we only talking about these law changes now?
To be fair, it’s not like previous governments have done nothing. We’ve had 2 big Cyber Security Strategy documents – one in 2016 and another in 2020.

What were they about?
So in 2016, the Turnbull government invested more than $200 million in cybersecurity and it set up a new agency called the Australian Cyber Security Centre. It’s aimed at helping companies strengthen their cybersecurity and the Albanese government is really leaning on it with this Optus case.

Why’s that?
Well, the telcos actually fought against the feds imposing mandatory cyber security standards on them a couple of years ago. Minister O’Neil said she has powers to set minimum standards for a whole range of sectors – but not telcos. They had argued that they already had tougher defences and it would stifle their innovation and be a cost burden.

And that turned out well… So what’s the dollar figure on these cyberattacks in Oz?
The experts say that when you add up the attacks on businesses every day around the country – it could be costing the economy billions.

That’s a lot…
It sure is – a study from the Australian Institute of Criminology last year found around a 3rd of Aussies had experienced some form of cybercrime. They reckon that in a single year the cost to the economy was $3.5 billion – about $2 billion of that was directly lost by victims and $1.4 billion was spent on trying to prevent it.

So it’s a widespread problem?
Yep – the cyber attacks on big business and government agencies get all the media coverage, but the truth is nearly half of these are happening to small or medium-sized businesses that don’t have big IT departments to help them.

So they’re pretty vulnerable?
That’s right. The Council of Small Business is worried about how unprepared the sector is – even with the basics like being able to withstand a ransomware attack. That can happen if you click on an unknown pop-up or open emails or files from unknown sources. It can then lock up a business’s files and require a ransom payment to unlock them.

And that’s a pretty common scam?
Yep – in just 2 years from 2020 to 2022, more than double the number of businesses said they’d been targeted by a ransomware attack.

You can say that again. Alexi Boyd from the Small Business Council says more assistance is needed. She says the problem is that small business is caught up in concerns about worker shortages and paying electricity bills. Cybersecurity just isn’t a priority – until it’s too late.

So what do they need to do?
There are some real basics they need to get on top of. The Australian Cyber Security Centre has what it calls the ‘Essential 8’ – that’s 8 strategies for all businesses to help mitigate the cyber risk. It’s just that not enough people actually get around to doing it.

Hopefully the Optus saga is the wake-up call we all need…
And on that note, I’m going off to change my email password right now…

Squiz recommends:

The government’s Essential Eight checklist is a must-do to keep on top of cybersecurity for all your devices.

Two Blokes Talking Tech podcast
