Government says telecommunications giant ‘left the window open’ for unsophisticated attack that could lead to European-style privacy laws
When Amy Hunting* first heard about one of the biggest cyber attacks in Australian history, she immediately checked to see if her personal details had been compromised.
She realised that, as a customer of the country’s second largest telecommunications provider, Optus, there was a fair chance she was one of about 10 million people whose information had been hacked – but at first, there was no communication. Eventually she got an email saying she had been caught up in the breach, which exposed one in three Australians to the risk of identity theft or financial fraud.
With millions of others, she went about trying to change her driver’s licence. She even had a bar put on her own credit report, to stop anyone from trying to open a new account in her name.
“We’re really careful about our data,” she says.
“I was really frustrated. They’re a big tech company. It’s frustrating and surprising that they’re so laissez faire with their data. Also, that they took their time in informing us.”
The alleged hacker – who threatened to sell the data unless a ransom was paid – took names, birth dates, phone numbers, addresses, and passport, healthcare and driver’s licence details from Optus.
Of the 10 million people whose data was exposed, almost 3 million had crucial identity documents accessed.
Across the country, current and former customers have been rushing to change their official documents as the US Federal Bureau of Investigation joined Australia’s police, cybersecurity, and spy agencies to investigate the breach.
The Australian government is looking at overhauling privacy laws after it emerged that Optus – a subsidiary of global telecommunications firm Singtel – had kept private information for years, even after customers had cancelled their contracts.
It is also considering a European Union-style system of financial penalties for companies that fail to protect their customers.
An error-riddled message from someone claiming to be the culprit and calling themselves “Optusdata” demanded a relatively modest US$1m ransom for the data.
“We are businessmen,” Optusdata wrote in an online forum. “1.000.000$US is a lot of money and will keep to our word.”
That demand was followed by a threat to release the records of 10,000 people per day until the money was paid. A batch of 10,000 files was later published online.
As Optus and the federal government dealt with the fallout, the alleged hacker had a change of mind and offered their “deepest apology”.
“Too many eyes,” they said. “We will not sale data to anyone. We cant if we even want to: personally deleted data.”
Optus chief Kelly Bayer Rosmarin initially claimed the company had fallen prey to a sophisticated attack and said the associated IP address was “out of Europe”. She said police were “all over” the apparent release of information and told ABC radio that the security breach was “not as being portrayed”.
Experts have said Optus had an application programming interface (API) exposed on the internet that required neither authentication (proof of who the caller was) nor authorisation (a check that the caller was entitled to the record being requested) before returning customer data. “Any user could have requested any other user’s information,” Corey J Ball, senior manager of cyber security consulting for Moss Adams, said.
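To make the pattern the experts describe concrete, here is an added example in Python. It is not Optus’s code and not a reconstruction of its API: it assumes a customer-lookup endpoint keyed by sequential numeric IDs, a session-token login, and an access log in a simple constructed format, all invented for illustration. It shows the vulnerable handler beside a hardened one that authenticates the caller and then enforces an object-level check, plus the kind of log check that would have flagged a client walking the ID space.

```python
"""Added example, not Optus's code: an unauthenticated customer-lookup API
beside a hardened version, plus a simple enumeration detector.
All records, IDs, tokens and log lines below are constructed."""
from __future__ import annotations

import hmac
import re
import secrets
from collections import defaultdict
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    dob: str
    passport: str


# Constructed stand-in for a customer database (sequential IDs are an assumption).
CUSTOMERS = {
    1001: Customer(1001, "Alice Example", "1980-01-02", "PA1234567"),
    1002: Customer(1002, "Bob Example", "1975-03-04", "PB7654321"),
    1003: Customer(1003, "Carol Example", "1990-05-06", "PC1112223"),
}


# --- Vulnerable pattern: the handler trusts the ID in the request and nothing else.
def get_customer_vulnerable(customer_id: int) -> dict | None:
    rec = CUSTOMERS.get(customer_id)
    return asdict(rec) if rec else None


def enumerate_vulnerable(start: int, end: int) -> list[dict]:
    """Attacker's view: with no auth at all, walking the ID space dumps every record."""
    found = []
    for cid in range(start, end + 1):
        rec = get_customer_vulnerable(cid)
        if rec:
            found.append(rec)
    return found


# --- Hardened pattern: authenticate the caller, then authorise the object.
class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


SESSIONS: dict[str, int] = {}  # session token -> customer_id (login flow assumed)


def login(customer_id: int) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def _caller_for(token: str) -> int:
    # Constant-time comparison so token validity is not leaked through timing.
    for stored, cid in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return cid
    raise Unauthenticated("no valid session")


def get_customer_hardened(token: str, customer_id: int) -> dict:
    caller = _caller_for(token)
    # Object-level check *before* the lookup: a foreign ID reveals nothing,
    # not even whether that record exists.
    if caller != customer_id:
        raise Forbidden("not your record")
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        raise KeyError(customer_id)
    return asdict(rec)


def outcome(token: str, customer_id: int) -> str:
    """Collapse the hardened endpoint's result into a label for easy checking."""
    try:
        get_customer_hardened(token, customer_id)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


# --- Detection: one client requesting many distinct customer IDs is enumeration.
LOG_LINE = re.compile(r"^(?P<ip>\S+) GET /api/customers/(?P<cid>\d+)")

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    "198.51.100.4 GET /api/customers/1001 200",
    "203.0.113.9 GET /api/customers/1001 200",
    "203.0.113.9 GET /api/customers/1002 200",
    "203.0.113.9 GET /api/customers/1003 200",
    "203.0.113.9 GET /api/customers/1004 404",
    "198.51.100.4 GET /api/customers/1001 200",
]


def flag_enumeration(lines: list[str], threshold: int) -> set[str]:
    """Return client IPs that requested more than `threshold` distinct customer IDs."""
    seen: dict[str, set[int]] = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            seen[m["ip"]].add(int(m["cid"]))
    return {ip for ip, ids in seen.items() if len(ids) > threshold}
```

The two checks in the hardened handler are distinct controls: the session lookup answers “who is calling?”, and the ownership comparison answers “may this caller see this record?”. Either one missing reproduces the problem the experts describe, and the detector only helps if the access log actually records the requested ID and the requesting client.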
Rachael Falk, chief executive of the Cyber Security Cooperative Research Centre, said while much was still unknown about the attack “sometimes even amateurs get lucky”.
“There are outstanding hackers, often nation states who are really, really good at this and, invariably, it doesn’t take much to find a weakness, a vulnerability, a soft spot,” she said.
“[Or] they can literally be a person in a basement, a person who likes to tinker on the side.”
The cyber security minister, Clare O’Neil, has questioned why Optus had held on to that much personal information for so long.
She also scoffed at the idea the hack was sophisticated.
“What is of concern for us is how what is quite a basic hack was undertaken on Optus,” she told the ABC. “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”
Asked about Bayer Rosmarin’s comments that the attack was sophisticated, O’Neil said: “Well, it wasn’t.”
On Friday, prime minister Anthony Albanese said what had happened was “unacceptable”. He said Optus had agreed to pay for replacement passports for those affected.
“Australian companies should do everything they can to protect your data,” Albanese said.
“That’s why we’re also reviewing the Privacy Act – and we’re committed to making privacy laws stronger.”
The Australian Information Commissioner is also investigating. Commissioner Angelene Falk said companies “must take reasonable steps to destroy or de-identify the personal information they hold”.
“Collecting and storing unnecessary information breaches privacy and creates risk,” she said.
Australia currently has a $2.2m limit on corporate penalties under the Privacy Act, and there are calls for harsher penalties to encourage companies to do everything they can to protect consumers.
In the EU, the General Data Protection Regulation exposes companies to fines of up to 4% of their global annual turnover. Optus’s revenue last financial year was more than $7bn.
On Friday, the Australian federal police announced a special operation to protect the identity of the 10,000 victims whose details were already published online.
AFP assistant commissioner Justine Gough said the operation would “supercharge” their protection against identity crime and financial fraud.
In its recently published annual report, Optus’s parent company, Singtel, touted its ability to protect against data theft and cyber attacks.
“We value the privacy of our customer data stored within our networks and systems as they may be harmed if their data is compromised or misused,” Singtel said.
“We have in place appropriate safeguards and controls to ensure the security and protection of our customer data.”
*Names have been changed.