
How Optus was hacked by someone acting like a 'kid in a garage'

October 1, 2022

Nick Bonyhady

The Sydney Morning Herald

Saturday 1 October 2022

Nine years ago, the US retailer Target suffered a data breach. First the company announced credit card information had been taken from 40 million people. Then it said 70 million had personal information stolen. Then it clarified the two were separate but overlapping, taking the likely total towards 100 million.

Relative to the national population, the Target breach was about the same size as the Optus hack that has gripped Australia's attention since it was revealed at 2pm on the public holiday called to mourn the Queen last Thursday.

Target's chief executive, Gregg Steinhafel, whose business has no connection to the Australian retailer of the same name, clung on for months. He apologised to customers. He said he would "get to the bottom" of the hack. He authorised a 10 per cent store-wide discount to try to regain goodwill. But five months later, after congressional hearings and revelations of disastrous cybersecurity at Target, Steinhafel resigned. Now, all eyes are on Optus chief executive Kelly Bayer Rosmarin, who has vowed to stay on and lead the company's response, to see if she will do the same.

She got off to a good start. On Wednesday last week, someone at Optus noticed something was not right. The concern travelled up to the chief information officer, Mark Potter, who called Bayer Rosmarin. "At that stage [Potter] did not understand the extent of it, just that we were sure something had occurred," Bayer Rosmarin later told a press conference. "It was only late that night that we were able to determine that it was of a significant scope. I think that was sort of a late-night call."

By Thursday the company had alerted the press, albeit after The Australian newspaper had published a story disclosing a breach. The names, addresses and contact details of about 9.8 million people had all been exposed. Almost 3 million customers' passport and license numbers too. A perfect toolkit for cybercriminals to impersonate Australians and lift bank balances. Bayer Rosmarin fronted the press the next day, earning plaudits for showing she understood the emotional gravity of the breach. "I'm very sorry, and apologetic," she said. "It should not have happened."

But it did happen, Bayer Rosmarin said, because it was "a sophisticated attack. And we will not be releasing further details at this stage." The company's justification was that the Australian Federal Police were investigating.

Meanwhile, the federal government was quiet. Home Affairs Minister Clare O'Neil, who is also cybersecurity minister, was tweeting about the AFL and NRL finals. It irked her opposite number, Liberal cybersecurity spokesman James Paterson, who shot back that she should be telling Australians what the government was doing about the breach.

Over the weekend the story grew. Researchers who monitor the shadier parts of the internet found a forum user called "Optusdata", with a default profile picture of an anime woman, claiming to have data from Optus on more than 10 million Australians and personal identity document numbers from about 4 million. They wanted a $US1 million ($1.54 million) ransom in a cryptocurrency called Monero in seven days, or else the cache would be sold to cyber criminals for $US300,000. They posted a sample of 200 customer records to substantiate their claims.
