September 23, 2022
PATRICIA KARVELAS: James Paterson is the Shadow Minister for Cyber Security and our guest this morning. James Paterson, welcome.
SENATOR JAMES PATERSON: Good morning, Patricia.
KARVELAS: Our intelligence agencies are working with Optus to work out who's behind this attack. Is there any likely source for this cyber breach?
PATERSON: Patricia, I do not want to wildly speculate about who it is, but there are a range of actors who are interested in data like this, which range the full spectrum from state-based actors to more criminally motivated gangs. Typically, when there are personal details harvested on a very significant scale it is most often people who have a criminal or economic motivation in doing so. But I'll wait and see what our intelligence agencies and Optus have to say when they get further into their investigations.
KARVELAS: Okay. How will we work out if it was a foreign actor that is responsible or a criminal network?
PATERSON: That's a great question, Patricia. It's part art and part science. There are some indicators of the way in which people enter into a network, seek to breach a network, which are tell-tale signs of particular actors. And sometimes it's possible to reverse engineer the pathway that they got into a network. But in other times, if you're dealing with a really sophisticated adversary, they're very effective at masking their entry. Other times, they out themselves. Ransomware gangs often say, we have conducted a ransomware attack and you have to pay money to us in this account. Or they say, if you don't give us money, we're going to sell these details on the dark web.
KARVELAS: Ten million people could have had their personal data breached. How does that compare to other cyber attacks here in Australia?
PATERSON: It would be the most significant breach of Australians’ user data in any recent cyber attack. There's certainly been other Australian based companies that have been attacked, but none who hold so much personal detail of Australian users. And it is the nature of the information which appears to have been stolen which is particularly concerning. It's personally identifiable, identifying information like people's names, their phone numbers, their email addresses, their home addresses and in some cases even identification document numbers like passport numbers. And the worrying thing about that is that that is the building blocks for engaging in identity theft, and it could be used to victimise those people to further crimes.
KARVELAS: How serious is it? And have you requested a briefing from the government about it?
PATERSON: It's very serious, and I'll be writing to the government today to seek a briefing from them, because it's important that the Opposition is able to make a contribution to this discussion in an informed way. And because I'm interested to understand both how Optus has handled this, but also how the government has handled this. I've got no doubt that the professional people working at the Cyber Security Centre and the Signals Directorate are doing everything they can to assist Optus. But I do have questions about what steps the government took and when. Under the critical infrastructure reforms which we passed when we were in office, it gives the Home Affairs Minister very significant powers to require systemically important businesses like Optus to properly invest and protect themselves against cyber attacks. And I don't know what has happened and what powers have been exercised.
KARVELAS: The Optus CEO has apologised and described the breach as absolutely devastating. What is your assessment with the amount of information we have? Could this have been avoided?
PATERSON: I don't want to victimise Optus too much. It may be that they have been done over by a very sophisticated operator, but it is the obligation of all businesses, particularly those who hold large amounts of information to adequately invest to protect themselves against these attacks. There are people out there constantly probing businesses like Optus and others looking for weaknesses and chinks in the armour which allow them to get in. And it will be important to understand how this access occurred and who the attacker was, to understand whether Optus' preparations were adequate. But ultimately, we have to get to a situation where Australians can trust their service providers to adequately protect their information and to prevent them from becoming victims of mass identity theft.
KARVELAS: Optus spokesperson Andrew Sheridan told 2GB radio that they knew about the cyber breach on Wednesday, but we only heard about it yesterday, James Paterson. Is there any excuse for keeping this information quiet for a day?
PATERSON: I'll be very interested to see the detailed timeline of events when it is available, because it is important that companies are upfront and public when these things happen, that they inform their users. Because sometimes the most important thing we can do to protect ourselves is at the individual level. Users can change their passwords. They can start to monitor for suspicious activity on their accounts. But if they are not informed, then they don't have the opportunity to do that. So, it will be important to understand the chain of events at Optus, including when they chose to inform the regulators, law enforcement bodies and our cyber intelligence operatives.
KARVELAS: Yeah, but on face value and as you say, you want to know about the timeline. I understand you're trying to collect the information, but we know based on their own admission that they knew on Wednesday. But we found out yesterday. We know companies work very much on public relations, as do governments and how to share information. Is it appropriate when it's that many Australians and their private data?
PATERSON: Well, it will depend on what time the attack occurred on Wednesday and when it was identified. But I would say, generally speaking, that within 24 hours is good practice. There have certainly been other instances where companies have sat on this information for much longer than 24 hours and that is not adequate. So subject to seeing the full timeline, I think 24 hours of disclosure is a reasonable starting point.
KARVELAS: And so what's next in your view? Obviously, there are many people right now listening to this show who are Optus customers, either currently or formerly and are probably very worried about what situation this puts them in. What can the government and the company do to assuage those concerns?
PATERSON: Well, those users are absolutely right to be concerned and the best thing that they can do is things they can do themselves. So firstly, they need to really closely monitor their accounts. If there's any suspicious activity, particularly on any of their bank accounts, they should immediately contact their bank and notify them that because they can then take steps to protect them. They also need to really be very diligent about any incoming communications that is suspicious in nature. Any text messages or emails that they might receive or even phone calls they might receive, which will try to get them to click on a suspicious link or try to get them to hand over further information such as the passwords. Don't trust any suspicious communications. And then finally, you might want to consider changing their passwords on potentially affected accounts, particularly the email address that was associated with the account or even the banking password if necessary.
KARVELAS: Thank you so much for joining us this morning.
PATERSON: Thanks, Patricia.
ENDS