Optus cyber attack "largest ever" on an Australian business

September 23, 2022

Friday 23 September 2022
Interview with Danica De Giorgio, First Edition, Sky News
Subjects: Optus cyber attack

DANICA DE GIORGIO: And for more on this breach, I'm now joined by the Shadow Minister for Cyber Security, James Paterson. Thank you very much for your time. How would you describe what has occurred here?

SENATOR JAMES PATERSON: Good morning, Danica. Well, if the media reports are to be believed that up to 9 million Optus users have been affected, then this would represent one of the largest ever and most significant cyber attacks on an Australian business in terms of the number of Australians affected and in terms of the severity of the data that has been stolen.

I'm very concerned on behalf of Optus users and the particular concern that I have is that this could lead to a mass identity theft exercise on behalf of the people who have stolen this data or who they may choose to sell it to. And so, Optus customers need to be very wary, particularly in the coming days and weeks, about any suspicious activity around their accounts. Any suspicious contact they receive via text message, email or phone, and should be really closely monitoring all their accounts and contacting their banks or Optus if they notice anything suspicious.

DE GIORGIO: It's been confirmed by Optus this morning that it took 24 hours to notify customers of this data breach. Do you believe that the telco has handled this situation appropriately?

PATERSON: Look, it remains to be seen and I'll be looking forward, when the dust settles, to a full explanation for Optus. Understandably, they're in the middle of the crisis and dealing with that at the moment. It is appropriate that they have publicly notified their users and it is appropriate that they appear to be notifying and cooperating with both regulators, law enforcement agencies and also the Australian Cyber Security Centre, who are our preeminent cyber intelligence agency in Australia for dealing with these domestic matters and will be very good at getting on top of these issues. So, I'm pleased that they've done that.

But I think there are some questions for Optus to answer. Firstly, how did this happen? When do they make a decision to notify their users? And why is it that the media is widely reporting the number of users affected but Optus has still not yet confirmed the number of users affected? They are the holder of that information and if they know it, they should tell their users and be upfront and public about it straight away.

DE GIORGIO: We're talking about Optus here. But given the situation, are other telecommunication companies at risk as well?

PATERSON: Well, the truth is there are criminal ransomware gangs and other malign cyber actors who are constantly seeking vulnerabilities, constantly seeking opportunities, constantly testing and probing. Anyone really who holds a large amount of data, whether that's a telecommunications organisation or a bank or anyone else. It's one of the reasons why, when the Coalition was in government, we passed a series of reforms to critical infrastructure which gave the Minister for Home Affairs significant powers to impose obligations and to make requirements of companies just like Optus and other significant operators like it, to do things to protect themselves so this doesn't happen. So, there will be some questions when the dust settles as well for the government to answer whether or not they have fully utilised the critical infrastructure reforms that we passed, whether or not the Minister has promptly utilised those powers will be very important questions for them to answer.

DE GIORGIO: As you mentioned, we're talking a number of sensitive documents here, passports, driver's license, real private information. What should customers do? What should they be looking out for?

PATERSON: Yes, it is very concerning the nature of the data that at least some Optus users appear to have been exposed online, including not just home addresses and email addresses and names and date of birth, but also, as you say, personal identification numbering at least on passports, for example. What's concerning about that is that it is the building blocks for someone to take advantage of someone in a case of identity theft. They can use those things either to try and access your existing accounts, including your bank accounts, or potentially to, if they have enough information to create a new account in your name and effectively defraud you as a legal entity, as a person by spending money on your behalf, which you can't get back. So, it's very important that people are vigilant, particularly around contact they receive. You should always be sceptical about text messages that you receive.

Don't click on links in them unless you trust them. You should always be sceptical about emails you receive and any phone calls you receive. Optus will never contact you and ask you for your password. You should never give it to anyone. You might like to consider changing the passwords on some of your accounts, particularly your email address that was linked to your Optus account and potentially your password for accessing your online banking. It does appear that Optus has notified the banks of this data breach as well so that their systems can be looking for suspicious activity. But I would encourage Optus users to monitor their bank accounts and identify any unusual transactions and immediately notify your bank if there have been any, because then the bank can take steps to protect you from any further fraud.

DE GIORGIO: Some good advice. James Paterson, appreciate you joining us. Thank you very much.

PATERSON: Thanks Danica.

ENDS
