News

|

National Security

Scramble to save millions

September 28, 2022

Ben Packham and David Swan
The Australian
Wednesday 28 September 2022

Nearly 10 million Australians remain in the dark over the security of their personal information as Optus, the banks and state and federal governments scramble to protect victims of the telco’s massive data breach from a wave of identity theft and online scams.

The Australian can reveal Optus resisted multiple federal government efforts to tighten ­cyber-security obligations for big companies before 9.8 million of its customers’ details were stolen last week, complaining new data laws would impose unnecessary costs on its operations.

As an individual claiming to be the Optus hacker apologised and declared the stolen information had been deleted, the federal government was preparing to launch a major review of the nation’s ­cybersecurity legislation.

The NSW, Queensland and Victoria governments offered low- or no-cost licence replacement for those affected by the Optus cyber attack, to prevent their identities being stolen.

Foreign Minister Penny Wong said the government would consider waiving fees for those who wanted to replace their passports because of the Optus hack.

Banks will also receive details of customers whose information has been compromised in coming days under federal government measures to prevent their ­accounts being hijacked.

Attorney-General Mark Dreyfus revealed on Tuesday that the US Federal Bureau of Investigations was among the international agencies helping Australian authorities to investigate the massive data breach.

The purported hacker claimed he or she had abandoned a $US1m ransom demand, saying there were “too many eyes” examining the theft. “We will not sale [sic] data to anyone. We cant (sic) if we even want to: personally deleted data from drive (only copy),” the alleged hacker said on online discussion forum BreachForums.

The hacker claimed to have ­released the data of 10,000 Optus customers, but then said they had deleted the data. Cybersecurity experts expressed scepticism over the claimed backdown, with one suggesting that the telco’s parent company Singtel had quietly paid the ransom demand without telling its Australian subsidiary. Optus denied the claim.

Other cyber experts said the hacker could have already sold the data or be sitting on it to sell later.

The development came amid growing pressure on Optus, with sources saying the number of the telco’s customers with extensive records stolen was more than the 2.8 million it originally disclosed.

Law-enforcement sources said they were continuing to investigate the data theft.

Mr Dreyfus suggested negligence by the telco, declaring Australians’ data should never have been exposed in such a way. “We know that millions of Australians have been impacted by the Optus data breach, and it is a data breach which should never have happened,” he told parliament.

He said the government was alarmed to discover that Optus customers’ Medicare details had also been exposed in the breach, which the telco failed to disclose.

Mr Dreyfus said the Australian Federal Police was devoting “huge effort” to investigating the breach with the support of other agencies and the FBI. His comments followed those of Home Affairs Minister Clare O’Neil on the ABC’s 7.30, declaring the breach was not a sophisticated cyberattack.

“We should not have a ­telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen,“ Ms O’Neil said.

Optus chief executive Kelly Bayer Rosmarin defended the company’s actions, saying: “We are not the villains. It’s clearly not as simple as has been ­written in the press, but what I can say is our customer data is encrypted and there are multiple levels of security.”

The NSW government has issued instructions for customers to apply for a replacement driver’s licence, with Customer Service Minister Victor Dominello saying Optus will notify customers in coming days if their licence number was stolen in the hack.

To apply, residents with a digital driver’s licence should head to the Service NSW app to be immediately issued an interim card number, which can be used instead of a plastic licence card.

Transport and Roads Queensland will replace licences free of charge to its residents impacted by the hack.

Victorians affected will be eligible for a new driver’s licence, with Optus expected to reimburse the cost.

In evidence to the parliamentary joint committee on intelligence and security last year, Optus pushed back against proposed laws to strengthen protection of critical infrastructure, saying they would add to “high commercial stresses on the communications industry”.

The telco said the security objectives of the proposed legislation “should be balanced against the financial and administrative burden on the regulated entities which own and operate critical infrastructure”.

In its response to the 2020 Cyber Security Strategy review, the telco also resisted legislated penalties for cyber failures.

Former committee chairman James Paterson said Optus was “one of the loudest stakeholders complaining about the regulatory burden” of critical infrastructure changes last year that placed additional responsibilities on telcos to protect their networks.

“The committee and the government rightly ignored their pleading for special treatment and ensured they were subject to robust cyber security obligations,” Senator Paterson said.

Senator Paterson’s successor as chairman, Labor’s Peter Khalil, said the Coalition had “failed to turn on any cyber-security obligations for the telecommunication sector”. He said Labor switched on the cyber-security obligations under telecommunications laws in July “because we saw this massive gap”. He said the Albanese government would undertake an immediate review of cybersecurity laws.

The Australian Strategic Policy Institute’s Fergus Hanson said the likely perpetrator of the data breach appeared to be a “rank amateur” who “freaked out” after realising they were over their head. CyberCX chief strategy officer Alastair MacGibbon, a former Australian Cyber Security Centre head, said Ms O’Neil was “100 per cent correct” when she said the breach was unsophisticated.

Recent News

All Posts