Australia’s seismic telecom breaches
The big data security story in the news these last few weeks is the hack of Optus, Australia’s second largest telecom firm. One unusual twist to the standard plot is the alleged hacker retracting their ransom demands and offering an actual apology for the incident. You don’t often see that. Perhaps the situation got too hot, since they deleted their posts and claimed to have deleted the only copy of the Optus data. Regardless, it was a case of too little, too late, as around 10 million Optus customers had their data exposed, including drivers’ licenses, passport numbers and home addresses.
In the weeks that have followed the initial reporting, the uproar has been ubiquitous. The Australian government quickly demanded answers, as well as payment for replacing the compromised passports. Prime Minister Anthony Albanese has asserted the unfairness of making taxpayers pay for the company’s mistakes.
Optus claimed the breach was the result of a sophisticated, multi-layered attack, while local reporting asserted rather that an online API (application programming interface) was just sitting there, out on the open internet, with no authentication or authorization required to access the data. Optus also announced that it had commissioned Deloitte to conduct an external investigation, in conjunction with offering a year’s worth of free credit monitoring with Equifax (cough cough) for all affected customers. More recently, it was revealed that customers’ Medicare numbers were also compromised.
Nor did it end there. Optus, as Australia’s second largest telecom, was shortly joined in the data breach quagmire by the largest in the nation, Telstra, which announced that a third party had been breached, exposing limited amounts of Telstra employee data. Though the incident was not a breach of Telstra’s own systems, thousands of staff members still had their data uploaded to the dark web. Compared to the Optus breach, this one might seem to take second place, but the speed with which attackers seized the opportunity in the wake of the larger breach is noteworthy.
Australian regulators have moved rapidly and have already announced new privacy rule changes to implement stronger safeguards for government-issued identification documents.
When an organization leaves its valuable data unprotected, exposed to the elements of cybercrime, the result is, unfortunately, inevitable. The worst part is that it ultimately affects you, the individual who has put their faith in the company. Even with all the federal and state compliance regulations that have been (and will keep being) passed for the foreseeable future, these “mistakes” keep happening. Perhaps it’s time to increase the fines imposed on companies that disregard the need to secure your data.