The Optus data breach is a reminder to everyone that cyber attacks can impact any organisation or individual. It is also a timely reminder that all Australian organisations need to prioritise improving their cyber security posture, put in place systems to minimise the chance of an attack occurring, and be prepared with policies and procedures to mitigate the impact if a cyber incident occurs. We outline the attack, its implications, lessons learned and what steps organisations can take to ensure they are not the subject of a similar attack.
On 22 September 2022, Optus announced that the personal information of an estimated 9.8 million customers had been exfiltrated from its systems in arguably the biggest cyber attack in Australian history. Aptly put by the Australian Prime Minister – this is a ‘huge wake-up call for the [Australian] corporate sector’.
The wake-up call referred to by the Prime Minister means that organisations in Australia need to do more than they are doing. To put this in context, there is general consensus among company directors that cyber risk is a major risk facing businesses. However, according to leading cybersecurity and incident response expert Paul Pratley from CrowdStrike, Australian companies are not well-placed to handle the sophisticated cyber attacks being perpetrated against many of our organisations. This view is consistent with a 2022 report by leading technology company Cisco, which found that 77% of Australian Chief Information Security Officers believed they were unprepared to deal with a targeted cyber attack, an increase from 56% in the previous year.
How did the Optus breach happen?
While the nature, extent and cause of the incident has not been made public, based on information known it is understood that a threat actor was able to access an Optus application programming interface (API) (a system that allows two or more applications or systems to talk to each other), which was not properly secured and did not require credentials to access it. That means that the threat actor did not need to phish, acquire or steal any Optus username or password to access the API.
Once the threat actor gained access to the API, it was able to write a code that allowed it to exfiltrate the personal information of at least 9.8 million Australian customers, all without being detected.
During an apology about the incident, Optus CEO Kelly Bayer Rosmarin stated that the data breach was the result of a sophisticated attack. That characterisation has been strongly refuted by the Cyber Security and Home Affairs Minister, Clare O’Neil, who instead has stated in the Federal Parliament and on the ABC that Optus ‘effectively left the window open for data of this nature to be stolen’. Minister O’Neil’s view is consistent with cybersecurity experts we have discussed the Optus breach with.
What type of data is impacted?
As part of approaching the media about the incident, Optus initially acknowledged that significant amounts of personal data was stolen in the attack, including names, addresses and dates of birth. For around 2.8 million impacted customers, data stolen included driver’s licence numbers or passport numbers. Inexplicably, on 27 September 2022, some six days after Optus discovered the data breach, it disclosed that some Medicare numbers were included in the attack, much to the chagrin of Minister O’Neil, who stated that Optus had not advised the government of that fact.
Under the Privacy Act 1988 (Cth), an organisation who has suffered an eligible data breach (as Optus has suffered) has a legal obligation to tell customers as soon as practicable what type of personal information has been compromised. Based on the type of data compromised, Optus customers have been warned that they could be targeted for identity theft or credit fraud – typically the type of risk that could result in serious harm to impacted individuals.
The ransom demand
Shortly after the attack was announced, users on Twitter reported that the threat actor had issued a ransom demand that Optus pay $US1 million within seven days to have the dataset deleted and avoid the data being published. While statistics vary on the number of organisations who pay ransoms after cyber attacks and it is difficult to assess because organisations do not have a legal obligation to report ransom payments, some leading experts estimate that just under 50% of companies pay.
In a classic tactic employed by cyber criminals, the threat actor threatened to release the data of 10,000 users per day if the ransom was not paid. In its demand, the threat actor referenced that Optus’ annual revenue was approximately $9 billion (Optus reported revenue of $7.8 billion for the financial year ending 31 March 2022), emphasising that ‘we are businessmen’ and promised to ‘keep…our word’.
Putting to the side the legality of and risks associated with paying a ransom, what is different about the Optus breach compared with many other cyber attacks is that usually the main leverage possessed by the threat actor is that the incident is private, and the victim organisation does not want the attack to become public. In the case of Optus, the breach is so public, and the Australian Government is already so heavily involved that the prospect of Optus paying the ransom was effectively zero.
Curiously, after releasing the data of the first 10,200 users and giving Optus a final five days to pay the US$1 million ransom, the threat actor published a further blog picked up by Twitter users, which apologised to Optus and the users whose data had been published and stated that the data had been deleted. A copy of the post is below:
While Optus and its customers should act carefully and assume that the compromised personal information is still with the threat actor, this may be (and hopefully is) a positive development in what is otherwise a disappointing and frustrating incident for all involved.
What are the implications of this cyber attack?
There are various wide-ranging implications about the Optus cyber attack.
Optus is facing significant losses
These may include the costs of:
- investigating the incident;
- upgrading the security of IT systems;
- obtaining legal advice in connection with the incident;
- compensating affected customers by providing credit monitoring and identity protection services;
- compensating affected customers who are required to change government identification cards (ie driver’s licences, passports and Medicare); and
- compensating affected customers who suffer harm as a result of the incident, which under the Privacy Act can include serious physical, psychological, emotional, financial or reputational harm.
Some analysts have estimated that incident response and compensation could cost Optus in excess of $100 million (or even up to $2 billion) in addition to the costs of and compensation payable from potential class actions and loss of customers.
In a positive development, various State governments appear to be assisting impacted individuals obtain new identification cards, with NSW setting up a helpline at ID Services NSW.
Optus may be facing an investigation by the Office of the Australian Information Commissioner (OAIC)
The Privacy Act contains 13 Australian Privacy Principles (APP) which organisations (that are not ‘small businesses’) must adhere to in relation to the collection, use, disclosure, storage and management of personal information. These include obligations to take steps that are reasonable in the circumstances to protect the personal information held from misuse and unauthorised access or disclosure (APP 11 – security of personal information).
Based on known information, it is difficult to see how Optus will avoid a finding that it has breached APP 11.1 in relation to protecting information from unauthorised access.
APP 11.2 creates a legal obligation requiring organisations to take steps that are reasonable in the circumstances to destroy or de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed, unless there is a legal obligation to retain it.
In the case of Optus, we expect there to be debate about whether Optus had a legal obligation to retain identity information about customers once an account had been opened. While Optus may have an argument that it needed to retain that information for a period of time in case it is questioned about accounts that have been opened, it is difficult to see why that data needed to be retained online and not ringfenced in an offline and inaccessible archive.
Currently, the OAIC can seek penalties of up to $2.22 million for an organisation’s ‘serious and/or repeated’ interference with privacy. While the OAIC has to date been judicious in pursuing penalties against organisations that suffer cyber attacks, given the enormity of impacted individuals in this circumstance, it may not be surprising to see the OAIC seek a monetary penalty.
Australian Privacy Commissioner Angelene Falk told ABC Radio about the Optus breach:
‘We all need to provide our data every day in order to receive goods and services. We need to be able to expect that organisations keep that data safe and when they don’t, that they will face significant penalties for failing to do so.’
Helpfully, the OAIC has created a webpage to assist impacted individuals and provide advice on the Optus data breach.
Privacy reform may be expedited
There has been much discussion about reforms to the Privacy Act. Proposed changes include expanding the definition of personal information, removing the small business and employee records exemptions, introducing a right to erasure, increasing OAIC enforcement mechanisms and introducing an individual right of action.
The major change, however, is a proposal to significantly increase the maximum penalty that can be levied under the Privacy Act from $2.22 million to the greater of
- $10 million;
- three times the benefit of the misconduct; or
- 10% of the organisation’s annual domestic turnover.
Increasing the maximum penalty for breaches of the Privacy Act to 10% of an organisation’s annual domestic turnover would have, in our opinion, the single most significant impact of any reform in respect of changing organisational behaviour around cyber risk. This is because fines of that magnitude could materially impact the financial viability or profits of organisations.
In this case, such a change would effectively empower the OAIC to pursue a penalty against Optus of up to $780 million for the incident rather than the $2.22 million it is able to under the current privacy regime.
The Australian Government is acutely aware of this issue. Minister O’Neil said the Optus cyber attack has underlined the need for much harsher penalties for organisations failing to properly protect personal data:
‘I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.’
Directors will be in the spotlight and executives’ jobs are at risk
Under the Corporations Act 2001 (Cth), directors and officers of companies are required to act with care and diligence in discharging their duties.
The Optus breach will continue to shine light on the expectations of directors and officers when it comes to cyber risk preparedness and how incidents are responded to. It will also put pressure on executives, whose jobs can be called into question after an attack occurs, as we have seen in many examples in the United States.
In this case, there have already been calls for Optus’ CEO to resign, not just because the incident occurred, but more because of how the response was handled.
There are many lessons to be learned from the Optus attack.
- The incident has shone a light on the reality that any organisation can be impacted by a cyber attack. While cyber risk cannot be reduced to zero, there are things that can be done to mitigate that risk.
- Transparency is paramount when it comes to incident response. Customers should be communicated with directly, not find out about an incident in the media.
- Getting the incident response right is critically important. This includes undertaking investigations, gathering facts and providing clear, accurate and helpful communications to all stakeholders.
- It is arguable that Optus’ incident response may not have been executed in a way that meets the expectations of the government, Optus’ customers or the community. Various things being pointed to include that:
- Optus should not have:
- told the public that the attack was sophisticated when it appears not to be;
- left many customers in the dark about whether they are impacted during a time of panic and confusion;
- required customers to contact Optus to ask what of their data was impacted; or
- required customers to proactively seek compensation for credit monitoring or to replace identification impacted by the incident, which was initially rejected.
- Optus should have:
- proactively offered credit monitoring and identity protection services immediately to those whose government identification cards were impacted, not a few days after the attack became public and only after Minister O’Neil demanded it on the floor of Parliament;
- immediately reached out to Federal and State governments about finding a way to streamline the reissuing of impacted identification cards, rather than it taking around a week to occur; and
- told customers exactly what type of data was impacted from the beginning, rather than finding out almost a week later that Medicare cards were impacted.
- Optus should not have:
- The Australian Government has flagged potentially fast-tracking new data breach notification rules to ensure better oversight of suspicious activity, such as compelling organisations to notify banks as soon as possible after becoming aware of a cyber attack.
- Demand for cyber insurance may increase, particularly with privacy reform on the horizon. Cyber insurers may face greater exposure if the predicted changes to the Privacy Act come into effect. In an already hardened market, Privacy Act reform may lead to higher premiums, lower policy limits and a more stringent screening process by insurers for prospective customers. Notwithstanding these potential changes, significantly higher potential penalties may change the risk dynamic for companies assessing whether to obtain cyber insurance, and companies that previously decided against purchasing this insurance may now reassess that decision.
What steps should an organisation take?
There are a number of immediate steps that an organisation should take to ensure that they are not the next Optus, and, if they are attacked they are able to respond in an effective manner.
Some of the steps include:
- making enquiries of internal or external IT providers about the security of the organisation’s systems (and don’t just accept that everything is secure). It is important that organisations carry out testing with IT experts to try to break their systems and identify vulnerabilities;
- properly assessing how the organisation would respond to a major data breach or cyber security incident. This includes engaging lawyers with expertise in cyber/privacy law to ensure the organisation has a robust incident response plan to deploy if it becomes the subject of a cyber attack. A good incident response plan includes identifying the group within and external to the organisation responsible for the response, understanding legal obligations, a clear communication strategy for all stakeholders (including customers or clients) and assessing the types of decisions an organisation may need to make if an incident occurs – including taking a position on issues like a ransom demand;
- analysing and considering the types of personal information it collects. This includes only collecting personal information necessary for its functions and activities and ensuring that the organisation has a data retention policy that involves the deletion or de-identification of data in accordance with regulatory obligations set out in the Privacy Act; and
- ensuring staff are properly trained to prioritise cyber risk and privacy law compliance. Probably all cyber attacks involve some element of human error.