Optus chief executive Kelly Bayer Rosmarin announced last week that users of the company’s services dating back to 2017 should exercise ‘heightened vigilance’ to protect their identities, after ‘sophisticated criminals’ whose motives are unknown breached the company’s security systems to potential access the personal data of millions of Australians.
The Optus data breach is now being investigated by the Australian Federal Police, and around 10 million affected users anxiously await further advice on the extent of the breach, what the company is doing to help those affected and what they should be doing to ensure they do not fall victim to identity theft.
What was accessed?
According to Optus, the data breach includes personal information including emails, dates of birth, full names, mobile numbers and drivers’ licence numbers.
In a statement to media, the company said “no passwords or financial details have been compromised,” and that customers who are the most seriously are being contacted by telephone, for assistance in ensuring they do not have their identities stolen and used for nefarious purposes.
The company says it will not be sending emails or SMS messages, so customers should not click on links purporting to originate from Optus.
In the meantime, customers have been strongly advised to change their passwords and watch their bank accounts for any anomalous transactions – but rumours are circulating that the information is already being sold on the dark web.
And many believe this is too little, too late and the company should be made at least partially accountable for the inevitable stress, anxiety and partial lost caused by systems which have proven to be inadequate in protecting personal information.
How serious is the breach?
The AFP has said it’s difficult to know whether the claims of data being sold are real or bogus, because there has already reportedly been one attempt at extortion with an anonymous account claiming to have the data which would be returned if $1 million in cryptocurrency was paid by the company within one week.
The AFP has said it is monitoring the situation closely, and also that “It is an offence to buy stolen credentials. Those who do face a penalty of up to 10 years’ imprisonment,” but this is cold comfort for Optus customers who are facing the very real threat of identity theft.
And the problem for customers is, at this stage there are still more questions than answers.
Large corporations such as Optus require a range of personal information when setting up a telecommunications account – customers have no choice but to hand this information over. They then trust that this data will be kept secure and confidential, and have little recourse when hackers launch a successful cyber attack and it’s compromised.
It’s difficult to know why hackers do what they do – certainly there are financial gains to be made from selling personal data. But there are other reasons too – some do it just for the thrill, others do it because they’re disgruntled.
Irrespective, it’s incredibly stressful for those affected – the digital world is vast – and it’s impossible to know if one can fully protect themselves from a data breach, or completely retrieve information once it has been leaked – this leaves victims feeling vulnerable forever more. Identity theft ruins lives and can take years to recover from.
And a situation as serious as this highlights just how current laws which regulate how data is managed by corporations and government organisations fail to fully protect consumers.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 which came into force in 2018, ensures that eligible businesses must notify the Australian Government via the Office of the Australian Information Commissioner (OAIC) if a serious data breach has occured.
The laws apply to all businesses, government agencies, and non-profit organisations with an annual turnover of more than $3 million, as well as health service providers, credit reporting bodies, and any entity which receives and handles tax file numbers.
Failure to comply can result in fines of up to $1.7 million for companies, which many might argue is a simply a ‘slap on the wrist’ for large corporations such as Optus.
Draft legislation currently being considered by the Federal Government – the draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 proposes higher penalties for organisations, amongst other tweaks to the law, but the problem remains the same – beyond reporting, a company’s obligations to customers do not extend much further when a data breach has occurred, and the onus remains on individuals to keep themselves protected.
What about the Privacy Act?
Under the Privacy Act 1988 (Cth), individuals do have the right to make complaints to the Privacy Commissioner if they believe that their privacy has been breached by an organisation.
The Privacy Commissioner will then investigate the matter and if the Privacy Commissioner concludes there has been a privacy breach, the Commissioner has the power to make a determination that certain remedies be provided to the individual whose privacy has been breached, including requiring the organisation to pay compensation to the individual whose privacy has been breached, although typically these payments are relatively small.
The Privacy Commissioner also has the option to apply to the Federal Court or Federal Circuit Court for an order requiring an entity to pay a fine for certain privacy breaches or breaches of the credit reporting provisions under the Act.
While this process has been dubbed ‘cumbersome’, ‘frustrating’ and ‘time consuming’, individuals can of course take action through a private civil suit, although this too, can be an expensive way to seek compensation.
In 2020, a successful class action was taken against NSW Health Administration Corporation by employees who suffered a data breach when their work compensation records were harvested by a contractor and sold to a third party.
Class action suits may well become more common in future as cyber-crimes continue to rise.