[…]
The alleged hacker – who threatened to sell the data unless a ransom was paid – took names, birth dates, phone numbers, addresses, and passport, healthcare and drivers’ license details from Optus, the country’s second-largest telecommunications company.
Of the 10 million people whose data was exposed, almost 3 million had crucial identity documents accessed.
Across the country, current and former customers have been rushing to change their official documents as the US Federal Bureau of Investigation joined Australia’s police, cybersecurity, and spy agencies to investigate the breach.
The Australian government is looking at overhauling privacy laws after it emerged that Optus – a subsidiary of global telecommunications firm Singtel – had kept private information for years, even after customers had cancelled their contracts.
It is also considering a European Union-style system of financial penalties for companies that fail to protect their customers.
An error-riddled message from someone claiming to be the culprit and calling themselves “Optusdata” demanded a relatively modest US$1m ransom for the data.
[…]
That demand was followed by a threat to release the records of 10,000 peopleper day until the money was paid. A batch of 10,000 files was later published online.
As Optus and the federal government dealt with the fallout, the alleged hacker had a change of mind and offered their “deepest apology”.
“Too many eyes,” they said. “We will not sale data to anyone. We cant if we even want to: personally deleted data.”
Optus chief Kelly Bayer Rosmarin initially claimed the company had fallen prey to a sophisticated attack and said the associated IP address was “out of Europe”. She said police were “all over” the apparent release of information and told ABC radio that the security breach was “not as being portrayed”.’
Experts have said Optus had an application programming interface (API) online that did not need authorisation or authentication to access customer data. “Any user could have requested any other user’s information,” Corey J Ball, senior manager of cyber security consulting for Moss Adams, said.
[…]
Optus ‘left the window open’
The cyber security minister, Clare O’Neill, has questioned why Optus had held on to that much personal information for so long.
She also scoffed at the idea the hack was sophisticated.
“What is of concern for us is how what is quite a basic hack was undertaken on Optus,” she told the ABC. “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”
[…]
Asked about Rosmarin’s comments that the attack was sophisticated, O’Neill said: “Well, it wasn’t.”
On Friday, prime minister Anthony Albanese said what had happened was “unacceptable”. He said Optus had agreed to pay for replacement passports for those affected.
“Australian companies should do everything they can to protect your data,” Albanese said.
“That’s why we’re also reviewing the Privacy Act – and we’re committed to making privacy laws stronger.”
[…]
Australia currently has a $2.2m limit on corporate penalties, and there are calls for harsher penalties to encourage companies to do everything they can to protect consumers.
In the EU, the General Data Protection Regulation means companies are liable for up to 4% of the company’s revenue. Optus’s revenue last financial year was more than $7bn.
[…]
If the government has no legal incentive to tighten security and privacy, then companies won’t invest in it.
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft