“We are deeply sorry,” read the full-page notices in all the major Australian newspapers this weekend. The sender was telecom company Optus, apologizing for a data breach that exposed the privacy-sensitive information of 9.8 million customers. It has been called the largest data breach in Australian history.
The drama started over a week ago. Australia’s second-largest telecom company noticed suspicious activity on its network and warned customers that data such as names, dates of birth, addresses, email addresses and telephone numbers of current and former customers had been stolen. Nearly three million people are especially vulnerable to identity theft because their driver’s license and passport numbers were also leaked.
A few days later, the data of ten thousand customers was put up for sale on the ‘dark web’. A self-proclaimed hacker demanded a $1 million ransom. Not long after, the hacker changed his mind and apologized. The data was taken down again, but the damage is done: the data has been copied and is still circulating on the web. Last Friday, Australian police announced a special operation to protect victims. The FBI is also involved.
Deficient information
Nearly 40 percent of the Australian population may be victims of the data breach, and it has caused enormous chaos. Support so far has been flawed and uncoordinated, leaving victims feeling left to their own devices. More than a week after the news broke, far from all affected customers have been informed. “I had to read in the newspaper that there was a data breach. And I still haven’t heard from Optus,” said Charo Devery (69). For days she has been trying to change all her passwords and to get her driver’s license number replaced.
Devery is an entrepreneur and calls herself ‘tech savvy’. But that doesn’t apply to all duped customers. “I have friends who call me in panic because they don’t know what to do. I try to help them, but it is very time consuming,” she says.
There is much speculation about how this could have happened and who is behind it. The company and the police have not yet confirmed anything. Soon after the first reports of the leak, CEO Kelly Bayer Rosmarin publicly ate humble pie and apologized in an emotional press conference. “This was an advanced attack. I can’t say more than that, except that we are very sorry,” she said.
Poorly secured
But there is growing evidence that the data was poorly secured. It seems that the company left its digital back door wide open. The cause is believed to be a vulnerable API (Application Programming Interface), an interface used to exchange data between systems, which provided access to the records of millions of Australians.
Claire O’Neil, cybersecurity minister, has lashed out at the telecom company. “This was not an advanced attack. I am very concerned that a fairly simple hack was possible at a major telecom provider in our country,” she told the Australian public broadcaster ABC.
Cyber security experts agree. “If the hacker got the information through an unsecured API, the theft would have been very simple indeed,” says Alastair MacGibbon of security firm CyberCX to the newspaper The Age. In fact, it would be so easy to request the data that the theft is not even officially considered a hack.
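To make concrete what the experts mean by an “unsecured API”, here is an added illustrative example; it is not Optus’s code and does not claim to reproduce the actual flaw. It contrasts a customer-lookup handler that requires no credentials and uses sequential record ids (the pattern in which “requesting” data is all it takes) with a hardened handler that demands a bearer token, binds that token to the one record its holder may read, and answers 404 for both missing and foreign records. A small log check then flags any client that walks many distinct ids, which is the signature a defender would look for. All customer records, tokens, IP addresses and log lines are constructed sample values.

```python
"""Unauthenticated record lookup versus a hardened one, plus a detection check.

Added example for illustration only; not Optus's code. All data is constructed.
"""
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for a customer database.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1970-01-01", "licence": "LIC-0001"},
    1002: {"name": "B. Example", "dob": "1982-05-17", "licence": "LIC-0002"},
}

# Constructed API tokens: token -> the single customer id it may read.
TOKENS = {"tok-for-1001": 1001, "tok-for-1002": 1002}

Response = Tuple[int, Optional[dict]]


def insecure_lookup(customer_id: int) -> Response:
    """Anti-pattern: no authentication, no authorization, guessable ids.

    Anyone who can reach the endpoint can read every record in turn.
    """
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def secure_lookup(customer_id: int, headers: Dict[str, str]) -> Response:
    """Hardened: require a bearer token and enforce object-level authorization.

    Returns 401 when no valid token is presented and 404 both when the record
    does not exist and when it belongs to someone else, so the endpoint never
    confirms which ids are real.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)
    presented = auth[len("Bearer "):]
    owner: Optional[int] = None
    for known_token, cid in TOKENS.items():
        # Constant-time comparison; every token is checked so timing is uniform.
        if hmac.compare_digest(known_token, presented):
            owner = cid
    if owner is None:
        return (401, None)
    if owner != customer_id:
        return (404, None)
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# Constructed access-log lines (TEST-NET addresses) for the detection check.
ACCESS_LOG = [
    "src=203.0.113.7 path=/api/customer/1001 status=200",
    "src=203.0.113.7 path=/api/customer/1002 status=200",
    "src=203.0.113.7 path=/api/customer/1003 status=404",
    "src=203.0.113.7 path=/api/customer/1004 status=404",
    "src=198.51.100.2 path=/api/customer/1002 status=200",
]


def enumeration_suspects(log_lines: List[str], threshold: int = 3) -> List[str]:
    """Return source addresses that requested at least `threshold` distinct ids.

    A legitimate client reads its own record; a client walking many ids,
    including ones that return 404, is the enumeration pattern to alert on.
    """
    distinct_ids: Dict[str, set] = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        path = fields.get("path", "")
        if not path.startswith("/api/customer/"):
            continue
        distinct_ids.setdefault(fields["src"], set()).add(path.rsplit("/", 1)[1])
    return sorted(src for src, ids in distinct_ids.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("insecure:", insecure_lookup(1001))
    print("no token:", secure_lookup(1001, {}))
    print("wrong owner:", secure_lookup(1001, {"Authorization": "Bearer tok-for-1002"}))
    print("right owner:", secure_lookup(1001, {"Authorization": "Bearer tok-for-1001"}))
    print("suspects:", enumeration_suspects(ACCESS_LOG))
```

The two lookup functions differ only in the checks around the final dictionary read, which is the point: the data store is the same, and what separates “anyone can request it” from “only the owner can” is authentication plus per-object authorization on every request. The log check is deliberately simple so it can run over plain text; in production the same counting would be done on the API gateway’s access log with a rate limit applied before the threshold is reached.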
Reputational damage
The fact that the data was apparently up for grabs has caused enormous reputational damage for the telecom company. It doesn’t help that the ransom demand was remarkably low and may point to an amateur hacker. One million US dollars is one of the lowest amounts ever demanded in a large-scale data theft. On social media the hacker is jokingly compared to Dr. Evil from the Austin Powers films, who doesn’t realize that $1 million isn’t a lot of money these days. It is unclear why the hacker changed his mind. Optus says it has not paid a ransom.
The storm of criticism is not only aimed at the telecom company; Australia’s inadequate privacy laws and regulations are also under scrutiny. The privacy legislation dates back to 1988, and fines for companies that handle customer data carelessly are very low. “The maximum fine we can impose for violating our privacy laws is USD 2.2 million. That’s a drop in the ocean for a huge company like Optus,” said cybersecurity secretary O’Neil.
Higher fines
That is why experts believe that Australia should introduce the same regulations that have been in place in Europe for a long time. Lawyer Tony Song from the University of New South Wales calls for the introduction of the European Union’s ‘gold standard’ for data protection. “The fines should be much higher, not only for the criminals who steal the data, but also for companies that collect our data,” he says.
Secretary O’Neil admits that current legislation is inadequate. “We’re probably a decade behind,” she told ABC. More than a year ago, a new cybersecurity law was introduced, but it does not apply to telecom companies. The minister wants to change that. “At the time, the telecom companies said they were so good at cybersecurity that we didn’t have to worry. That is clearly not the case.”
Prime Minister Anthony Albanese has expressed his support for stricter regulations. “This is a huge wake up call for Australians,” said Albanese. He wants Optus to pay for new passports and driver’s licenses for duped customers. The company has already promised to do so.
Victims, such as Charo Devery, are now considering legal action against the company. In addition, Devery hopes that the government will deliver on its promise to better protect citizens. “They are making a lot of noise now, because that suits them politically. I have yet to see if it really changes anything.”
A version of this article also appeared in the newspaper of October 3, 2022