In recent months, Australians have had two nasty reminders of the potential downside of life in the digital age – the cyber attacks on Optus, the nation’s second-largest telecommunications provider, and on Medibank Private, its largest private health insurer.
In each case, vast quantities of personal information were accessed by cyber criminals. The risk is that the information obtained could be used to commit fraud, either by the hackers themselves or by someone they on-sell to.
The Optus attack in September exposed private data on up to 9.8 million current and former Optus customers. That data included customer names, dates of birth, phone numbers, email addresses, and, “for a subset of customers, addresses, ID document numbers such as drivers licence or passport numbers.”
Soon after the attack, data on 10,000 people was posted online and a ransom was demanded from Optus threatening further data releases. However, almost immediately the alleged attackers thought better of it. The post was taken down and the ransom demand withdrawn. The attackers also claimed that they had deleted all their Optus files. The reason they gave? “Too many eyes. We will not sale [sic] data to anyone.”
The Australian Federal Police (AFP) in conjunction with state and territory police established ‘Operation Guardian’ to “supercharge the protection” of the unlucky 10,000 whose data had been briefly posted online. That was done as part of the new AFP-led Joint Policing Cybercrime Coordination Center set up in March “in response to the escalating threat and prevalence of cybercrime”.
At the same time, the government announced new regulations “to allow Optus and other telcos to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents”.
So far there’s little evidence of the Optus data being used for financial gain. However, that’s small comfort to the Optus customers who had at least one number from a current and valid form of ID accessed.
The biggest loser is undoubtedly Optus itself. While it’s going to great lengths to provide support to customers affected, it has inevitably suffered major reputational damage.
And some of the comments from the government haven’t helped. Optus described the attack on it as “sophisticated”, but the government called it “basic”. Home Affairs Minister Clare O’Neil told the ABC that “we should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen”.
According to the recent EFTM Mobile Phone Survey of more than 2,000 people, 56% of current Optus customers answered “yes” when asked if they were “considering changing telcos as a direct result of the Optus Cyber Attack”, and 10% say they’ve already left. Optus has not confirmed these numbers, but it has admitted to increased customer churn and a reduction in new customers.
Optus has also allocated AU$140 million for expenses incurred in handling the data breach. And that doesn’t include the cost of defending any class actions that eventuate from the incident, or any resulting compensation payments. So far, two major class action law firms have indicated that they are investigating possible claims.
Optus executives might almost have been relieved when, less than a month after their incident, Medibank announced that it too had become the victim of a major cyber attack. Again, the attack involved the personal information of nearly 10 million of the target’s current and former customers.
It appears that someone stole the login details of a (presumably high-level) Medibank staff member and then sold them to a group of Russian cyber criminals which used them to access customer data. That group wants US$10 million ransom, and to incentivise Medibank’s cooperation it is engaging in a staged release of confidential information.
To date, the information released has concerned Medibank customers with medical issues involving drugs, alcohol, abortion, and mental health. Medibank insists that it will not pay any ransom.
Home Affairs Minister O’Neil calls the cyber criminals “Russian thugs” and “scumbags”, and is promising to bring them to justice. That would seem difficult, but O’Neil suggests otherwise.
The AFP is working on the case with various international agencies including Interpol and enforcement groups in Australia’s Five Eyes partners. It claims to have detailed intelligence on the offenders. In the words of AFP Commissioner Reece Kershaw, “We know who you are”.
As in the case of Optus, the one certainty is that Medibank will suffer, both reputationally and financially. Like Optus, it will incur significant expenses in managing the crisis, including in providing a range of support services to its customers.
And, again like Optus, the class action lawyers are already circling. At best, Medibank will be up for large legal costs, at worst major compensation payments.
Faced with back-to-back cyber attacks in less than a month affecting half the country, the government has acted quickly. It has announced a new task force between the AFP and the Australian Signals Directorate (an intelligence agency located within the Defence Department). Around 100 officers from these two organisations – “the very best, smartest, toughest people in cyber-security in this country” – have formed a ‘Joint Standing Operation’ to combat cyber criminal syndicates.
But it’s not just the hackers that the government is targeting. The government has also announced that it will introduce much tougher penalties for serious data breaches. In the words of the Attorney General, Mark Dreyfus, “We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour”.
The maximum penalty for serious or repeated privacy breaches will be increased from the current $2.2 million to the greater of $50 million, three times the value of any benefit obtained from the misuse of information, and 30% of a company’s adjusted turnover in the relevant period.
Ouch.
These are dangerous times for any company in Australia that handles the personal information of customers and isn’t completely confident about the robustness of its cyber defences. It’s now an urgent priority for any such company to get its digital house in order.
And that may not be easy. If there wasn’t already a shortage of cyber security experts in Australia in September, there certainly is now.
Ross Stitt is a freelance writer with a PhD in political science. He is a New Zealander based in Sydney. His articles are part of our 'Understanding Australia' series.
The fact that millions of people have had their personal details compromised (again) is a huge tragedy, but the real issue here is that we never learn. No matter how often this happens, the push towards massive centralised databases of sensitive information continues unabated.
Kind of like saying we should get rid of all networked computers because people sometimes abuse the internet.
If these companies secured their data correctly, they wouldn't have had problems. Data breaches are far more common in small companies because they don't have the resources to employ security experts. You just don't read about them because the impacts are less, but not for those whose data was breached.
Kind of like saying we should get rid of all networked computers because people sometimes abuse the internet.
No it's not. Networked computers are fine, provided everyone's information is stored on their own computer and not in some centralised database. This is the problem which blockchain was supposed to solve. It's centralisation which is the problem, not networking.
Computers fail or are stolen, houses burn down with all electronic devices destroyed, earthquakes happen with the same. Are you suggesting everyone has their identity on their home computer/USB drive and it exists nowhere else?
Maybe ask all those people who had bought a few hundred bitcoin as a joke, stored it on their personal drives and then lost them, how that worked out.
Generally security requires two-way authentication. If one party can't verify the identity of the user on the other end of the network via some sort of shared identity values, they don't trust them. Passwords might not be the best mechanism, but until everyone adopts in-home biometrics, it's probably the best we have. Other identifying information is usually required for identity challenges and for having the ability to contact your customers.
It's a bit like home security isn't it?
Do you spend big $ on the gold plated security solution for your home?
Or do you spend medium $ on the basic security solution and hope that it's enough to deter the burglars and they'll just go looking for a home with no security?
Take that sales pitch to your shareholders and see what they decide.