40% of Australians Have Had Personal Data Stolen in the Optus Massive Data Breach
As experts debate whether the Optus cyberattack is the worst data breach in Australia’s history, Reflectiz dives into the details, and asks, what could have been done differently?
Last month, Australia’s second-largest Telecommunications provider, Optus, suffered a data breach that was unprecedented in its size, with 10 million customers impacted by stolen personal data.
The data stolen included full names, dates of birth, home addresses, phone numbers, email addresses, and both passport numbers and driving license numbers. Undisclosed originally, Medicare numbers were also part of the breach.
The Australian federal government has warned that the 2.8 million victims who have had passport and driver’s license IDs stolen are at what they called a “significant risk” of having their identities stolen or used in instances of fraud.
Governments and Regulators Pile on the Heat
In fact, as it stands, the government appears to be putting the blame on Optus, with Reuters reporting that they believe the company “effectively left the window open” for hackers, and believe that the organization needs to be held accountable with an overhaul of its privacy rules, and larger fines as a consequence.
As well as the government, as of October 11th, two regulators have announced investigations into the Optus breach. First, the Office of the Australian Information Commissioner (OAIC) announced a deep dive into whether Optus took what it calls “reasonable steps to protect customer data and comply with privacy laws”. At the same time, the Australian Communications and Media Authority (ACMA) also made it clear that they are putting Optus under the spotlight, and investigating whether Optus could be said to have met its own industry obligations as pertains to its customers’ sensitive and personal data.
If the OAIC finds Optus to be liable, and there was indeed a preventable breach of Australian privacy law, civil penalties can be up to $2.2 Australian dollars for each broken law. This would be in addition to any class action lawsuits which are filed by individual law firms, already under consideration by firms such as Slater and Gordon, and Maurice Blackburn. According to legal experts, “compensatory damages could easily be billions of dollars.”
Even if Optus can make it through the financial, regulatory and governmental hurdles – their brand damage is likely to be immense, and at the moment, the public is not on their side. Chair of the Australian Competition and Consumer Commission, Gina Cass-Gottleib told parliament that the regulator was receiving approximately 600 calls per day from concerned Optus customers. Many of these customers are demanding payment for new passports and driver’s licenses, and will not soon forget that their most sensitive data was put at risk.
Don’t be the Next Optus: What are the Reasonable Steps for Protecting Customer Data?
What way will the wind blow for Optus in the long term? This will probably hinge on whether Optus can prove that they took what’s known as reasonable steps to safeguard their customers’ privacy, and active measures to protect their data.
At the moment, we don’t have enough information about the cause of the breach to answer this question, but at Reflectiz, we recognize the pattern of an organization that believes it is secure, when in reality, there are glaring security gaps that could expose customer information.
Optus’ Chief Executive, Kelly Bayer Rosmarin described the attack as “sophisticated”, claiming the company has very strong cybersecurity measures, and “multiple layers of protection.” However, journalists have uncovered that the hacker has revealed the data was taken from a “freely available software API.”
For ease of integration and seamless functionality, software APIs are incredibly useful for today’s businesses, who need to connect with third parties to offer their services. APIs allow applications to exchange data, automatically react to triggers, and relay communications. However, if your APIs aren’t secure, then neither is your own business. While you might have dozens of security tools working to protect your own environment, what about these third parties?
Reflectiz offers robust security enforcement so that the actions taken by third party assets are under your control, and you can easily spot weak authentication, misconfigurations, and data leakage or exposure, even when it doesn’t originate from your own network. You can set a defensive baseline according to your business context, and when any action deviates from that norm, you can block the behavior, and you’ll be immediately alerted to the risk.
With a platform like Reflectiz, you’re taking actionable steps to ensure consumer privacy and safeguard data, not only on the server side, but also on the client side, ensuring that you’re doing everything that you can to proactively and holistically protect users from any risk.
Intrigued? Let us show you how it works in more detail. Schedule a demo.