Nine years ago, the US retailer Target suffered a data breach. First the company announced credit card information had been taken from 40 million people. Then it said 70 million had personal information stolen. Then it clarified the two were separate but overlapping, taking the likely total towards 100 million.
Relative to the national population, the Target breach was about the same size as the Optus hack that has gripped Australia’s attention since it was revealed at 2pm on the public holiday called to mourn the Queen last Thursday.
Target’s chief executive, Gregg Steinhafel, whose business has no connection to the Australian retailer of the same name, clung on for months. He apologised to customers. He said he would “get to the bottom” of the hack. He authorised a 10 per cent store-wide discount to try to regain goodwill. But five months later, after congressional hearings and revelations of disastrous cybersecurity at Target, Steinhafel resigned. Now, all eyes are on Optus chief executive Kelly Bayer Rosmarin, who has vowed to stay on and lead the company’s response, to see if she will do the same.
She got off to a good start. On Wednesday last week, someone at Optus noticed something was not right. The concern travelled up to the chief information officer, Mark Potter, who called Bayer Rosmarin. “At that stage [Potter] did not understand the extent of it, just that we were sure something had occurred,” Bayer Rosmarin later told a press conference. “It was only late that night that we were able to determine that it was of a significant scope. I think that was sort of a late-night call.”
By Thursday the company had alerted the press, albeit after The Australian newspaper had published a story, disclosing a breach. The names, addresses and contact details of about 9.8 million people had all been exposed. Almost 3 million customers’ passport and licence numbers too. A perfect toolkit for cybercriminals to impersonate Australians and lift bank balances. Bayer Rosmarin fronted the press the next day, earning plaudits for showing she understood the emotional gravity of the breach. “I’m very sorry, and apologetic,” she said. “It should not have happened.”
But it did happen, Bayer Rosmarin said, because it was a “a sophisticated attack. And we will not be releasing further details at this stage.” The company’s justification was that the Australian Federal Police were investigating.
Meanwhile, the federal government was quiet. Home Affairs Minister Clare O’Neil, who is also cybersecurity minister, was tweeting about the AFL and NRL finals. It irked her opposite number, Liberal cybersecurity spokesman James Paterson, who shot back that she should be telling Australians what the government was doing about the breach.
Over the weekend the story grew. Researchers who monitor the shadier parts of the internet found a forum user called “Optusdata”, with a default profile picture of an anime woman, claiming to have data from Optus on more than 10 million Australians and personal identity document numbers from about 4 million. They wanted a $US1 million ($1.54 million) ransom in a cryptocurrency called Monero in seven days, or else the cache would be sold to cyber criminals for $US300,000. They posted a sample of 200 customer records to substantiate their claims.
When O’Neil did become publicly involved on Monday, she made up for her absence immediately. She lambasted the company for effectively leaving the window open to data being stolen and when asked in a TV interview whether she believed Optus’ claim that it was the subject of a sophisticated attack, O’Neil said: “Well, it wasn’t. So, no.” It was a steely, direct performance that capitalised on the rising tide of consumer anger (“I’m fuming,” one Optus customer emailed to say) and swung attention away from questions about whether federal law needed to be reformed to stop companies having to keep so much information. But backed with the authority of the security agencies investigating the hack and advising the government, O’Neil’s answers also gave the public a diametrically different view of Optus’ claims.
Optus seemed blindsided. At the time the minister’s pre-recorded interview went to air on Monday night, she was speaking to the company. The next morning Bayer Rosmarin fronted the media, reiterating the company’s stance and suggesting the minister had not been fully briefed by the company when she went on TV. “We are not the villains,” she said. That did not deter the federal government, which only redoubled its criticisms as the forum user with the anime girl avatar posted the records of another 10,000 people, this time including Medicare data. Since then, Optus has said very little.
Police on Friday appeared to confirm these 10,000 records were genuine when they began an operation called Guardian to protect those people.
Optus declined to make its chief executive or another spokesperson available for interview for this story and did not directly answer a list of questions. It has consistently defended its cybersecurity practices, and said it is doing everything it can to support customers – including providing a year of free credit monitoring. It urged people to be vigilant against scams.
In a brief statement, an Optus spokeswoman pointed to a media release from the AFP that said police would not divulge information from their investigation to protect its integrity. “To help protect customers, Optus will not comment on some details of the cyberattack, including, for now, technical details,” the spokeswoman said.
The company has separately taken out an ad in Saturday’s papers, where it apologises to customers and reassures them the breach is over. “We’re deeply sorry that a cyberattack happened on our watch,” the ad reads. “We know this is unacceptable and that we’ll need to work hard to regain your trust.”
From Prime Minister Anthony Albanese down, the government is now considering how it can make companies like Optus pay for major cyber breaches. The company is paying for affected customers to replace licenses, while the prime minister has said Optus will also cover passport replacements for affected people. That could cost Optus millions. “In Australia, the maximum fine that we can attach to this kind of breach in the Privacy Act is [about] $2.2 million, which for a massive company like Optus is really a drop in the ocean,” O’Neil said on Wednesday. In Europe, it is up to $30 million, or 4 per cent of a company’s global annual revenue. For massive internet companies like Google, or Facebook owner Meta, that would be many billions.
But Graham Greenleaf, a board member of the Australian Privacy Foundation and professor at UNSW, said even under current laws Optus could be made to pay major compensation. Two class action firms, Slater & Gordon and Maurice Blackburn, are investigating claims. Either avenue could mean millions of customers could demand compensation for the costs and distress of their information being stolen. “That could be very big with up to 10 million complainants,” he told The Sydney Morning Herald and The Age. Asked for an estimate of how much money could be in play, Greenleaf said enforcement had been such a “black hole” before the current privacy commissioner that it was hard to know.
Loading
Whether Optus is liable will depend on whether it has breached a series of privacy principles that require big companies to only collect personal information that is related to their business and delete it promptly when no longer needed. “I thought I’d be safe because its April 2018 when I went back to Telstra after two dismal years with Optus,” one former customer whose data was taken told the Herald and The Age. “I can’t see why they need to keep that information for so long, to be honest.” Bayer Rosmarin said on Friday that “the reason that we hold on to customer data for a period of time is that it is the law. We have to be able to go back in our records for six years and so we do hold information for the required length of time”.
Metadata laws say phone companies have to keep names, addresses and “other information” used to identify subscribers while their account is active and for two years after. The intention is to let law enforcement catch people who commit crimes online. But the laws are silent on what documents or ID numbers, if any, need to be kept to fulfil that rule. Former human rights commissioner Ed Santow said the Optus hack had validated other concerns about the laws expressed at the time. “The former government justified the metadata law as being to catch the worst criminals, terrorists and murders. In fact, it has been used rarely if ever to combat those serious crimes. In fact, it’s used much more frequently to chase fines and debts and protect revenue.” The bipartisan Parliamentary Joint Committee on Intelligence and Security recommended that access be tightened up two years ago, but nothing has happened.
Attorney-General Mark Dreyfus, who has promised to move quickly to reform privacy laws, said companies that inspected driver’s licences or passports to confirm their customers’ identities should not need to hold on to the information. “They don’t seem to me to have a valid reason for saying we need to keep that for the next decade,” Dreyfus said on Thursday.
Rachael Falk, the chief of the Cybersecurity Co-operative Research Centre, an industry-government-academia partnership, has scant sympathy for Optus despite the ambiguity of the law on what information the company has to keep. That is because the law demands that firms “protect the confidentiality of information” kept under metadata law. “It’s unequivocal,” said Falk, who was involved in discussions on the laws as a former senior Telstra executive. “The security aspect is unequivocal.”
Privacy advocates have used the Optus breach to throw attention on how much data is kept by companies big and small across the country. Real estate agents, hoteliers and rental car firms routinely take copies of identity documents. Santow, now at the University of Technology Sydney, and his colleagues published a paper during the week outlining how scant protections are for the use of facial recognition technology, too. Lizzie O’Shea, chair of Digital Rights Watch, an NGO, said Australians had no guarantee that information was being stored properly and deleted quickly. The regulator is under resourced, she said, and individuals cannot go to court to have their data deleted. “We don’t have that in Australia,” O’Shea said.
Investigations into how the hack happened are still under way, but there is a view among cybersecurity experts that O’Neil is right and someone at Optus made a major error in leaving a gateway to its data exposed online.
Alastair MacGibbon, who used to run one of the government cybersecurity agencies now investigating the breach, says that theory is not confirmed but “seems to be the consensus”. It means all the hacker had to do was find the access point, called an API, and ask for customer data in the right way. “Not sophisticated, quite simple, and sadly, understandable in complex compute environments,” said MacGibbon, now with security firm CyberCX. If that is the case, then this was less a break and enter than someone walking in through the front door. Compared to the Target hack, where a criminal gang infected a third-party refrigeration company with malware to eventually access the retailer, the Optus breach may not even qualify as a “hack”. Police would provide no details at a press conference on Friday.
Several industry insiders, who spoke anonymously because their employers had not authorised them to speak, said such a lapse should never have happened. They argued it fit Optus’ reputation for having a stingy approach to cybersecurity, which generates no money for businesses. And it is not the first data breach at Optus. In August last year the Information and Privacy Commissioner announced an investigation into how 50,000 Optus customers’ names, phone numbers and addresses were published without their agreement in the online and also, potentially, the print White Pages. A “system error” caused that breach, not a hack, Optus said in 2019, when it disclosed the problem.
Loading
If the Optus sceptics are right about this breach, then that could also make encryption, which Optus says it used, irrelevant. The data would be encrypted on Optus servers, and in transit to the thief, but it would be in plain text on arrival. Optus has not denied the central claim in this debate that the hacker used what is called an API – a common way of computers exchanging data – to request the customer information. But it has strongly contested other elements, with Bayer Rosmarin hitting out at “misinformation”, arguing the company has invested heavily in cybersecurity and pointing to checks by police and cyber agencies of the company’s systems. “It is not the case of having some sort of completely exposed API sitting out there,” she has said.
MacGibbon is critical of the language in these denials. “Their crisis management has been very poor,” he said. Things like the company’s description of its data as “encrypted”, he said, were a word “word salad” that prevented people trusting the company because the data appeared to have been unencrypted when it reached the hacker. Optus is a victim, MacGibbon said, but the company’s “failure to actually have a crisis plan and execute upon how you deal with your stakeholders, has actually led to the situation being much worse for Optus.”
Assistant Treasurer Stephen Jones fed the sceptics on Thursday. “If you just look at the amount of ransom or bribe that was sought by the actor … someone who asks for a million dollars that’s more the ring of a kid in a garage than a state actor, I’ve got to say,” Jones said, before stressing that he did not know that as a matter of fact. Typically, hackers demand money from a company before going public, giving their targets maximum incentive to pay and avoid reputational damage. This hacker did not do that and later complained they could not work out how to contact Optus. And then on Tuesday the hacker backpedalled, claimed to have deleted the data and apologised, saying they were attracting too much attention. “Deepest apology to Optus for this,” the person said. That followed the FBI being called in and sparked rumours that Optus may have paid up, but an Optus spokesman told the Herald and The Age that day: “We didn’t pay.”
Loading
The hacker also asked for $US1 million ($1.55 million), an amount that some wits compared to Dr Evil’s demand for the same amount in the movie Austin Powers. “A million dollars isn’t exactly a lot of money these days,” a sidekick reminds the villain. That amount is well below some of the highest ransoms paid. The global meat processor JBS Foods paid $14 million last year to end a ransomware attack, but that had disabled its plants in America and Australia, threatening meat supplies for supermarkets. Colonial Pipeline, a company that supplies about half of the gas to the United States’ east coast, paid $7 million in Bitcoin to end another ransomware attack in the same year. Again, the potential consequences of not paying were dire. Optus, by contrast, has assured customers their phones and internet connections have remained safe to use. But the demand is not the lowest either; Uber paid $US100,000 in 2016 to have hackers delete stolen data on 57 million users.
When Target’s chief executive resigned, the company lost its president and chairman too. All three roles were held by the same man. The government has stopped short of calling for Bayer Rosmarin’s resignation, but its language has been backhanded, widening the sphere of people in the firing line even as it dismisses the suggestion. “I don’t think it’s helpful at this point in time to be speculating on who should go from Optus – whether it’s the chair, whether it’s the board, whether it’s the CEO,” Financial Services Minister Jones said midweek. Bayer Rosmarin has said her focus is on helping customers.
Unlike the American Target or the big four banks when they came under fire from the 2017-19 royal commission, Optus’ management has a distinct advantage. The company is not publicly listed. Instead, it is a subsidiary of Singtel, an international telecommunications conglomerate largely owned by the Singaporean state wealth fund. And Singtel is standing behind the company for now. “We have extended our fullest support to Kelly and the Optus management team as they work to minimise inconvenience and risk to customers,” a spokesman said.
The Morning Edition newsletter is our guide to the day’s most important and interesting stories, analysis and insights. Sign up here.