The Internet in Peril: No Hiding Your Secrets

In September 2022, Australian telecommunications provider Optus announced that it had suffered a cyberattack, resulting in the data leakage of nearly 10 million users, accounting for one-third of Australia’s total population. The leaked information included customers’ names, birth dates, home addresses, phone numbers, emails, and sensitive data such as passport and driver’s license information for some customers. Among the stolen information, the detailed data of 10,000 Optus users had been published online by hackers. This incident is considered one of the largest cyber attacks in Australia’s history.

Optus is the second-largest telecommunications operator in Australia, following Telstra, and boasts a large user base. Upon discovering the data breach, Optus promptly took action, including notifying news agencies and cooperating with relevant authorities to investigate the situation. The incident immediately caused a significant uproar, and Optus’s CEO Kelly Bayer Rosmarin said in a statement: “We took immediate action to halt the cyber attack and launched an investigation as soon as we became aware of the issue.” Following the incident, Optus sent text messages and emails to users whose sensitive information had been leaked and offered some solutions.

There are two different explanations for the cause of this cyberattack. ABC News reported that Optus insiders revealed to them that the vulnerability in the Optus API was due to human error. However, Optus claims that it was a ‘complex attack’ targeting its systems.

In the era of big data, the internet has become an indispensable part of most people’s lives. When using various platforms and services, people must input their personal information, which is then stored in these platforms’ databases. Often, our names and phone numbers are connected to more private data. Although these companies and platforms state in their privacy policies that users’ private data is absolutely safe, in reality, once users provide personal information to these platforms or companies, their data is no longer private and confidential.

Optus Faces Crisis in Rebuilding Customer Trust and Repairing Reputation

The data breach at Optus had a significant impact, affecting the information of over one-third of Australia’s total population. Searching for “Optus data breach” on the social media platform X reveals numerous complaints about the effect of this data breach on personal privacy. For example, one user posted that since the Optus data breach, she has been inundated with spam emails, including fake invoices sent to her PayPal account. She had just started using Optus two weeks before the incident occurred.

Australia has a large international student and immigrant population, and some of these individuals need to use their passport numbers as identification while living in the country. Searching for the incident’s keywords on the Chinese social media platform “Little Red Book” also shows many people discussing how they have been affected by the event.

As the second-largest telecommunications operator in Australia, Optus has a massive user base. News reports and information on major social media platforms reveal that Optus has long been criticized by users for “poor signal” and “frequent network outages.” It is clear that this incident will have a significant impact on Optus’s reputation. The biggest risk is the potential loss of business as customers move to other operators. Rebuilding customer trust will be a challenging battle for Optus.

Dissatisfied Users File Class Action Lawsuit Against Optus

Following the incident, many users were unhappy that their various data had been leaked. As a result, they filed a lawsuit against Optus. Law firm Maurice Blackburn submitted a representative complaint to the Office of the Australian Information Commissioner (OAIC). The complaint alleges that Optus retained customer information when it was no longer needed or was not authorized to do so. Additionally, Slater and Gordon also filed a lawsuit against Optus on behalf of over 100,000 participants. The lawsuit accuses Optus of failing to fulfill its duty to protect customers’ personal information. The organization did not specify the amount of compensation they are seeking from Optus, but stated that the class action plaintiffs are seeking compensation for the losses caused by the data breach, such as the cost of replacing identification documents and enhancing personal data security.

Multiple scams have emerged, and the Australian government is reminding people to be mindful of their privacy and security.

1. “Unauthorised transaction on your account” scams:

Scammers claim there are suspicious transactions on your online account due to the Optus data breach. They then ask you to provide personal or financial information.

2. “Hi Mum” scams:

Scammers pretend to be a family member or friend in need of help, sending texts to people and using the Optus hack as an excuse for contacting them from a new number. These messages quickly escalate to requests for money or personal information (including photos).

3. Financial Restitution:

In this type of scam, scammers impersonate Optus over the phone, claiming to offer financial compensation to customers affected by the data breach. They use this as a reason to ask for customers’ personal and financial information.

Optus’s response to the incident

Upon discovering the attack, Optus immediately shut down the attack and collaborated with the Australian Cyber Security Centre to mitigate any risks faced by customers. Optus also notified the Australian Federal Police, the Office of the Australian Information Commissioner, and other major regulatory bodies. In a statement, Optus said that it would proactively notify customers deemed to be at high risk and provide professional third-party monitoring services. As an immediate remedy, Optus offered affected users a one-year subscription to Equifax credit monitoring services. This service provides immediate alerts if anyone applies for credit fraudulently. Additionally, Optus stated that it would contact customers whose identity documents (such as driver’s licenses or passports) had been stolen and reimburse them for the cost of applying for new documents.

On October 3, 2022, Optus released a statement on its website announcing that it had engaged the international professional services firm Deloitte to conduct an independent external review of the cyberattack incident and its security systems, controls, and processes. Optus CEO Kelly Bayer Rosmarin stated: “This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sectors where sensitive data is held and there is a risk of cyberattack.”

The importance of protecting personal privacy data in the digital age

The data breach incident at Optus undoubtedly served as a wake-up call for other companies. This incident made many Australian businesses realize the importance of implementing data breach prevention strategies. User trust is one of the crucial factors for a company’s long-term survival. If a user’s personal information is not properly protected, any company could lose user trust and the good reputation it once held, ultimately hampering its healthy and successful development. Collecting user data can certainly help companies improve their products and services. However, when consumers discover that their data has been massively leaked or used for illicit profiteering activities, they become increasingly cautious and reluctant to provide their personal privacy data to companies. Therefore, companies must establish, publish, and effectively implement robust and comprehensive data security policies to earn consumers’ trust.

Companies can strengthen the protection of user data by improving data protection policies and regulating data processing procedures. In terms of data collection, companies should clearly inform users of the purpose, scope, and manner in which data is collected and obtain explicit consent from the users before conducting data collection activities. In addition, companies can conduct regular system security reviews and ensure data can be promptly restored in the event of an unexpected attack.

Legal and Governance Issues Regarding Privacy Data

The Optus data breach incident has once again raised concerns about privacy protection and cybersecurity. Australian Home Affairs Minister Clare O’Neil stated that the incident highlights the gap between Australia and other parts of the world in terms of privacy and cybersecurity. She mentioned that “we are ten years behind.” O’Neil also suggested revising the Cybersecurity Act. She noted that if similar incidents occurred in other countries, the offending company might face hefty fines. However, under Australia’s privacy laws, the maximum fine for such incidents is only 2 million AUD.

At the same time, Australia’s Attorney-General Mark Dreyfus stated that the Optus incident prompted the government to consider promptly amending the Privacy Act to impose heavier penalties on companies in violation. Following the incident, O’Neil has already proposed interim reforms to enable companies to respond to security vulnerabilities more quickly and effectively.

On October 6, 2022, the Australian Treasury released a statement saying that “The Albanese Government has prepared amendments to the Telecommunications Regulations 2021 to better protect Australians following the Optus data breach.” The primary goal of these amendments is to enable Optus and other telecommunications companies to coordinate more effectively with financial institutions, the Commonwealth, as well as state and territory governments to detect and mitigate risks associated with cybersecurity incidents and malicious online activities such as fraud and scams.

According to the Treasurer, the Hon Dr. Jim Chalmers MP, “Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach. These new measures will assist in protecting customers from scams, and in system-wide fraud detection.” This initiative by the Australian Treasury strengthens monitoring and protection measures, providing better security for customers affected by the incident.

If someone uses services on the internet and seemingly enjoys these services without paying anything, their personal data is actually the currency exchanged for the service. In this era where all services on the internet require personal data for exchange, our personal data is not well protected. For example, many platforms have mandatory privacy policies: if you agree, you can use the service; if you disagree, you can’t use it. These privacy policies are often lengthy, causing many people to choose “agree” without even reading them. Terry Flew also mentioned this in his book: online terms of service agreements are complicated, vague, and legalistic, and typically offer the user an all-or-nothing option (Flew, 2021).

Moreover, the relevant laws and regulations on internet data security in many countries are not comprehensive enough to adequately protect people’s data security. In the case mentioned in this article, the maximum fine for such data breach incidents in Australia is only 2 million AUD. For some larger companies, this amount is not a significant sum. If the legal penalties are not severe enough and companies that violate related laws do not pay a heavy price, they will not realize the severe impact of such incidents, and the likelihood of similar events occurring again in the future will be high. In this situation, customers’ personal data and even private data will be placed at risk, and security cannot be guaranteed.

What can you do to protect your ‘secrets’?

1. Share personal information cautiously

Avoid entering personal information such as bank accounts, passwords, and ID numbers on unsafe websites or apps. Configure privacy settings on social media platforms appropriately to avoid disclosing more personal information.

2. Use strong passwords and multi-factor authentication, and regularly check account security settings

When registering for accounts on various platforms, use strong passwords and change them regularly. If the platform offers multi-factor authentication, enable it to enhance the security of your account. Additionally, periodically check your personal account’s security settings and activity to ensure there are no suspicious logins or other issues. If you notice unauthorized access or other security problems, take immediate action, such as changing your password or contacting the relevant authorities.

3. Be cautious with public Wi-Fi and shared devices

Avoid transmitting sensitive information such as online banking transactions and shopping payments while using public Wi-Fi. Additionally, refrain from logging into personal accounts on shared devices to prevent your information from being accessed by others.

4. Understand relevant laws and regulations and exercise your rights

Know your rights as a data subject. Before providing personal information, understand the purpose of its collection and use. If you find that your personal information is being misused, you can request the relevant institutions to delete or correct it.

Conclusion

In today’s thriving digital economy, data has become a resource, and even a form of currency. The World Economic Forum described personal data as ‘the new “oil” – a valuable resource of the twenty-first century … a new type of raw material that is on a par with capital and labour’ (World Economic Forum, 2011). We exchange our personal data and even private data on the internet for information. Just like Alice and Danah said, the tech industry often frames its products as a give-and-take between people willingly sharing personal information in exchange for benefits. Without realizing it, we may believe our information is secure and private, but the moment we submit it online, it is no longer private.

The Optus data breach not only serves as a reminder for major companies to strengthen their protection of customer data, but it also cautions each of us to avoid submitting our private data to online platforms without careful consideration.

In “Technopoly,” Neil Postman mentioned, “Every technology is both a burden and a blessing; not a binary choice, but a product of both benefits and drawbacks.” While various internet technologies have made our lives more convenient, we must also be aware of the dangers they pose, becoming decision-makers regarding our personal privacy rather than being prisoners of data.

Individuals need to raise their awareness of data security, and major companies should conduct regular security audits of their systems to prevent incidents like the Optus data breach. Government agencies must also keep up with technological advancements and promptly revise related laws and regulations, strictly regulating companies to better protect individuals’ privacy and digital rights.

References:

Cyberknow. (2022). Optus Data Breach Timeline. https://cyberknow.medium.com/optus-data-breach-timeline-c02d8c5298c4

Flew, T. (2019). Platforms on Trial. Intermedia, 46(2), 18–23. https://eprints.qut.edu.au/120461/

Flew, T. (2021). Issues of Concern. In T. Flew, Regulating platforms, 79–86. Polity.

Chalmers, J. (2022). Changes to protect consumers following Optus data breach. Treasury Portfolio. https://ministers.treasury.gov.au/ministers/jim-chalmers-2022/media-releases/changes-protect-consumers-following-optus-data-breach

National Anti-Scam Centre. (2022). Optus Data Breach Scams. Australian Government. https://www.scamwatch.gov.au/types-of-scams/recent-scam-activity/optus-data-breach-scams

Optus. (2022). Optus Notifies Customers of Cyberattack Compromising Customer Information. https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack

Optus. (2022). Optus Commissions Independent External Review of Cyberattack. https://www.optus.com.au/about/media-centre/media-releases/2022/10/optus-commissions-independent-external-review-of-cyberattack
