Optus data breach: Another one bites the dust
If you have switched on the television, scrolled through social media and/or picked up a newspaper sometime within the last few days, you are likely aware that Australia’s second largest telecommunications provider, Optus, has admitted it has suffered a significant data breach. Indeed, if you are an Optus customer, you may have already received correspondence from the telecommunications company notifying you that your personal data has been compromised.
Unfortunately, Optus’ data breach is just one in an ever-increasing wave of cyber-security incidents in Australia.
What happened?
On 22 September 2022, Optus announced that the personal data of up to 9.8 million of its former and existing customers had been stolen from its internal customer database. Worryingly, it appears that up to 2.8 million of these customers have been severely affected by the breach.
Optus is yet to provide a comprehensive account of how the data breach occurred, although it has indicated the breach was the result of a sophisticated cyber-attack. However, news and media outlets are increasingly reporting that experts believe the data breach may have been the result of inadequate security protocols combined with human error.
On 27 September 2022, a party claiming to be responsible for the Optus data breach, operating under the username ‘Optusdata’, posted a ransom message on the dark web demanding that Optus pay AUD$1.5 million to prevent the exposure of all customer data records. In the same ransom message, the self-proclaimed hacker released the details of 10,000 Optus customers, with the threat that more customer data would be released in the coming days. In a surprising turn of events later that same day, the user Optusdata reportedly issued an apology to Optus and vowed not to release any further customer data. For Optus customers, only time will tell whether this promise is upheld.
Impact on Optus
Whilst it is still early days, Optus is already feeling the detrimental ramifications of its data breach. The telco company is facing heavy criticism and scrutiny from customers, security experts and governmental agencies, which is likely to result in long-lasting reputational damage. Consequently, it is likely Optus will experience a mass customer exodus over the coming months. There is also a class action lawsuit underway against Optus, which undoubtedly has the organisation’s insurance provider/s feeling extremely concerned.
Australian businesses which experience a significant data breach should be aware that they may also face repercussions similar to those encountered by Optus.
Regulatory response – what is likely to occur?
Unsurprisingly, the sheer size of the Optus data breach has prompted widespread calls for increased security requirements and an overhaul of the existing regulations and legislation governing the retention and storage of data within the telecommunications industry. These proposed changes seek to both minimise the amount of personal data required to be collected by telecommunications companies and reduce the duration that such information is retained.
Further, the publicity surrounding this data breach is likely to result in the accelerated implementation of Australia’s Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, which proposes to significantly increase the penalties faced by Australian businesses that suffer serious or repeated breaches of privacy. These increased penalties stand to be readily welcomed by the OAIC, the ACCC and, now more than likely, the Australian public.
Data breaches: A question of when, not if…
The Optus data breach serves as a critical reminder for businesses within Australia that the occurrence of a data breach should be regarded as a question of when, not if. Indeed, data released by the Office of the Australian Information Commissioner (OAIC) indicates that there are upwards of 900 reported data breaches affecting Australian businesses each year (this doesn’t include the tens of thousands of unreported data breaches occurring in Australia). These breaches are overwhelmingly the result of malicious attacks and/or human error.
What happens if my business experiences a data breach?
Whilst every data breach should be responded to on a case-by-case basis, there are generally four key actions businesses should take in responding to a breach.
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ (see below) under the national data breach scheme, it may be mandatory for your business to notify.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
Eligible Data Breaches
Businesses operating within Australia are legally obligated to notify affected individuals and the OAIC of all “eligible data breaches”. An eligible data breach occurs in circumstances where there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that is likely to result in serious harm to one or more individuals, and such harm is unable to be prevented.
Key takeaways – lessons for Australian businesses
In light of Optus’ data breach, it is critical that Australian businesses ensure they are acting in compliance with Australia’s privacy requirements as set out in the Privacy Act 1988 and the Australian Privacy Principles.
In addition, businesses should turn their minds to and review their existing cyber-security protections, policies and procedures. This includes, non-exhaustively:
- Ensuring that your business has a data breach response plan;
- Reviewing and updating your privacy policy;
- Minimising your data collection and retention where possible; and
- Conducting regular cyber security training and information courses for all staff. Keep in mind that human error plays a significant role in many data breaches.
Need more information or assistance? We can help!
For further information or a review of your compliance with Australian privacy legislation, please contact one of our Privacy experts.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.