Optus chief executive Kelly Bayer Rosmarin has dismissed claims that a breach of up to 9.8 million Australians’ personal data was facilitated by inadequate system protections at the telecoms giant as ‘sloppy’ and ‘misinformation’.
This followed comments by Home Affairs Minister Clare O’Neil that the telco had left the door open to a ‘basic’ hack, according to a report by The Australian Financial Review. Optus “left the window open for data of this nature to be stolen”, O’Neil said on the ABC’s 7.30 program, flagging that the government would significantly lift the fines for such breaches. She did not, however, specify the size of the increase.
Industry watchers regard this breach as one of the largest in Australian corporate history. Minister O’Neil criticised Optus on Tuesday after reports that a person claiming to be the hacker had obtained Medicare numbers.
“I am incredibly concerned this morning about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom,” O’Neil said in a statement.
“Medicare numbers were never advised to form part of compromised information from the breach. Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them. Reports today make this a priority.”
Optus’s counter-claim
In the company’s defence, Optus CEO Bayer Rosmarin repeated that the attack, in which millions of driver’s licence and passport numbers were stolen, was ‘sophisticated’, but said she was unable to go into details because police investigations were continuing. “We have multiple layers of security and, because of the incident, we have invited in a third-party expert, a cyber firm, and the Australian Centre for Cybersecurity, and they have scanned our perimeter to ensure that there isn’t the kind of exposure that has been sloppily written about,” she told The Australian Financial Review.
The third-party cyber firm was not named. Asked whether Ms O’Neil had been misinformed when she spoke to 7.30, Ms Bayer Rosmarin said:
“We were actually talking to the minister at that time, so the interview she did was before her briefing with us.”
“I think she was talking more generally and, of course, she wants to make sure in the event that Optus has done something that we shouldn’t have, we are held accountable.”
But it is understood that Ms O’Neil stood by her comments to the ABC, even after talks with Optus later that night, the AFR reported.
Meanwhile, the apparent culprit, who had threatened on a hacking forum to sell the data unless Optus paid almost $1.5 million in the Monero cryptocurrency, withdrew the ransom demand. The same account had previously posted samples of the data online which appeared to be genuine.
O’Neil also said she wanted to reform the fines levied against companies that suffer data breaches affecting Australians.
“In other countries around the world, a breach of this scale would result in hundreds of millions of dollars worth of fines for a company like Optus. We have a maximum of just over $2 million under the Privacy Act – totally inappropriate,” Ms O’Neil said.
Optus says it has contacted the most affected customers and will offer them a one-year subscription to the Equifax credit monitoring service, which helps identify suspicious financial activity.