Optus had high hopes for Kelly Bayer Rosmarin when she was appointed chief executive in April 2020 – and the South African-born banker had even greater expectations of herself.
‘We’ve done a lot of stuff but it will never be fast enough for me – I want to get to be the most loved everyday brand,’ she said less than a year into the job.
Bayer Rosmarin, a former Commonwealth Bank executive, came to Optus without ever having worked in the telecommunications industry and served a year-long apprenticeship before assuming the top spot.
Kelly Bayer Rosmarin had an ambitious goal when she was appointed chief executive in April 2020. ‘We’ve done a lot of stuff but it will never be fast enough for me – I want to get to be the most loved everyday brand,’ she said less than a year into the job
About 9.8 million Optus customers have had personal details stolen in data breach, and a hacker has threatened to release 10,000 of those everyday unless the company gives into a ransom of $1.5million
Her first day in the role came as the nation was dealing with the early stages of the Covid-19 pandemic and it has been hard going ever since.
Not only is Optus in an ongoing battle with market leader Telstra, which is twice its size and offers slightly broader coverage, but TPG Telecom has become a serious competitor after merging with Vodaphone in 2020.
The cyber hack that has seen data belonging to 9.8 million current and former Optus customers being compromised puts Australia’s second biggest telco a long way from being ‘the most loved everyday brand’.
Slater and Gordon Lawyers are investigating whether to launch a class action lawsuit against Optus on behalf of former and current customers.
And a hacker claiming to be behind the security breach has reportedly released 10,000 customer records, demanding a $1.5million ransom.
The purported cybercriminal had been threatening to release 10,000 more records every day for the next four days if the ransom was not paid.
Optus boss Kelly Bayer Rosmarin (above) says the company couldn’t say much about the ransom threat as it was being investigated by the Australian Federal Police
The ransom demand appeared on the dark web, with the hacker warning Optus had four days to decide
The mysterious hacker has since apologised for the attack but Optus customers have begun receiving threatening text messages demanding they pay $2,000 to have their details erased.
Data involved in the breach includes names, email addresses, phone numbers, dates of birth, home addresses and driver’s licence and passport numbers.
Bayer Rosmarin rightly insisted on Tuesday that the real villain in this security nightmare was the hacker but she is the public face of the disaster and for many observers, the buck stops with her.
‘Well, look, I think most customers understand that we are not the villains and that we have not done anything deliberate to put any of our customers at risk,’ she told ABC Radio’s AM program on Tuesday.
No one is suggesting Optus deliberately exposed its customers to such a data breach but how most of them feel about the company is less clear-cut.
Until now, the lowest point in Optus’s relationship with its subscribers was the debacle during the 2018 World Cup.
For the first time, Australian fans of the round-ball football code could only watch most of the tournament’s matches by being an Optus customer or paying $15 a month to stream games on its app.
The licensing deal with SBS was described at the time as unprecedented and the experience for viewers was certainly unique.
The technology failed badly early in the competition, with streams dropping out, buffering or not working at all.
Then-prime minister Malcolm Turnbull called Bayer Rosmarin’s predecessor Allan Lew to ask what had happened and Optus eventually let SBS screen the remaining games because it could not guarantee fixing the problem.
Data involved in the breach includes names, email addresses, phone numbers, dates of birth, home addresses and driver’s licence and passport numbers. Stock image above
Federal politicians have again been weighing into Optus’s woes, with Prime Minister Anthony Albanese describing the data breach as a ‘huge wake-up call’.
Home Affairs Minister Clare O’Neil has gone harder, launching a scathing attack on Optus in parliament in which she said the breach was a ‘basic’ hack.
O’Neil laid blame for the security failure firmly at the feet of the telco, describing it as potentially the result of simply leaving a ‘window’ open.
Home Affairs Minister Clare O’Neil slammed Optus saying the security breach was ‘basic’, however the telco has rejected those claims
‘The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,’ O’Neil said on Monday.
‘We expect Optus to continue to do everything they can to support their customers and former customers.’
Bayer Rosmarin rejected O’Neil’s claim the hack was not sophisticated.
‘Unfortunately I think our briefing of the minister happened after she gave that interview,’ Rosmarin told AM. ‘But given we’re not allowed to say much because the police have asked us not to.
‘What I can say that hopefully should help people understand that it’s not as being portrayed is that our data was encrypted and we have multiple layers of protection.’
Bayer Rosmarin reportedly has always enjoyed a challenge – she has described herself as ‘very clam in a crisis’ – and she has one on her hands right now.
The 45-year-old joined Optus in March 2019 in the newly created position of deputy CEO, having served various senior roles since 2004 at the Commonwealth Bank.
She had been named in the Top 25 Women in Asia Pacific Finance, the Top 10 Businesswomen in Australian and 50 Most Powerful Women in Australian Business.
Running Optus was nonetheless a huge step up again.
Covid immediately curtailed Bayer Rosmarin’s ability to physically visit Optus’s network of national offices and she found herself working from her Vaucluse home.
By August 2020, Bayer Rosmarin was still upbeat when she told The Weekend Australian that Optus ‘absolutely could be No 1 in mobile share over time’.
‘I’d love to see it happen because we are so focused on customers that they choose us and they choose to stay with us,’ she said.
Nine months after her appointment Bayer Rosmarin told Nine newspapers she believed the telco industry was lacking new ideas in the fight to make profits.
‘Despite being so fundamental and despite it being something that people actually love and use every day – it’s a sector that globally is struggling for profitability,’ she said.
Optus customers have received threatening text messages warning their data will be leaked unless they pay $2,000 to a CBA account. One such text message is pictured
Under Bayer Rosmarin, Optus bought low-cost carrier Amaysim, which was viewed positively by the share market, and won approval from customers by freezing prices during the pandemic.
There have been other successes.
Optus Sport has held the rights to the English Premier League since 2016 and renewed that deal as the competition’s exclusive local broadcaster in late 2021 for six more years.
Bayer Rosmarin is a Manchester United fan and former Football Federation of Australia board member and the company is confident it will never experience another broadcasting disaster like the 2018 World Cup.
The Singtel-owned provider had also been close to securing a broadcasting rights deal with Rugby Australia in 2020 before the pandemic hit.
If the current data breach had happened in Europe the company responsible would face potential fines worth hundreds of millions of dollars but Bayer Rosmarin did not back tougher penalties here.
‘Look, honestly I’m not sure what penalties benefit anybody,’ she told AM.
Federal politicians have again been weighing into Optus’s woes, with Prime Minister Anthony Albanese describing the data breach as a ‘huge wake-up call’. Stock image above
‘I think what I can say is Optus is doing absolutely everything possible to be transparent, to be on the front foot.
‘We’re communicating to every customer individually about which specific fields of theirs may have been accessed and we’re working through that.’
Bayer Rosmarin said Optus was working closely with the Australian Cyber Security Centre and Australian Federal Police to identify the culprits.
‘We definitely know that this is the work of some bad actors and really they are the villains in this story,’ she said.
‘Now of course we will investigate thoroughly how it could happen, what went wrong, how we could have avoided it.
‘And later on if something comes out of that indicates that Optus have made an error or done something bad we will of course take full accountability for that.
‘But there’s a time and a place for that and we remain focused on doing everything we can to make sure no harm comes to customers as a result of this theft.’
Optus has announced it will be providing the most affected past and present customers with a free 12-month credit monitoring subscription to Equifax Protect.
Asked if she had considered resigning, Bayer Rosmarin said: ‘At the moment all we’re focused on is protecting our customers, so someone has to be accountable for doing that and that’s exactly what I’m focused on.’
What Optus has said about the breach:
How did this happen?
Optus was the victim of a cyberattack. We immediately took action to block the attack which only targeted Optus customer data. Optus’ systems and services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.
Has the attack been stopped?
Yes. Upon discovering this, Optus immediately shut down the attack.
We are now working with the Australian Cyber Security Centre to mitigate any risks to customers. We have also notified the Australian Federal Police, the Office of the Australian Information Commissioner, and key regulators.
Why did we go to the media first instead of our customers?
The security of our customers and their data is paramount to us. We did this as it was the quickest and most effective way to alert as many current and former customers as possible, so they could be vigilant and monitor for any suspicious activity. We are now in the process of contacting customers who have been impacted directly.
What information of mine may have been exposed?
The information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers. Customers affected will be notified directly of the specific information compromised.
Optus services, including mobile and home internet, are not affected. Messages, voice calls, billing and payments details, and account passwords have not been compromised.
What should I do to protect myself if I suspect I am a victim of fraudulent activity?
We are not currently aware of any customers having suffered harm, but we encourage you to have heightened awareness across your accounts, including:
Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
How do I contact Optus if I believe my account has been compromised?
If you believe your account has been compromised, you can contact us via My Optus App – which remains the safest way to contact Optus or call us on 133 937 for consumer customers. Due to the impact of the cyberattack, wait times may be longer than usual.
If you are a business customer, contact us on 133 343 or your account manager.
How do I know if I have been impacted?
We are in the process of contacting customers who have been directly impacted.