Optus is facing an ‘extinction-level event’ after its massive loss of customer data to a hacker, a technology analyst says.
Shara Evans, who is the CEO of leading tech research firm Market Clarity, says the telco’s response has been completely inadequate and could see it face massive fines both in Australia and Europe.
‘This is an extinction-level event for Optus’s reputation,’ Ms Evans, who has worked for US tech and telco giants Alcatel, Sprint, Telenet and GTE, said.
Shara Evans, who is the CEO of leading tech research firm Market Clarity, says Optus faces an ‘extinction-level event’ after the mass hack that stole the personal data of up to 11 million of its customers
‘This is a public relations fiasco.
‘I have seen some reports that it could be up to 11.2 million people, so we are talking about 30 to 40 per cent of Australia’s population.
According to Australia’s Information Commissioner, otherwise known as the privacy commissioner, a data breach is defined as something ‘likely to cause you serious harm’.
About 11 million Optus customers had personal details stolen in the massive data breach
Ms Evans said there was no question that ‘Optus have a notifiable data breach’.
‘The information that has been exposed is a combination of your name, date of birth, email, phone number or address associated with your account.
‘There’s no doubt in my mind that this constitutes the kind of information that could result in identity theft, financial loss through fraud, serious psychological harm.’
The maximum penalty that can be levelled against a company in Australia for a privacy breach is $2 million, which Ms Evans called ‘pocket change’.
Ms Evans said a hacker who had someone’s date of birth could wait years before using it maliciously (pictured, a stock photo)
However, Optus could face much harsher potential penalties coming out of Europe.
‘I am told there are [millions] of people in Australia who have dual EU citizenship, which means the EU’s General Data Protection Regulation (GDPR) comes into effect,’ Ms Evans said.
‘Optus is liable under EU law for all EU citizens impacted by the breach.’
The maximum fine under the GDPR is €20 million ($29 million) or 4 per cent of a firm’s global revenue for the preceding year, whichever is higher.
Ms Evans expressed her disbelief at how the telco had left so many of its customers in the dark.
‘I think the burning question is: why were people not pro-actively notified?’ she said.
‘This should have been told to everybody involved as soon as they realised “Oh my God, this involves birthdates, driver’s licences – all kinds of other information”.’
Optus could face fines in Australia, and also much bigger sums under EU law, for the data breach
Ms Evans believed Optus may well have been in breach of the law, which is enforced by the privacy commissioner and the federal attorney-general.
‘It is the law to notify impacted people straight away,’ Ms Evans said of the breach.
‘There’s different categories of information but without a doubt birth date falls into what is classified as sensitive information.
‘It appears that everybody who has been breached had their date of birth compromised.’
The commissioner’s website says a firm has 30 days to assess whether a data breach is likely to ‘cause serious harm’.
Ms Evans is in no doubt the Optus breach falls into this category.
‘If birth dates and driver’s licences are released you don’t need 30 days to assess if there is potential serious harm,’ she said.
‘You know that right away.’
‘They have an obligation to push the information, not just through a press release. They’ve got your phone number!’
Ms Evans said the hack and especially the slow response of Optus was a ‘public relations’ disaster
Ms Evans was scathing about what she saw as the lack of urgency and transparency.
‘On the Optus portal and on the app from day one there was zero notification about a potential breach,’ she said.
‘I just do not believe Optus has acted in good faith towards its customers in terms of disclosure by not notifying people when it is dead obvious what this data could be used for.’
Potentially the most sensitive piece of information the hacker appears to have harvested, possibly from every stolen account, is birth dates.
‘If your date of birth is compromised you are subject to identity theft – full stop,’ Ms Evans said.
‘Once your birth date is gone the only thing you can do to repair it is die.’
Ms Evans outlined the approach she thought Optus should have taken.
Ms Evans slammed the offer by Optus to provide free credit monitoring to only a ‘subset’ of people affected
‘There should have been banners on their app, on their portal, on their website, pro-active text messages to everybody saying “we really regret having to send this message to you but this is what’s happened, log in to your secure portal – note a new URL – and you will find more information there”.
‘“And we continue to update you about your situation as we investigate further”.’
Ms Evans said the company’s offer of free credit monitoring to prevent identity theft was nowhere near enough.
On Monday Optus said it was ‘offering the most affected current and former customers whose information was compromised because of a cyberattack, the option to take up a 12-month subscription to Equifax Protect at no cost’.
Ms Evans said this needed to be offered to everybody who had details stolen, especially as the company has not been forthcoming on what was taken.
‘How do you define the most affected?’ she asked.
‘They appear to only be offering it to a subset.
‘Everybody who has been impacted by this breach should get lifetime data protection. In their news reports nothing is said about the duration.
In a bizarre post ‘optusdata’ claimed there were ‘too many eyes’ on them and claimed they would not sell or leak the hacked data of over 10 million Australians
‘Once your data is compromised it often takes years before someone does something to you, so you need to be vigilant for the rest of your life.’
A hacker in possession of a birth date and other personal information could at any time open up credit in the name of their victim.
‘I would never know about it,’ Ms Evans said.
‘Which is why it is absolutely essential Optus puts in place forever protection notification so that you have an organisation that sees forever if people are trying to open accounts in your name.’
Ms Evans pointed out that Equifax offered three types of product but two offered only partial protection.
‘It needs to be the top end ID theft and credit reports,’ she said.
‘It can’t be one or the other.’
In a bizarre twist the mysterious hacker claiming to be responsible for the Optus data breach suddenly apologised for the cyber-attack and backed off the demand that the company pay him a $US1 million ($1.5 million) ransom on Tuesday morning.
Optus customers have received threatening text messages warning their data will be leaked unless they pay $2,000 to a CBA account (pictured, the text message)
However, customers said they were still receiving threatening text messages demanding they pay $2,000 to have their details erased.
In a bizarre post on Tuesday morning, ‘optusdata’ claimed there were ‘too many eyes’ on them and said they would not sell or leak the hacked data of up to 10 million Australians.
In broken English, optusdata said: ‘Deepest apology to Optus for this. Hope all goes well from this’.
However, Australians are now receiving threatening texts demanding they pay $2,000 to have their ‘confidential information erased off the system’.
The text warns Optus customers that if they do not comply, their information will be ‘sold for fraudulent activity’ in two days’ time.
The message asks the $2,000 be transferred to a Commonwealth Bank account under the name ‘Optusdata’ and that customers send a copy of their receipt.
‘Optus has left security measures allowing us to access the personal information of their customers including name, email, phone number, date of birth, address and licence number,’ the text reads.
‘Optus has not responded to our demand of paying the 1M$USD ransom as such as your information will be sold and used for fraudulent activity within 2 days or until a payment of $2000AUD is made then the confidential information will be erased off our systems.’
What Optus has said about the breach:
How did this happen?
Optus was the victim of a cyberattack. We immediately took action to block the attack which only targeted Optus customer data. Optus’ systems and services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.
Has the attack been stopped?
Yes. Upon discovering this, Optus immediately shut down the attack.
We are now working with the Australian Cyber Security Centre to mitigate any risks to customers. We have also notified the Australian Federal Police, the Office of the Australian Information Commissioner, and key regulators.
Why did we go to the media first instead of our customers?
The security of our customers and their data is paramount to us. We did this as it was the quickest and most effective way to alert as many current and former customers as possible, so they could be vigilant and monitor for any suspicious activity. We are now in the process of contacting customers who have been impacted directly.
What information of mine may have been exposed?
The information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers. Customers affected will be notified directly of the specific information compromised.
Optus services, including mobile and home internet, are not affected. Messages, voice calls, billing and payments details, and account passwords have not been compromised.
What should I do to protect myself if I suspect I am a victim of fraudulent activity?
We are not currently aware of any customers having suffered harm, but we encourage you to have heightened awareness across your accounts, including:
Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
How do I contact Optus if I believe my account has been compromised?
If you believe your account has been compromised, you can contact us via My Optus App – which remains the safest way to contact Optus – or call us on 133 937 for consumer customers. Due to the impact of the cyberattack, wait times may be longer than usual.
If you are a business customer, contact us on 133 343 or your account manager.
How do I know if I have been impacted?
We are in the process of contacting customers who have been directly impacted.