More and more information is becoming available about the breach of the Optus systems. It looks like the hacker is more of an amateur than a professional criminal or a “state actor”. This makes the hack even more worrisome.
It looks as though Optus didn’t have its security house in order. This makes the issue all the more painful for the company. It will dent its reputation and customers could become rather wary about dealing with the company. Having said that, the reality is that this is not the first breach and will most certainly not be the last one.
Nevertheless, the company will have to come up with some serious customer service campaigns to show that it still earns the trust of the market. A few free months or something similar might soften the pain for the affected customers.
Over the last week, the company’s main activity has been to secure as much as possible of the lost data (from passports, drivers’ licences and Medicare cards). It is obvious – with a very unhappy government – that they will have to pay for reissuing new documents for those people who have been compromised. This is where the first big costs will occur. On top of that, there is the class action and who knows what that will amount to?
This is an absolute nightmare for the company and a lesson for all large organisations that maintain private data from their customers. As mentioned, this will not be the last hack. I am sure there will be serious questioning happening in many boardrooms around the country and indeed around the world.
The Optus hack is bringing the issue very close to home. It doesn’t really matter that the hacker has indicated that he will not release more data, the reality is that this hack makes it clear what can happen and what an impact this has or can have.
This occurs at a time when the cyber threat has never been as serious as the present. The deteriorating geopolitical situation as well as the big shift in the way that criminals operate in the cyber domain are creating the sort of disasters, we are seeing with the Optus breach.
One thing for sure is that in order to enjoy all the positives resulting from the digital economy, we need to be far more vigilant about the security of our personal information that we are often freely giving away to third parties.
In most cases, a hack is a result of a lack of security either on the side of organisations that host personal data or a lack of security on the user side. Obviously, criminals interested in these crimes prefer to go for the organisations as they are able to score large amounts of data from a single attack.
The Optus hack shows the enormous “reward” for the criminals involved. There are also very clear questions about Optus’ security regarding the personal data of its customers — did they really need to have all of that private data stored and if that is the case, all in one place? A big question mark about that.
So, it is paramount that Optus – and of course all organisations, especially those with sensitive personal data – will have to maximise their efforts to increase their security. Often the criminals are looking for weaknesses in a system that they can exploit to get access to the data that is stored here.
Typical situations that are exploited by these people are when maintenance, tests and new installations occur. Data systems are extremely complex and if something unusual happens such as testing, for example, it could well be that somewhere else in the system an opening appears that hackers can exploit.
Therefore, it is critical that organisations upgrade their security so that before tests or other events are happening, a full security check is conducted to ensure the work involved doesn’t create an opportunity for hackers.
On the user side, we have to be more and more prepared that data stored with the many organisations we deal with will get hacked. So be prepared for the worse. Users will therefore also have to maximise their efforts to protect their data from being misused. You need to protect yourself from criminals who do get access to your personal data. In order to make it more difficult for them to get access to your bank or phone account, there are steps that you can take.
A two-step protection system is a good start. Apart from your password, this requires you to enter a unique code that you receive from companies such as your bank or phone company by SMS or email before you can go into your account. This offers you a significantly higher level of protection.
Most of these systems also allow you, as an alternative, to use your fingerprint to get into your personal details. These codes and fingerprint protections are making it far more difficult for hackers to get access to your accounts.
None of the security systems is bulletproof but, on both sides (organisations and users), more can be done to better protect personal data.
The Government is also not off the hook. As with so many policies, there has been a serious lack of vision from the Government and therefore also no clear strategy attached to it. There is a dozen or so initiatives that are not aligned and sometimes conflict with each other.
As we are saying with the Optus hack as well, decisions are made on the fly without proper process. So much of what passes for government cyber-security initiatives have been knee-jerk reactions to external events, rushed through with no time for thoughtful inputs from experts in the field. Input from experts should be asked before policies are developed, not afterwards.
There has not been any due process in the formulation of the policies. This is a serious undermining of trust in the Government being able and interested to work with the experts, industry and the community to put a solid policy in place.
I am just back from Europe and you cannot communicate – in relation to your personal services – with any bank, telecom services or any other serious brand without double or even triple authentication procedures, the latter also uses QR coding.
Rather than coming out with regulations on top of regulations, Australia could consider using the EU privacy law and human rights law, known as the General Data Protection Regulation.
Authentication procedures are not an option — it is the law. Australian companies offering such personal services in Europe have these regulations already in place as it is compulsory, but also our domestic operators should consider using GDPR.
Hopefully, the Optus hack is another wake-up call that we all need to take cyber security far more seriously.
Paul Budde