Flat-footed response aggravates anxiety of Optus attack

When Optus announced at a media conference a week ago that a hacker had accessed the private information of up to 9.8 million of its customers, many – including The Age – praised it for its transparency.

Yet as more details have emerged about the hack and the damage it has caused, the company is now facing difficult questions about its actions and safeguards and the case is building for legislative reform to protect Australians’ privacy.

While Optus initially said it had been the victim of a “sophisticated” operation by organised crime, Home Affairs Minister Clare O’Neil on Monday said it was a “basic hack” and blamed Optus for lax security systems which “left the window open” for hackers.

Optus has disputed this description, but it has agreed with experts who have expressed concerns about the risk to privacy when firms keep unnecessary personal data for too long on their servers.

It now seems that as many as 2 million customers had their highly personal data such as driver’s licences, Medicare numbers and passport details stolen.

While collecting this information might have been initially necessary to confirm an individual’s identity, the longer it remains on a server the greater the risk it will be stolen.

Telecommunication firms are required by law to retain data for at least two years in case it is needed by counterterrorism and serious crime investigators to match people to specific communications.

The unanswered questions arising from this hack go beyond preventing future cyberattacks to managing the consequences when privacy breaches occur.

Optus, state and federal governments and a host of other related parties have taken too long to take basic steps to protect customers whose data has been stolen.

Optus did the right thing by quickly announcing the hack and it has also offered affected customers a 12-month free subscription to a credit monitoring and identity protection service. This is welcome but insufficient.

Many readers have told us they cannot get through to Optus to simply find out what information has been stolen.

State and federal governments also have questions to answer over the glitches in their response to the highly predictable demand for new driver’s licences and Medicare cards to replace those that have been compromised.

The Victorian government has asked Optus to pay for replacement driver’s licences and has allowed drivers to apply for a replacement online. But members of the public still report getting the runaround.

This all only heightens anxiety at a time when people know they are vulnerable. This week, someone posted on a website the details of 10,000 accounts which they said were a sample of the data stolen from Optus.

The self-styled hacker demanded a $1 million ransom in cryptocurrency, saying that otherwise they would sell the data. It is not clear whether the threat was real, but it set nerves jangling.

The federal government is now promising a major policy response to the hacking, which will likely increase fines for companies found to have been negligent in data storage. It should also look at the data retention rules and give consumers more rights to act against firms that fail to protect data.

In a fluid digital world, governments and firms cannot prevent data theft completely. But they should be doing much more to stop cyberattacks in the first place and smooth the process when people have their information stolen.
