Dated and fractured: Optus and data protections

October 4, 2022
Optus claims that the data breach arose from a "sophisticated cyber attack", but others say that was not the case.

Things are not getting better for Optus, a subsidiary of the Singapore-owned Singtel and Australia's second largest telecommunications company.

Responsible for one of the country鈥檚 largest data breaches, the beleaguered company is facing accusations and questions on various fronts. It is proving to be rather less than forthcoming about details as to what has been compromised in the leak.

Optus announced on September 22 that details of up to 9.8 million customers had been stolen from its database. Dating back to 2017, these include names, birthdates, phone numbers and email addresses and, in a number of cases, residential addresses, passport numbers or driver's licence numbers.

Fittingly, and perversely, a survey from the Australian Institute of Criminology that same year found that one in four respondents had been victims of identity crime or a general misuse of personal information.

The authors remarked that such rates were "comparable with the 27 percent reported by respondents to the identity fraud survey conducted in 2012 for the United Kingdom's National Fraud Authority".

Optus claims that the breach arose from a "sophisticated cyber attack". The view from the outside is different.

The attack appears to have happened through an application programming interface (API) connected to an Optus customer database and left easily accessible. In basic terms, an API is the interface through which one piece of software requests data from another. Exposed without proper access controls, it lets outsiders query systems they would otherwise never be able to reach, and if customer records sit behind predictable identifiers, they can be pulled out one after another.

Optus CEO Kelly Bayer Rosmarin claimed the company is "not the villain" and suggested that the API was not freely exposed.

However, she is defending a crumbling front, made stark by her light burden of responsibilities, among which was the appointment of recently retired tennis star Ash Barty as the company's "Chief Inspiration Officer" and of Australian Formula One racer Daniel Ricciardo as Optus "Chief Optimism Officer".

Less laughable is the spectrum of Australian companies which do not like regulatory oversight of their data security.

As one commentator wrote in the Australian Financial Review: "Intense lobbying from financial, payment, telco, media and marketing interests" retarded reforms towards "a trusted, secure, reliable and efficient regulatory regime to manage the burgeoning digital economy and the data that fuels it".

Exemplifying this reluctance are Australia's banks which, when asked to confirm that the name on an account matches the account details before a payment is made, muttered and grumbled.

Those whose identities have been breached have little recourse.

There is no right to sue for the civil wrong of a breach in privacy in Australia. Common law remains perversely stubborn in articulating a clear tort on the subject and legislators have not brought in any laws on the matter.

The federal Privacy Act 1988, given its numerous exemptions for small businesses, employee records, media bodies and political parties, is but a poor, shabby cover. It certainly falls far short of its European cousin many times removed, the General Data Protection Regulation (GDPR).

David Lacey and Roger Wilkins, a former secretary of the Attorney-General's Department, in a 2019 report released by the Department of Home Affairs under Freedom of Information, found that "overall, the response system [to data breaches] is either non-existent or performing poorly from a citizen's perspective".

The authors "observed significant deficiencies in response standards, formal reporting channels of Government, and meaningful protection for consumers".

The condition was made worse by the data retention regime, which mandates that telcos keep customer data for up to two years while imposing no strict requirement to delete it once that period has passed.

The Department of Home Affairs maintains that such a policy ensures "Australia's law enforcement and security agencies are lawfully able to access data, subject to strict controls".

A separate instrument, overseen by the Australian Communications and Media Authority, also permits telcos to hold personal data for billing purposes "up to six years prior to the date the information is requested".

This does not, however, necessitate the retention of passport details, drivers鈥 licenses and Medicare numbers.

The implication of such provisions is unmistakable. They have encouraged companies to engage in conduct that has made security feeble and breaches likely.

They have become the shoddy handmaidens of government paranoia.

Entities such as Optus cannot be seen to be reliable in responding to such crises. The sombre assessment from digital rights advocate Lizzie O'Shea is dire. "My third law of IT is that every time there is a data breach, one of the first lines out of the spokesperson's mouth is that they take security seriously, even if they have demonstrably proven they are not."

While accepting that Optus is not directly responsible for the conduct, she suggested that "you can't complain that something's been stolen when you haven't locked the front door".

The policy implications are vast. Should telcos be required to hold data under the kind of data retention law that has been assailed in the EU? (In September, Germany's general data retention law was found by the European Court of Justice to violate EU law.)

Making such organisations the holders of such information renders them rich targets.

Penalties have been proposed. In the context of the European Union and California, stiff monetary sanctions apply, a point Home Affairs Minister Clare O鈥橬eil has noted.

Current fines in the order of $2.2 million for companies and $440,000 for individuals are risible. There are promises from Optus to pay for the replacement of compromised documents.

But in terms of legislative protections, Australian policy makers continue to look at data protection through a lens that is both fractured and dated.

[Binoy Kampmark lectures at RMIT University.]
