Optus chief executive Kelly Bayer Rosmarin announced on September 22 that users of the company’s services dating back to 2017 should exercise “heightened vigilance” to protect their identities, after “sophisticated criminals”, whose motives are unknown, breached the company’s security systems to access the personal data of millions of Australians.
The breach is now being investigated by the Australian Federal Police. Around 10 million affected users anxiously await further advice on the extent of the breach, what the company is doing to help those affected and what they should be doing to ensure they do not .
According to Optus, the data breach includes personal information including emails, dates of birth, full names, mobile numbers and drivers’ licence numbers.
The company said “no passwords or financial details have been compromised” and that customers who are the most seriously affected are being contacted by telephone to assist in ensuring they do not have their identities stolen and used for nefarious purposes.
Optus says it will not be sending emails or SMS messages, so customers should not click on links purporting to originate from it.
In the meantime, customers have been strongly advised to change their passwords and watch their bank accounts for any anomalous transactions. However, there are rumours circulating that the information is already being sold on the dark web.
Many believe Optus’ response is too little, too late and the company should be made, at least partially, accountable for the inevitable stress, anxiety and partial loss caused by systems which have proven to be inadequate in protecting personal information.
How serious is the breach?
The AFP said it is difficult to know whether the claims of data being sold are real or bogus because there has already reportedly been one attempt at extortion: an anonymous account claims to have the data which would be returned if $1 million in cryptocurrency was paid by Optus within a week.
“It is an offence to buy stolen credentials. Those who do face a penalty of up to 10 years’ imprisonment,” the AFP said.
But this is cold comfort for Optus customers who are facing the real threat of identity theft.
At this stage there are still more questions than answers.
Large corporations, such as Optus, require a range of personal information when setting up a telecommunications account: customers have no choice but to hand this information over.
They trust that this data will be kept secure and confidential, and have little recourse when hackers launch a successful cyber attack and their data is compromised.
It’s difficult to know why hackers do what they do. There are financial gains to be made from selling personal data, but there are other reasons too: some do it for the thrill, others because they’re disgruntled.
Identity theft
Irrespective, it is stressful for those affected. The digital world is vast and it is impossible to know if one can fully protect themselves from a data breach or completely retrieve information once it has been leaked. This leaves victims feeling vulnerable forever more.
and can take years to recover from.
Laws regulating how data is managed by corporations and government organisations fail to fully protect consumers.
, which came into force in 2018, ensures that eligible businesses must notify the government via the Office of the Australian Information Commissioner (OAIC) if a serious data breach has happened.
The laws apply to all businesses, government agencies and non-profit organisations with an annual turnover of more than $3 million, as well as health service providers, credit reporting bodies and any entity which receives and handles tax file numbers.
Failure to comply can result in fines of up to $1.7 million for companies. Many might argue that this is a “slap on the wrist” for large corporations, such as Optus.
Draft federal legislation being considered proposes higher penalties for organisations, among other tweaks to the law.
But the problem remains the same: beyond reporting, a company’s obligations to customers do not extend much further when a data breach has occurred: the onus remains on individuals to keep themselves protected.
What about the Privacy Act?
Under the federal Privacy Act 1988, individuals do have the right to make complaints to the Privacy Commissioner if they believe their privacy has been breached by an organisation.
The commissioner will then investigate the matter and, if they conclude there has been a privacy breach, they have the power to determine certain remedies including requiring the organisation to pay compensation to the individual whose privacy has been breached. Typically, however, these payments are relatively small.
The Privacy Commissioner can also apply to the Federal Court or Federal Circuit Court for an order requiring an entity to pay a fine for certain privacy breaches or breaches of the credit reporting provisions under the law.
While this process has been described as “cumbersome”, “frustrating” and “time consuming”, individuals can also take action through a private civil suit, although this can be expensive.
A class action was undertaken in 2020 against NSW Health Administration Corporation by employees who suffered a data breach when their work compensation records were harvested by a contractor and sold to a third party.
Class action suits may well become more common in future as cyber-crimes continue to rise.
[Sonia Hickey writes for , where this article was first published.]