Optus hack renews calls for better protection of customers and their personal data

Following a data breach, Australians are typically told to change passwords and watch for unusual bank transactions — and after the Optus “cyber-attack” was announced on Thursday, the advice was no different.

For some, this emphasis on individual responsibility instead of better consumer protections is wearing thin.

During a media call on Friday morning, Optus chief executive Kelly Bayer Rosmarin apologised to customers and acknowledged it was difficult to provide immediate advice following the incident.

‘Complicated message’

“There isn’t a simple message like update your passwords or talk to your financial institution,” she said.

“On the one hand that’s good news, but on the other, it’s a more complicated message.”

Instead, she advised “heightened vigilance” across government, companies and customers while Optus determines how many customers have been caught up in the incident.

The company said it would individually contact each affected subscriber about what data had been exposed.

Katharine Kemp, an expert in consumer data privacy at UNSW law school, said Australia’s approach to regulating data breaches focuses on notifying those affected, but doesn’t go much further.

Under the Notifiable Data Breaches scheme administered by the privacy regulator, companies must let customers and the privacy regulator know when a data breach is likely to result in serious harm.

“It does mean that we push responsibility down the line to the individual to deal with the fallout,” Dr Kemp said.

“Most of us don’t have a clue how we would do that when you’re dealing with sophisticated actors.”

More help for customers after data breaches

Optus said it became aware of the intrusion into its network on Wednesday and went public a day later.

But for Optus customers, the type of personal information potentially exposed in the incident means there are not many steps that can be taken beyond being on the lookout for scams and abuse of their details.

According to Optus, the actor was potentially able to access personal identifying information such as names and birthdays, rather than passwords or credit card numbers, which are easier to change.

“It’s not easy to change your date of birth or your name,” said Kate Bower, consumer data advocate at Choice.
