Following a data breach, Australians are typically told to change passwords and watch for unusual bank transactions — and after the Optus “cyber-attack” was announced on Thursday, the advice was no different.
- Optus calls for “heightened vigilance” after a cyber attack that could affect customers as far back as 2017
- The company went public with the breach on Thursday
- There are now calls for a cultural shift in the way companies in Australia manage data
For some, this emphasis on individual responsibility instead of better consumer protections is wearing thin.
During a media call on Friday morning, Optus chief executive Kelly Bayer Rosmarin apologised to customers and acknowledged it was difficult to provide immediate advice following the incident.
“There isn’t a simple message like update your passwords or talk to your financial institution,” she said.
“On the one hand that’s good news, but on the other, it’s a more complicated message.”
Instead, she advised “heightened vigilance” across government, companies and customers while Optus determines how many customers have been caught up in the incident.
The company said it would individually contact each affected subscriber about what data had been exposed.
Katharine Kemp, an expert in consumer data privacy at UNSW law school, said Australia’s approach to regulating data breaches focuses on notifying those affected, but doesn’t go much further.
Under the Notifiable Data Breaches scheme administered by the privacy regulator, companies must let customers and the privacy regulator know when a data breach is likely to result in serious harm.
“It does mean that we push responsibility down the line to the individual to deal with the fallout,” Dr Kemp said.
“Most of us don’t have a clue how we would do that when you’re dealing with sophisticated actors.”
More help for customers after data breaches
Optus said it became aware of the intrusion into its network on Wednesday and went public a day later.
But for Optus customers, the type of personal information potentially exposed in the incident means there are few steps they can take beyond watching for scams and misuse of their details.
According to Optus, the actor was potentially able to access personal identifying information such as names and birthdays, rather than passwords or credit card numbers, which are far easier to change.
“It’s not easy to change your date of birth or your name,” said Kate Bower, consumer data advocate at Choice.
“Telcos are an essential service. People have no choice but to share this information with these businesses.”
Companies should bear some responsibility for the administrative burden customers face following a breach, according to Kathryn Gledhill-Tucker, board member of Electronic Frontiers Australia (EFA).
“Contacting banks, monitoring your credit score, updating your fingerprints, these all take time and effort,” they said in a statement.
“Why should we have to spend what little spare time we have cleaning up messes caused by other people?”
In Optus’s media call on Friday, the chief executive said the company was talking to different providers to supply additional support and monitoring, especially to customers who had identification numbers exposed.
Optus has not announced when and how this will be made available.
A ‘cultural shift’ needed
While Optus is still investigating the incident and has not yet detailed how the actor was able to access so much customer information, Kate Bower said she would like to see a “cultural shift” among Australian companies more broadly.
In past decades, there’s been what Ms Bower dubbed a “data grab culture”. In particular, there hasn’t been a strong incentive to minimise the collection of customer data and to delete it when no longer needed.
This is of particular concern following the Optus incident, as information about past customers as far back as 2017 may have been exposed.
“It’s always going to be balanced.
“Obviously, they can’t always delete everything, but it should be a case of deleting everything that they can,” Ms Bower said.
“Those are questions Optus customers will reasonably have in the coming days and weeks.”
Questioned on Friday about the loss of passport and driver's licence numbers, the Optus boss said the company is required by law to hold onto identification information for six years.
Optus did not respond by deadline to questions about which law Kelly Bayer Rosmarin was referring to.
More powers for customers and the privacy regulator
While the full details of the data breach are yet to be known, the incident has also renewed calls for individuals to be given more power to take action following the loss or abuse of their personal data.
The EFA advocates for a private right of action, Kathryn Gledhill-Tucker said.
Currently, Australians aren’t able to sue for serious invasions of privacy.
“When companies fail to protect users and their personal information, there should be consequences that encourage better data handling practices for all companies,” they said.
Ms Bower said the Office of the Australian Information Commissioner needed to be better resourced and given more powers to protect consumers.
“At the moment, the onus is much too much on individuals, who can’t do much but watch and wait,” she said.