Opinion

Jennifer Hewett

Optus attack a wake-up call for boards

This is clearly one of the great corporate debacles in terms of brand damage. Perhaps the CEO should ask her new hire, former NSW Premier Gladys Berejiklian, for advice.

No chief executive would ever want to be in Kelly Bayer Rosmarin’s position. But by now they should recognise how vulnerable they all are to a similar cyberattack.

Deputy Prime Minister Richard Marles calls it a “wake-up call for corporate Australia”. It’s also a wake-up call for the community as well as governments. Australia is not well enough prepared to withstand a new form of warfare that is intensifying by the day.

Certainly, potential security breaches for a major telco seem particularly extreme given the amount of sensitive customer information held.

Optus CEO Kelly Bayer Rosmarin. Illustration: David Rowe

But that just raises more questions. Why was it necessary for Optus to keep so much of this detail? Is it impossible to keep such significant data protected? What can or should be done differently?

Optus will get only limited relief from the hackers’ sudden promise to delete the stolen database of up to 9.8 million Optus customers’ details and withdraw the extortion threat against the company.


None of it can stop ferocious attacks on the telco ranging from customers to the federal government to regulators to class action lawyers.

The abrupt retreat, the relatively modest ransom demand and the rudimentary tone and misspelling of the hackers’ message all back up Cyber Security Minister Clare O’Neil’s savage criticism of Optus’ inadequate defences against “quite a basic hack”.

O’Neil remains unimpressed by Bayer Rosmarin’s subsequent suggestion that her strong censure was because she had not been briefed on the telco’s use of encrypted data and multiple complex layers to repel cyberattacks before making her remarks.

But while the hackers’ clumsy and belated “sorry” to Optus and its customers sounds bizarre, their rationale for withdrawing is less so – especially if their assault is indeed pretty basic. Their online message complains of “too many eyes” to be able to sell or release more information as a way of pressuring the company to pay the ransom.

The alleged hacker’s message on Tuesday.

The combined force of groups like the Australian Federal Police, the Australian Cyber Security Centre, the Australian Signals Directorate and even the FBI was backed by public and political outrage.


Unlike many other corporate cyber ransom attempts, the Optus breach attracted massive, national attention as soon as it became known.

But O’Neil’s declaration that the breach was of a nature not expected to be seen in a large telecommunications provider in Australia was especially damning for Optus.

Telstra, TPG the winners

It effectively rejects the company’s claim to be a reliable company dealing responsibly with a growing threat. Optus customers will be even more unnerved despite Bayer Rosmarin’s argument that people understand Optus is not the villain. Telstra and TPG will be immediate beneficiaries.

But the Optus scare will also translate into greater community caution and demands for proof that telcos and all other businesses are more vigilant against the risk. Guarantees may not be possible given the scale of the cyber weaponry being developed by ever more sophisticated players.

Greater co-operation with government experts is just the start. Unfortunately for Optus, this particular attack sounds more like an accident waiting to happen.


Amidst apologies, Bayer Rosmarin still insists the attack was instead “sophisticated” but can’t go into details given ongoing investigations.

That won’t offer Optus management much protection – including from the Singaporean owner, Singtel, whose board is here this week.

This is clearly one of the great corporate debacles in terms of brand damage. Perhaps the CEO should ask her new hire, former NSW premier Gladys Berejiklian, for advice.

The government’s intention to upgrade financial penalties for failing to protect customer data – currently a ludicrous $2.2 million maximum – will be popular.

By contrast, Bayer Rosmarin will be even more unpopular for saying she doesn’t think increased penalties “would benefit anybody”.

But she’s right in one sense. The devastating impact on Optus’ reputation, which will only increase, puts higher government penalties of multiple tens of millions of dollars into perspective. And that’s before the inevitable class actions and other legal challenges start to add up.


Quickly becoming former customers

The only solace is that Optus’ failure to protect individuals probably won’t be quite as extensive as it might have been.

Before reversing course on Tuesday, the hackers had released personal details of 10,200 Optus customers – including drivers’ licences as well as passport and Medicare numbers in a minority of cases.

The data appeared genuine, and the release of similar batches of customer information was supposed to continue in coming days.

The details only accelerated O’Neil’s obvious anger with Optus. There had been no advice, she said in a statement, that Medicare numbers formed part of the compromised information.

“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them,” she said. “Reports today make this a priority.”


Optus’ priority is desperately working with authorities to fix the problem, including putting customers on high alert about possible scams. It will provide free credit monitoring services to affected customers for a year. That will be the least of it.

Optus can only hope the hackers will not, in fact, release information on millions more of its customers – many of whom are quickly becoming former customers.

“It is a data breach that should never have happened,” Attorney-General Mark Dreyfus said. “What’s really important for these customers now is the steps they take in terms of their own security.

“It is really important that people do not click on links. It is really important that people check the sources of websites. And it’s really important that, in having phone conversations, people should not divulge their personal information unless they are 100 per cent confident about the circumstances in which that conversation is happening.”

That sounds more like common sense – for everyone.

Jennifer Hewett is the National Affairs columnist. She writes a daily column on politics, business and the economy. Connect with Jennifer on Twitter. Email Jennifer at jennifer.hewett@afr.com
