Lessons from Optus cyber attack for energy and infrastructure companies

Optus, Australia’s second largest telecommunications provider, announced on 22 September that it was investigating “the possible unauthorised access of current and former customers’ information”. It has subsequently confirmed that 9.8 million customer records were exposed, and it has contacted customers whose personal data was released on the dark web. Optus has appointed Deloitte to conduct a forensic review of the cyber attack and formed a joint working group with the Australian government to inform a coordinated response to the incident.

The Optus data breach is the latest in a long line of data security incidents involving major corporations. As the infrastructure and energy sectors evolve to adopt new technologies and digitalisation becomes a norm on-site, they are generating increasing volumes of data of growing value. In this context, it has never been more important for those businesses to take action to improve their cyber resilience and safeguard data.

Technology, in particular cloud-based systems and the internet of things, has become the norm in large-scale infrastructure and energy projects. These innovations have allowed efficiency and cost savings, but they also introduce new risks and obligations to protect the data generated and stored through these technologies.

A significant amount of highly sensitive and personal data is created and obtained throughout the lifecycle of a project. Examples include information associated with tenders, building information modelling (BIM) systems, legal contracts such as supplier agreements, and IT systems and equipment. It also includes project correspondence and other files, regulatory documents, performance reporting and work scheduling data and systems, building management systems, and project reports, including calculations, site surveys and test results.

Employee details such as tax file numbers, drivers’ licences, trade-specific licences and, in some instances, health information, where employees are required to undergo medical assessments, are also sensitive and potentially highly prized by hackers. So too are financial metrics for the project, contractors, subcontractors and other parties.
