The Optus cyber security wake-up call | Dentons
[co-author: Luna Arango]*
This year’s Cyber Smart Week 2022, CERT NZ’s annual cybersecurity awareness week, shined a light on the importance of cybersecurity to individuals and businesses. It was particularly important this year following the monumental cybersecurity incident that happened across the ditch at the end of September.
On the 22nd of September 2022, Singtel Optus Pty Limited (‘Optus’), the second largest telecommunication company in Australia, was the subject of a cyber-attack that exposed customers’ information. Optus informed the public in a press release that their information was compromised in a cyber-attack. Optus also notified key financial institutions about the breach after becoming aware of the cyber-attack.
The Optus data breach is now considered one of the (if not ‘the’) most significant data breaches in Australian history – and it sends warning signals to organisations in and out of Australia that deal with personal information. The breach has brought global media attention and prompted a collaboration between multiple governments and law enforcement agencies from various jurisdictions.
The breach is relevant to New Zealand because it happened so close and because the customer records leaked by the attackers included the word “ZEALAND” 10 times, relating to New Zealand passports likely used to create Optus accounts.
In light of the Optus data breach and the constant wave of cyber-attacks both Globally, including in New Zealand, organisations in or out of Australia must be prepared for and have appropriate plans to respond to data breaches.
This article reminds you of the best practices to follow regarding cyber security. We begin by providing an overview of what transpired in the Optus data breach and proceed to outline ways in which you can prepare and respond to cyber risks.
Optus was the target of a cyber-attack which resulted in unauthorised access to Optus’ current and former customers’ data. Optus publicly announced the data breach 24 hours after noticing suspicious activity on its network.
Optus confirmed that the information obtained by the cyber-attack included Optus customers’ names, dates of birth, phone numbers, email addresses, physical addresses, and more identification document numbers such as driving licences or passport numbers. Around 10 million customer account records were compromised, with the exact number still unconfirmed.
The alleged hackers have initially leaked 10,000 records and threatened Optus that they would release 10,000 records each day unless a ransom of US$1 million was paid in cryptocurrency. Ironically, the hackers apologised the next day to the individuals whose data they leaked, retracted all their demands, and claimed that they had deleted the only copy of these records. Neither the identity of the hacker nor what happened to the data is clear, despite the alleged hackers’ claims.
The Australian Government has released guidance for customers whose data has been compromised in the Optus data breach – more information can be found here. The Government has nominated ACC’s Scamwatch as the first point of contact for information about what affected customers can do to protect their data. Affected individuals can also apply for new identification documents.
The breach has received significant media attention, including allegations by members of the Australian Parliament that Optus was partly responsible for the vulnerability that exposed it to the breach, even though Optus has emphasised that the leak was due to a sophisticated cyber-attack. The broad media coverage (generally negative) has created obvious legal and reputational issues for Optus. It must handle the fallout from the cyber-attack, including responding to allegations, containing and remedying the reputational damage, and potentially dealing with class action suits.
The Optus wake-up call and Cyber Smart Week 2022 are great reminders for individuals and organisations to remember the critical importance of cybersecurity.
What should organisations be doing to prepare for and respond to data breaches?
Embed cybersecurity in your organisation’s identity
You will be best placed by investing in cybersecurity, which, despite the name, requires a holistic look at your organisation. A robust cybersecurity environment will require an organisational cybersecurity culture, awareness and literacy, policies and processes, regular training, and physical security measures.
Security measures and systems compliant with international cybersecurity standards, such as ISO 27001, coupled with self or independent auditing, cyber security testing and white-hat hacking are helpful to ensure adequate measures.
Most data breaches within organisations result from human acts or omissions, and while cybersecurity policies are commonplace among organisations, people may view them as guidelines rather than rules. Humans remain the weakest link in the security chain. Investing in, and developing, a cybersecurity aware culture within your organisation can decrease the risk of the human factor, positively impacting efficiencies and security while mitigating financial risks. Similarly, technologies cannot protect organisations if incorrectly integrated and utilised. Developing a cybersecurity culture within your organisation will help change people’s mindset and foster security awareness and risk perception, leading to a proactive organisation against cyber threats rather than a reactive one.
It would help if you also considered whether your contracts with third parties and service providers have adequate processes, mechanisms and measures to manage risks, allocate liability and include sufficient remedies to cover your actual and potential damages in the event of a breach. The due diligence on such third parties in terms of their cybersecurity compliance and culture will also be important.
Minimise and compartmentalise
Adherence to the ‘data minimisation principle’ is key to ensuring privacy compliance and reducing cyber-security risks. The data minimisation principle is simple – if you have to collect personal information, you should limit that collection to only what is relevant and necessary to fulfil your specific purpose of collection. The principle includes not collecting personal data if you can achieve the same purpose without collecting personal information – for example, by using appropriately de-identified information. Collecting personal information beyond the minimum increases the exposure risk of extensive information in a cyber-attack or data breach.
Compartmentalising the information held is also an effective way of limiting the breadth of a potential data leak. It is the concept of ‘not putting all your eggs in one basket’ embodied within the privacy and cybersecurity context. Data compartmentalisation means categorising and separating the data you hold into many different compartments to reduce the impact when it is compromised.
Don’t continue to hold information if it’s not necessary
To minimise the risk of information being exposed to cyber-attacks, those who hold personal information should, before collecting the data, identify how long they need to keep the information to fulfil the purpose for which they collected the information and only hold it for as long as it is required to achieve that purpose. The longer that data is held, the more it is likely to be exposed to cyber-attacks.
Personal information that is no longer required should be erased, de-identified, or, if holding the information is still necessary for the purposes for which they have been collected but not immediately needed, taken offline or encrypted with restricted access to be restored only by authorised functions, and only if such retention is necessary for a specific purpose (for example, responding to requests from individuals such as access and correction, law enforcement agencies, conducting legal claims etc.) or if there is a legal obligation to retain the information for a set time.
Have a plan
You cannot guarantee that cybersecurity incidents will never occur; however, you can take steps to mitigate risks – the first is to have a plan. A well-thought-out plan includes protection measures to minimise risks and respond to and communicate breaches.
Organisations that collect and hold personal information should always have a plan to respond to potential risks, cyber-attacks, and other data breaches. The security and response plan should clearly outline how the organisation will respond if personal information is exposed, who will be responsible for complying with notification requirements to the relevant individuals and regulators, and who will be in charge of the response to remedy the breach.
A cybersecurity plan must should address your legal obligations, so seeking legal advice at the early stages of developing your plan will arm you with appropriate controls to ensure compliance with your obligations.
A privacy impact assessment (‘PIA’) is a helpful tool that can help you identify the potential risks arising from your handling of personal information and prepare a plan to address cybersecurity threats. The PIA will ideally draw a bird’s eye view of your data handling and identify potential risk areas, the measures by which such risks will be managed, and how you will respond if a privacy or security incident occurs. It can also help identify the actions you need to take to maintain your privacy compliance and cybersecurity status when there’s a change to your existing systems or processes.
Test, test, and test.
Cybersecurity and response plans should be regularly tested before real risks emerge to identify potential weaknesses and ensure they are fit for purpose and effectively implemented. Testing the plan is all about how the plan will work in practice. Implementing the plan is about ensuring that members of your organisation know the steps to safeguard personal information.
Cyber-security threats are constantly changing and evolving. Testing your plan ensures that it is up to date and evolves with emerging risks. It would be best if you considered having regular testing and review processes embedded in your plan to strengthen your position against new threats.
Consider cybersecurity insurance
The best solution for managing cybersecurity risks is prevention, which is why all our previous suggestions focus on this. However, we cannot ignore the possibility that, despite all our best efforts, a breach can occur, you may be held to ransom, or you (or third parties) may suffer losses; all of which is why you may want to consider taking a cyber insurance policy as part of your cybersecurity strategy.
According to Harvard Business Review, the cybersecurity insurance market is still in its infancy. With the increasing number of ransomware attacks across the globe (just like the Optus breach), cyber insurance is becoming harder to get and more expensive. However, suppose you have robust cybersecurity measures and response plans. In that case, you can consider policies tailored to your specific needs, offering protection from specific types of attacks and providing instructions on how to respond to them appropriately.