Australia to introduce cyber reforms following Optus data breach


Australian cybersecurity minister Clare O'Neil will announce cyber reforms after a massive data breach affected up to 40% of the country’s entire population.

As a result of the cyberattack on Australia's second-largest wireless carrier Optus, up to 10 million customers had their personal data exposed.

Following the incident, O'Neil blamed Optus for the breach, adding that in some jurisdictions, this would have resulted in fines worth hundreds of millions of dollars. Under European laws, for instance, companies are liable for up to 4% of global revenue for privacy breaches.

“Responsibility for this security breach rests with Optus. This is a breach we shouldn't expect to see in a large telecommunications provider.”

O'Neil told Parliament that a very substantial reform task will emerge from an incident “of this scale and size.”

"One significant question is whether the cybersecurity requirements that we place on large telecommunications providers in this country are fit for purpose," O'Neil said.

She further stated that reforms are expected to follow, encouraging affected customers to watch out for dodgy emails, text messages, or any correspondence from a financial institution.

Details on reforms will emerge in the coming week.

In the meantime, Prime Minister Anthony Albanese said that new privacy provisions will allow banks to be alerted faster in case of cyberattacks on organizations.

Optus: the disastrous data breach

Optus announced on Thursday that a massive data breach allowed threat actors to access the personal data of its customers.

Although Optus did not verify the exact number of exposed customers, it announced that 9.8 million was the “worst case scenario.” Allegedly, some information may date back to 2017, as the company keeps identity verification records for six years.

The information included customers’ names, dates of birth, phone numbers, email addresses, and in some instances, home addresses, driver’s licence or passport numbers.

"About 2.8 million customers have had all their personal details taken in the cyberattack, including their passport and license numbers, email and home addresses, dates of birth, and telephone numbers," Ben Packham, foreign affairs correspondent at The Australian, said.

The threat actor’s IP address seemed to move between countries in Europe. It is still unclear how the attack happened; however, experts suggested that the issue concerned a weakness in Optus' firewall.

According to Reuters, another news outlet reported a demand of $1 million in cryptocurrency for the data in an online forum, although this was not confirmed by Optus. The post allegedly included the information of 11.2 million Optus customers and over 3.6 million driving licence numbers. The user claimed to have extracted Optus’s data from an unauthenticated application programming interface (API), which did not require any login details.

The Australian Federal Police said that they are aware of the claims that the data has been put up for sale online.

According to Optus, affected customers will receive access to free credit monitoring and identity protection with credit agency Equifax Inc for a year.