Australia has experienced one of the most serious data breaches in its modern history.
The ensuing investigation into the leak of sensitive records belonging to an estimated 9.8 million Optus customers should reveal the motive for such a monumental data hack.
As shocking as it is to see identifying details like Medicare, passport, and driver's licence numbers breached, this is a day experts knew would come eventually.
It should now raise questions about the level of cyber security measures adopted by the Australian telco industry, and businesses at large.
The business models of Australian corporate houses encourage them to skimp on security at the cost of both national and individual security.
The primary focus of big business is to win customers and grow quickly through big data analytics, leaving privacy and security practices for later.
I see Australian companies, large and small, skimp on security measures, cutting corners in their business models at the cost of millions of customers' private information. In the name of personalised marketing offerings, companies collect millions of data points and develop quick and dirty systems to analyse them, leaving the window open for data to be stolen.
The EU General Data Protection Regulation can levy fines up to 20 million euros (roughly US$20,372,000), or 4 per cent of worldwide turnover for the preceding financial year - whichever is higher.
In Australia, fines under the Privacy Act are capped at $2 million. This does not pass the common-sense test. It is high time to reform the cyber security regulations that protect commercial and customer data, and to reform the fines for companies whose lax policies fail to protect Australians.
Although Optus offers affected customers a year's subscription to the credit monitoring service Equifax to track suspicious financial activity, customers have a right to know the extent of the data breach and what compensation may be available. Customers also have a right to give the minimum information needed to receive a service, not a hundred points of personal identification.
Despite the initial demand of a US$1 million ransom in exchange for deleting the stolen data, the hacker has now withdrawn the demand, declaring: "Too many eyes. We will not sale [sic] data to anyone. We cant [sic] if we even want to: personally deleted data from drive (only copy)".
This surprising twist has opened a can of worms, because it calls into question whether the stated motive was genuine. While the message and the actions seem immature, the involvement of a sophisticated criminal group or a state actor using them to mask the real purpose cannot be ruled out.
After all, the hacker would have known that a large telco like Optus was never going to pay the ransom. In recent years there has been evidence of state involvement in the theft of large volumes of commercial data from retail, aerospace and semiconductor companies in the US.
When a state is involved through hackers in the criminal underworld, businesses are often the victims because the objective is to expose the vulnerabilities of an easy target rather than to extract monetary value from the data.
Any litigation against Optus, either through class-action lawsuits or federal agencies, will reveal the possible reasons for the data breaches.
While human error, in the form of an insecure software interface, might have been a contributing factor in the Optus data breach, the telco's chief executive Kelly Bayer Rosmarin insisted on the "sophisticated" nature of the attack. A technology giant like Optus should have been more careful with its customers' personal information.
Another risk has come about due to COVID-19. Many employees are working remotely under flexible working conditions, away from physically secured office buildings and clearly defined and protected system perimeters.
The working population has increasingly adopted mobile technology through bring-your-own-device incentives and, in general, lacks fundamental knowledge of cyber security procedures for protecting organisational assets and data.
The lack of security awareness exposes Australian businesses to potential cyber threats and makes our sensitive personal information vulnerable.
Employees must be reminded of their role in preventing, detecting, responding to and recovering from cyber attacks.
Management should provide new guidelines and monitor the success of employee training and learning activities, role-based training programs, and exercises to raise and strengthen awareness. These programs must be considered for every level of employee.
As a contingency, companies should have a strategic communications plan setting out when, what and how to communicate with stakeholders. Data breaches in the big data economy have become a formidable threat to Australian businesses, and addressing them is the top priority for protecting customers and our national interests.