Australia to Amend Privacy Laws After Optus Breach

Australian Prime Minister Anthony Albanese on Monday revealed that the country would make changes to its privacy laws to compel companies to report cybersecurity breaches to banks sooner. This would allow banks to respond quickly and protect their customers, he explained.

This statement comes after a cyberattack on Optus, Australia’s second-largest telecommunications company, exposed the personal data of over nine million former and current customers. Some of these customers — an estimated 2.8 million — had sensitive information stolen.

Earlier Monday, Optus said it had successfully reached out to all affected customers. However, the company is yet to provide further details about the incident, such as the exact number of people affected and how the threat actor breached its network.

On Saturday, an unidentified party, claiming to be the hacker behind the breach, demanded $1 million in cryptocurrency for the stolen data.

On Sunday, possibly in response to this, Optus said the Australian Federal Police is investigating the incident. The police have “advised Optus not to provide comment on certain aspects of the investigation, including verifying the authenticity of customer information published on the internet,” the company noted in a statement.

‘A Huge Wake-Up Call’

Prime Minister Albanese described the breach as “a huge wake-up call” for the country’s corporate sector. He said some state actors and cybercriminal groups are looking to get their hands on people’s data. As a result, the government plans to amend its privacy laws so that banks can protect their customers.

“We want to make sure … that we change some of the privacy provisions there so that if people are caught up like this, the banks can be let know, so they can protect their customers as well,” he said.

Australia’s Minister for Home Affairs and Cyber Security Clare O’Neil said the reforms would be “very substantial,” as they require resolving a complex issue. She said the government would look into the present privacy and security obligations of telecom companies.

Last week, Optus CEO Kelly Bayer Rosmarin described the breach as a sophisticated attack.

“The IP address [used by the hacker] kept moving. It’s a sophisticated attack. Safe to say it comes out of various countries in Europe. And in terms of the customer data, I think it dates back to 2017,” Rosmarin said.

However, O’Neil blames Optus’ lax security for the breach. She said the company bears full responsibility and “left the window open for data of this nature to be stolen.”

“One significant question is whether the cyber security requirements that we place on large telecommunications providers in this country are fit for purpose,” O’Neil said. “In other jurisdictions, a data breach of this size would result in fines amounting to hundreds of millions of dollars.”

Optus Warns About Potential Phishing Attacks

Optus said it sent emails or SMS messages to present and former customers who had their driver’s licenses and passport numbers leaked. The company has offered these customers a free 12-month subscription to Equifax Protect to protect them from identity theft. Optus also warned customers about malicious emails or SMS messages impersonating the company.

“Optus wishes to reiterate to customers that our email and SMS notifications will not have hyperlinks,” the company said. “If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus. Please do not click on any such links.”

Optus directed customers who feel they’ve suffered any loss due to the breach to reach out to the company on 133 937.

If you are interested in learning more about phishing attacks and how to protect your privacy, we recommend checking out our article on phishing scams. It has all the information you need to spot phishing scams and measures to take if you’re a victim.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.