Optus chief executive Kelly Bayer Rosmarin announced on September 22 that users of the company’s services dating back to 2017 should exercise “heightened vigilance” to protect their identities, after “sophisticated criminals”, whose motives are unknown, breached the company’s security systems to access the personal data of millions of Australians.
The Optus data breach is now being investigated by the Australian Federal Police. Around 10 million affected users anxiously await further advice on the extent of the breach, what the company is doing to help those affected and what they should be doing to ensure they do not fall victim to identity theft.
According to Optus, the data breach includes personal information such as email addresses, dates of birth, full names, mobile numbers and driver's licence numbers.
The company said “no passwords or financial details have been compromised” and that customers who are the most seriously affected are being contacted by telephone to assist in ensuring they do not have their identities stolen and used for nefarious purposes.
Optus says it will not be sending emails or SMS messages, so customers should not click on links purporting to originate from it.
In the meantime, customers have been strongly advised to change their passwords and watch their bank accounts for any anomalous transactions. However, there are rumours circulating that the information is already being sold on the dark web.
Many believe Optus’ response is too little, too late and the company should be made, at least partially, accountable for the inevitable stress, anxiety and partial loss caused by systems which have proven to be inadequate in protecting personal information.
How serious is the breach?
The AFP said it is difficult to know whether the claims of data being sold are real or bogus because there has already reportedly been one attempt at extortion: an anonymous account claims to have the data, which it says would be returned if Optus paid $1 million in cryptocurrency within a week.
“It is an offence to buy stolen credentials. Those who do face a penalty of up to 10 years’ imprisonment,” the AFP said.
But this is cold comfort for Optus customers who are facing the real threat of identity theft.
At this stage there are still more questions than answers.
Large corporations, such as Optus, require a range of personal information when setting up a telecommunications account: customers have no choice but to hand this information over.
They trust that this data will be kept secure and confidential, and have little recourse when hackers launch a successful cyber attack and their data is compromised.
It’s difficult to know why hackers do what they do. There are financial gains to be made from selling personal data, but there are other reasons too: some do it for the thrill, others because they’re disgruntled.
Irrespective, it is stressful for those affected. The digital world is vast, and it is impossible to know whether individuals can fully protect themselves from a data breach or completely retrieve information once it has been leaked. This leaves victims feeling vulnerable indefinitely.
Identity theft ruins lives and can take years to recover from.
Laws regulating how data is managed by corporations and government organisations fail to fully protect consumers.
The Privacy Amendment (Notifiable Data Breaches) Act 2017, which came into force in 2018, ensures that eligible businesses must notify the government via the Office of the Australian Information Commissioner (OAIC) if a serious data breach has happened.
The laws apply to all businesses, government agencies and non-profit organisations with an annual turnover of more than $3 million, as well as health service providers, credit reporting bodies and any entity which receives and handles tax file numbers.
Failure to comply can result in fines of up to $1.7 million for companies. Many might argue that this is a “slap on the wrist” for large corporations, such as Optus.
Draft federal legislation being considered — Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 — proposes higher penalties for organisations, among other tweaks to the law.
But the problem remains the same: beyond reporting, a company’s obligations to customers do not extend much further once a data breach has occurred, and the onus remains on individuals to keep themselves protected.
What about the Privacy Act?
Under the federal Privacy Act 1988, individuals do have the right to make complaints to the Privacy Commissioner if they believe their privacy has been breached by an organisation.
The commissioner will then investigate the matter and, if they conclude there has been a privacy breach, they have the power to determine certain remedies including requiring the organisation to pay compensation to the individual whose privacy has been breached. Typically, however, these payments are relatively small.
The Privacy Commissioner can also apply to the Federal Court or Federal Circuit Court for an order requiring an entity to pay a fine for certain privacy breaches or breaches of the credit reporting provisions under the law.
While this process has been described as “cumbersome”, “frustrating” and “time consuming”, individuals can also take action through a private civil suit, although this can be expensive.
A successful class action was undertaken in 2020 against NSW Health Administration Corporation by employees who suffered a data breach when their workers compensation records were harvested by a contractor and sold to a third party.
Class action suits may well become more common in future as cyber-crimes continue to rise.
[Sonia Hickey writes for Sydney Criminal Lawyers where this article was first published.]