Things are not getting better for Optus, a subsidiary of the Singapore-owned Singtel and Australia’s second largest telecommunications company.
Responsible for one of the country’s largest data breaches, the beleaguered company is facing accusations and questions on various fronts. It is proving to be rather less than forthcoming about details as to what has been compromised in the leak.
Optus revealed on September 22 that details of up to 9.8 million customers had been stolen from its database. Dating back to 2017, these include names, birthdates, phone numbers, email addresses and, in a number of cases, home addresses, passport numbers or driver’s licence numbers.
Fittingly, and perversely, a study from the Australian Institute of Criminology that same year found that one in four had been victims of identity crime or a general misuse of personal information.
The authors remarked that such rates were “comparable with the 27 percent reported by respondents to the identity fraud survey conducted in 2012 for the United Kingdom’s National Fraud Authority”.
Optus claims that the breach arose from a “sophisticated cyber attack”. The view from the outside is different.
The attack appears to have happened when an application programming interface (API) linked to an Optus customer database was left easily accessible. In basic terms, an API permits the transfer of data. Left naked and vulnerable, such an interface lets users pry their way into systems they would otherwise not be able to access.
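To make the failure concrete, here is an added illustration (not code from the article or from Optus) of the weak design the paragraph describes beside a hardened version: a customer-record lookup that answers any caller, and one that authenticates the caller, returns only that caller’s own record, and withholds identity-document details. The records, tokens and function names are constructed for the example.

```python
import hashlib
from typing import Optional

# Constructed sample records (not real data), keyed by customer id.
CUSTOMERS = {
    1001: {"name": "Asha Example", "dob": "1980-01-01", "passport": "N1234567"},
    1002: {"name": "Ben Example", "dob": "1975-06-30", "passport": "N7654321"},
}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# The server keeps only hashes of issued session tokens (tokens are constructed).
SESSIONS = {_token_hash("tok-asha"): 1001, _token_hash("tok-ben"): 1002}


def lookup_unauthenticated(customer_id: int):
    """The weak design: anyone who can reach the endpoint gets the full record."""
    return CUSTOMERS.get(customer_id)


def redact(record: dict) -> dict:
    """Data minimisation: a general endpoint never returns a full identity document."""
    out = {"name": record["name"], "dob": record["dob"]}
    if "passport" in record:
        doc = record["passport"]
        out["passport"] = "*" * (len(doc) - 2) + doc[-2:]
    return out


def lookup_hardened(customer_id: int, token: Optional[str]):
    """Authenticate the caller, authorise the resource, minimise the response.

    Returns (http_status, body) so the outcome of each check is visible.
    """
    if not token:
        return 401, None                       # no credential presented
    principal = SESSIONS.get(_token_hash(token))
    if principal is None:
        return 401, None                       # unknown or expired credential
    if principal != customer_id:
        return 403, None                       # valid login, but not this record
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, None
    return 200, redact(record)
```

The unauthenticated variant is the "unlocked front door": reachability alone is enough to read every field, whereas the hardened variant fails closed at each step.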
Optus CEO Kelly Bayer Rosmarin claimed the company is “not the villain” and suggested that the API was not freely exposed.
However, she is defending a crumbling front, made stark by her light burden of responsibilities, among which was to make recently retired tennis star Ash Barty the company’s “Chief Inspiration Officer”, and Australian Formula One driver Daniel Ricciardo its “Chief Optimism Officer”.
Less laughable is the spectrum of Australian companies which do not like regulatory oversight of their data security.
As Tom Burton wrote in the Australian Financial Review: “Intense lobbying from financial, payment, telco, media and marketing interests” retarded reforms towards “a trusted, secure, reliable and efficient regulatory regime to manage the burgeoning digital economy and the data that fuels it”.
Exemplifying this reluctance are Australia’s banks which, when asked to confirm account holder details linked to an account prior to making payments, muttered and grumbled.
Those whose identities have been breached have little recourse.
There is no right to sue for the civil wrong of a breach in privacy in Australia. Common law remains perversely stubborn in articulating a clear tort on the subject and legislators have not brought in any laws on the matter.
The federal Privacy Act 1988, given its numerous exemptions for small businesses, employee records, media bodies and political parties, is but a poor, shabby cover. It certainly falls far short of its European cousin many times removed, the General Data Protection Regulation (GDPR).
David Lacey and Roger Wilkins, a former secretary of the Attorney-General’s Department, in a 2019 report released by the Department of Home Affairs under Freedom of Information, found that “overall, the response system [to data breaches] is either non-existent or performing poorly from a citizen’s perspective”.
The authors “observed significant deficiencies in response standards, formal reporting channels of Government, and meaningful protection for consumers”.
The condition was made worse by Australian laws mandating the retention of customer data for up to two years, though there is no strict requirement not to keep such data after that period.
The Department of Home Affairs states that such a policy ensures “Australia’s law enforcement and security agencies are lawfully able to access data, subject to strict controls”.
The Telecommunications Consumer Protections Code, overseen by the Australian Communications and Media Authority, also permits telcos to hold personal data for billing information purposes “up to six years prior to the date the information is requested”.
This does not, however, necessitate the retention of passport details, driver’s licence numbers and Medicare numbers.
The implication of such provisions is unmistakable. They have encouraged companies to engage in conduct that has made security feeble and breaches likely.
They have become the shoddy handmaidens of government paranoia.
Entities such as Optus cannot be seen to be reliable in responding to such crises. The sombre assessment from digital rights advocate Lizzie O’Shea is dire. “My third law of IT is that every time there is a data breach, one of the first lines out of the spokesperson’s mouth is that they take security seriously – even if they have demonstrably proven they are not.”
While accepting that Optus is not directly responsible for the conduct, she suggested that “you can’t complain that something’s been stolen when you haven’t locked the front door”.
The policy implications are vast. Should such telcos be required to hold data under problematic data retention laws of the kind that have been assailed in the EU? (In September, Germany’s general data retention law was found by the European Court of Justice to violate EU law.)
Making such organisations the holders of such information renders them rich targets.
Penalties have been proposed. In the context of the European Union and California, stiff monetary sanctions apply, a point Home Affairs Minister Clare O’Neil has noted.
Current fines in the order of $2.2 million for companies and $440,000 for individuals are risible. There are promises from Optus to pay for replacing compromised documents.
But in terms of legislative protections, Australian policy makers continue to look at data protection through a lens that is both fractured and dated.
[Binoy Kampmark lectures at RMIT University.]