It’s too late to undo the Optus hack. How do we stop the next one?

The account claims to have the details of 11.2 million users (notably more than the ceiling of 9.8 million users affected, according to Optus) — as well as passport and driver’s licence numbers for 4.2 million of them. 

The listing included a sample of users’ data. Crikey was able to verify the data of at least one Optus customer listed. This user’s data is not found in the data breach notification service Have I Been Pwned, suggesting that it has not been previously released in other breaches. Other researchers and outlets have also been able to confirm data with other customers. Taken together, this suggests that Optusdata has been able to access Optus customer data — although this does not substantiate the account’s claim about the scale of the leak.

Optus has not confirmed that Optusdata’s database is real. The company said it has been advised by the Australian Federal Police to not offer further comment. 

The account told Crikey that they had not yet heard from Optus. They said they would delete the information if the ransom was paid: “Data will not be sold to criminal [sic] if paid. Data will be destroyed and we can retire. If Optus care about there [sic] customers they should pay money. It is small in compared to there [sic] revenue,” they said in a message. 

Ransomware attacks are increasingly common as hackers leverage cyberattacks to extract payments from businesses and organisations. Even though many will pay the ransom (80% according to one survey of Australian businesses this year), there’s no guarantee that attackers would follow through on their promise and delete the data obtained. 

How did the Optus cyberattack happen?

Reporting by the ABC’s Andrew Greene and BankInfoSecurity’s Jeremy Kirk suggests that intruders used an application programming interface (API) to obtain Optus’ customer data. 

In layman’s terms, API is a go-between for two different pieces of software. A popular example is weather APIs; most weather apps get condition information from an API belonging to an organisation like the Bureau of Meteorology, which actually physically collects the data.

In this case, it’s believed that the people behind the cyberattack were able to access an Optus API that did not require someone to log in to access customer data. The suspected API endpoint is offline, meaning there’s no further risk of more information being retrieved.

What happens when millions of Australians have their data leaked?

Optus has contacted all of those caught in the leak. They’ve been advised to watch for phishing attempts and suspicious transactions. These responses place the onus on the individual to be responsible for managing their own harm. Plus individuals have little chance of legal recourse as Australia does not have a statutory tort of invasion of privacy. Unfortunately for them, many of the details in the leak are difficult or impossible to change. That leaves them exposed in the future to these risks.

What of the broader implications for Australia? Governments, businesses and organisations use personal identifying information (PII) to verify people’s identities. The release, or the threat of the release, undermines current systems built on existing standards of verification. 

University of Canberra Associate Professor Dr Bruce Baer Arnold said it’s unlikely governments will re-issue passports, drivers licences and other identity objects.

“They are not set up to engage in what approaches population scale re-regulation,” he said.

Australian National University’s Dr Liz Allen told Crikey there are questions about data integrity and the social licence of future data collection, such as the census. Right now, banks have reportedly stepped up monitoring for suspicious activity in response, while Optus is requiring customers to come into their stores to carry out transactions. 

What can we do to stop the next Optus hack?

The government’s Home Affairs and Cybersecurity Minister Clare O’Neil is set to announce reforms that would allow telcos to inform banks about privacy breaches, a move currently prevented under existing privacy protections. Coalition’s opposition spokespeople Karen Andrews and James Paterson want to introduce new offences for cyber extortion and ransomware activities. The attack will intensify interest in the results of the long-running Privacy Act review, which are set to be released later this year. 

One of the major public policy issues that have emerged from the Optus cyberattack is the question of how much data companies are required to keep — and how much they’re actually keeping. The data held by Optus included many forms of PII data going back as far as 2017, including for former customers. 

University of Queensland’s Brendan Walker-Munro said that hyper-collection of data is a common issue with companies.

“We need to start asking these companies why they need to collect and store this information,” he said.

Some have been quick to point the finger at regulation for the amount of data held by Optus. The ABC quoted a “long-serving telecommunications insider” saying as much: “It annoys me that people think Optus and others want this data — it’s necessary for metadata laws — we don’t”.

But the volume and types of data held by the telco go beyond what it is required to keep. This means it’s not just an issue of regulation forcing too much retention; it’s also about the data practices of big companies that have little incentive to treat customers’ private details with care.

Whether or not Optus customer data ends up being sold online, the cyberattack will leave a lasting impact on the millions of Australians who will always fear its release. The question is whether policymakers will seize this opportunity to reform regulations to ensure that something this potentially harmful doesn’t happen again.