Breached as

Article
By Matt Steele, Digital Content Manager, IoD
28 Oct 2022
3 min read
[Image: security camera painted on concrete]

In case you missed it: on 22 September, Optus, one of Australia’s largest telcos, suffered a cyber-attack.

What made the attack so significant?

  • It was big. Approximately 10 million customer records may have been exposed in the breach.
  • A lot of customer data may have been compromised, including names, dates of birth, email addresses and, in some cases, identity document details such as driver’s licence, health card and passport numbers.

While obviously concerning for the telco, the impacts of the breach have been felt more broadly across Australia, including by cybersecurity information services, local and central government agencies, and other organisations that also store their customers’ identification documents.

In the aftermath

The Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC) are both leading investigations into the breach.

The ACMA investigation is looking directly at Optus’ obligations “relating to the acquisition, authentication, retention, disposal and protection of personal information, and requirements to provide fraud mitigation protections”.

The OAIC will look at whether Optus took reasonable steps to protect the personal information it held from “misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business”.

If Optus is found in breach of Australian privacy law, it could be fined up to A$2.2 million for each contravention. If a similar breach were investigated in New Zealand by the Office of the Privacy Commissioner, the organisation could face a fine of up to $10,000 for each contravention – significantly less, but still potentially very expensive if multiple privacy contraventions are identified. Parties whose privacy has been affected can also take the matter to the Human Rights Review Tribunal, which can impose penalties of up to $50,000.

Collecting, storing and sharing information

These investigations are a wake-up call to organisations on both sides of the ditch. But the breadth of the investigations also provides a useful framework for assessing the efficacy of our own organisation’s privacy policies and practices. To summarise, the investigations cover how personal information was:

  • acquired
  • authenticated
  • retained
  • protected
  • used by the business
  • disposed of.

Each of these areas requires attention as part of an organisation’s privacy and cybersecurity settings.

New Zealand’s Privacy Act 2020 provides useful guidance through its principles-based approach to the collection, storage and sharing of information. The first principle in the Act is a useful starting point for boards and management. Principle 1 states that organisations must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose. Boards should ask:

Once you are sure what data you are collecting and are confident of the purpose it is being collected for, you can plan how you collect it, store it, protect it, and dispose of it once it is no longer needed.

When a breach occurs

If, or when, your organisation is breached, there are some things you must do, and many more you should do.

If the privacy breach has caused, or is likely to cause, serious harm to someone, whether your customers, clients, suppliers or staff, you will need to notify the Office of the Privacy Commissioner as soon as practicable, and within 72 hours of becoming aware of the breach. This is a legal obligation, and failure to notify could incur a fine of up to $10,000. If you’re not sure whether you need to report the breach, check the self-assessment checklist referred to in this article.

Also, make sure you have a clear response strategy and incident plan. This will help your business recover more quickly after an attack and, if executed promptly, may actually lessen the impact of the attack.

“Businesses shouldn’t be under the illusion that they are immune to a cyberattack, as it can happen to anyone.”
- Phil Dobson, general manager of assurance at Aura Information Security (the cyber security consultancy owned by Kordia).

“That’s why it’s critical to ensure you have a response plan in place and take the time to rehearse it. Knowing what you will do to respond to an incident makes everything easier when you are under pressure, from who will do what, through to handling any notifications or media duties.”

Kordia provides a useful checklist to refine your organisation’s incident response plan that covers:

  • governance
  • legal
  • external communications
  • internal communications
  • customer and regulator notification
  • notification of third parties/suppliers
  • human resources

The investigations into the Optus breach may conclude that the telco acted responsibly in the way it collected, stored and shared its customer information, but the aftermath of the breach is still a useful reminder to boards and executive teams to review and refine their privacy policies and cybersecurity settings, and to ensure that they have a plan in place for when personal data is compromised.
