Optus’ rapid disclosure of its massive customer hack was messy – but also the right call

Optus’ announcement on Thursday that a hacker had breached its systems, exposing the personal information of millions, was not tidy.

The company had no details of how the hacker got in, who they were, or what they wanted, and those unknowns are plainly scary.

Optus CEO Kelly Bayer Rosmarin has said the attack left her devastated and angry.

But Optus did the right thing in making the breach public as quickly as it did, going public within 24 hours of finding out about it on Wednesday.

It means the up to 9.8 million customers whose personal data was accessed by the hackers can be on high alert for fake calls purporting to be a billing issue with their Netflix account, alleged friends requesting verification codes or notifications that a new credit card has been issued.

Such speed from companies is not guaranteed.

In 2016, hackers stole 57 million driver and rider accounts from Uber, including some from Australia.

The company covered it up, paying $100,000 to the hackers to delete the data in the guise of a bounty for finding a security vulnerability. Non-disclosure agreements were signed.

This is an ugly truth but an important one: companies commonly pay up when their data is stolen.

The whole affair only came to light when the founding chief executive was ousted and the board looked into Uber’s business practices.

Last year, Australia’s information commissioner found Uber had breached the privacy rights of an estimated 1.2 million in the incident.

By going public early, Optus has headed off such damaging revelations down the track.

But it doesn’t mean there aren’t questions to answer: how was Optus storing and securing user data? What breach let the hackers in? Exactly how much data was taken?

These aren’t just questions for Optus.

Some of the largest and best-defended internet companies have been hacked in recent months, including Microsoft.

In theory, Australia should be better placed than ever to defend against attacks like the one that hit Optus. Over the last two years, parliament passed laws that put extensive obligations on critical infrastructure companies, like telcos, to address cyber threats and notify authorities about major breaches.

The powers in the legislation are extraordinarily broad, allowing the government in some situations to “direct an entity to do, or refrain from doing, a specified act or thing.”

Those invasive powers were justified as being necessary to ensure that Australians are kept safe.

Now the government has the chance to prove to the public that they work – and to do so as openly as possible.
