Criminal or state actor, there are major lessons in the Optus cyber breach
23 Sep 2022

Optus, Australia’s second-largest telecommunications company, yesterday notified the media that the data of its customers had been compromised in a cyberattack. It remains unclear how many customers are affected, but CEO Kelly Bayer Rosmarin said it might be up to 9.8 million users in a ‘worst case’ scenario, while stressing the breach involved ‘a very small subset of data’.

Customers’ names, dates of birth, phone numbers, email addresses, driver’s licence numbers, passport numbers and postal addresses are among the information reported to have been accessed.

Given the scale of the breach, the nature of the personal information and the utility of this data, a key question is whether a state or criminal actor was behind the attack.

A state actor would be able to make very productive use of this data, especially if it included records of who people had called. It’s a little unclear from Optus’s statement whether ‘phone numbers’ means an individual customer’s phone number or the phone numbers customers have called.

In places like the US, we’ve seen China steal the records of security cleared officials, and hotel and health records. Joining these datasets together has the potential to provide rich pickings for states, enabling them to knit together useful details about key individuals, and understand patterns of behaviour and communication across groups of interest. It requires affected countries to think carefully about how these data breaches might be used against them in future. The scale and level of detail of Optus’s customer data would make it highly valuable to a state actor.

The other possibility is that this is the work of cyber criminals. ITnews reported that while Optus notified the media of the breach yesterday, the data of its customers appears to have been posted for sale online since 17 September. That could suggest the work of a cybercriminal gang. However, Optus has told the media that it hasn’t received a demand for a ransom, which would be the obvious thing for a criminal group to do.

Rosmarin said this morning that it was too early to tell whether it was a criminal or state actor, but described the attack as ‘sophisticated’. This is now standard language used by anyone who is successfully penetrated, so it is difficult to read much into that remark.

For Optus customers, the implications of the breach depend to a significant extent on which type of actor was behind the attack. If it was a criminal gang, customers are likely going to be exposed to the significant risk of identity theft, requiring them to spend many painful hours making whatever changes they can to their personal data to minimise their vulnerability—which will be difficult to do entirely. If it’s a state actor, the impact on individual Australians will likely be less apparent, though it may be more pernicious for politicians, business leaders, government officials and anyone else whom the state actor deems a potential target of influence or intelligence-gathering.

Even if this turns out to be the work of cybercriminals, they might see profit in selling the data to state actors. It would therefore be wise to prepare for both eventualities.

So, what are the lessons from this episode?

First, and most obviously, the incentives for businesses that hold large amounts of highly valuable personal data to keep that data safe are still not well enough aligned either to consumer protection or to the wider national interests of Australia. In May, the Australian Securities and Investments Commission successfully challenged an Australian financial services firm in the federal court over the adequacy of the firm’s cybersecurity risk management. The firm was ordered to pay $750,000.

This was an important first in Australia. However, it raises questions about the strength and consistency of our framework for ensuring there are consequences for cyberattacks. There should be consequences for companies if it’s found that they were deficient in protecting consumers’ data. When it comes to perpetrators, there has been an inclination not to name state actors. In this case, though, the data stolen is the personal information of Australians. It’s reasonable to argue that we should be told who was behind the attack, regardless of the perpetrator.

Second, there’s a growing argument to create an ‘Office of Future Threats’ within the government to look at all the data that has been stolen from businesses, civil society and governments by various state actors, and to plan for scenarios in which this data might be used against Australian interests.

Finally, there is an opportunity to look at streamlining solutions for Australians who are victims of identity fraud so that less time (and heartache) is spent fixing the mess created by these sorts of massive failures. For example, Australians who have had personal data stolen must, in many circumstances, pay for new documents including passports. This should not happen. In a world in which large-scale data breaches are an unfortunate reality, Australians should not be disadvantaged when they are forced to remediate a situation that was never within their control.