Expect ‘substantial reforms’: Optus breach


Substantial security reforms and tighter cyber security requirements placed on telcos are to ‘emerge’ soon, as a result of the recent Optus security breach that exposed personal data of 9.8 million Australians.

Addressing a question about the action taken by the Government following the Optus data breach, Minister of Home Affairs and Cyber Security, Clare O’Neill, said on Monday that in other jurisdictions a “data breach of this size” would result in a fine amounting to ‘hundreds of millions of dollars’ but, more importantly, the incident raised questions about the cyber security regulations around telecoms.

“One significant question is whether the cyber security requirements that we place on large telecommunications providers in this country are fit for purpose,” O’Neill said in Parliament.

“A very substantial reform task is going to emerge from a breach of this scale and size and there’s a number of policy issues that I think the public will soon become quite aware of.

“I really hope that this reform task is something that we can work on collaboratively across the Parliament, and I will speak in coming days about how we will work through those issues in conjunction with other members of Parliament.”

The minister also said that the previous Government had put in place a very significant piece of legislation which, she said, was “a very good start”, but that legislation did not cover telecommunications companies, seriously limiting the minister’s power over them.

“And the reason it did that is because at the time the telecommunications sector said ‘Don’t worry about us, we are really good at cyber security. We’ll do without being regulated’,” the minister said.

Unlike in many jurisdictions around the world, where a breach of this scale would result in hundreds of millions of dollars’ worth of fines against a company like Optus, in Australia it comes down to ‘just over $2 million’, which is the maximum fine for a breach of the Privacy Act, an amount described by the minister as “totally inappropriate”.

During her speech in Parliament, O’Neill also said that responsibility for the security breach rested with Optus and the breach was of a nature that “we should not expect to see in a large telecommunications provider in this country”.

“For the Australian Government more broadly, our focus now is doing whatever we can to help protect Australians who are affected by this breach.

“Very substantial support has been provided by the Australian Government and I want to credit the work of the Australian Signals Directorate, the Australian Cyber Security Centre and the Australian Federal Police in that support.”

Further to that, O’Neill described the solution the Government has been working towards in response to the security breach as ‘legally and technically complex’ and said the Government, the Australian Competition and Consumer Commission (ACCC) and the Australian Prudential Regulation Authority (APRA) were engaging with the banking sector “to see what additional steps can be taken to protect customers”.

The additional protections will also be provided on government platforms such as myGov.

“We expect Optus to continue to do everything that they can to support their customers and former customers,” O’Neill said in Parliament.

“One way that they can do this is providing free credit monitoring to impacted customers. This will help protect those customers against identity theft, and I call on Optus to make that commitment today.”

The Government was advised of a ‘significant cyber security breach’ by Optus, which is owned by Singapore-based telecommunications conglomerate Singtel, on 21 September.

According to the minister, Optus has advised that this breach revealed some personal data of 9.8 million Australians, and that for 2.8 million of them significant amounts of personal data have been taken.

On Monday, Slater and Gordon advised the Australian Securities Exchange (ASX) that the firm was investigating a potential data breach class action against Optus on behalf of current and former customers who had been affected by the unauthorised access to customer data.