As Optus scrambles to explain how data from millions of users could have been stolen, it is also clear that federal data retention laws contributed to the build-up of vulnerable information. By Royce Kurmelovs.
Inside the Optus breach
Lizzie O’Shea laughed when she heard how Kelly Bayer Rosmarin had defended Optus during an interview with the ABC on Tuesday morning. The chief executive insisted “we are not the villains”.
For years digital rights advocates such as O’Shea, a human rights lawyer and chair of Digital Rights Watch, had warned that a proliferation of national security laws requiring the collection and long-term storage of Australians’ personal information was destined for trouble.
With the Optus leak, everything the group had been warning about had come to pass. Australia’s second-largest telecommunications company had suffered a data breach, in which unknown persons had stolen the records of one in three Australians.
As the head of Optus, which also offers cybersecurity services, Bayer Rosmarin’s efforts at damage control felt to O’Shea like the stuff of a dark comedy.
“Of course, they’re not the ones who have engaged in criminal conduct, there is someone else who has done that,” O’Shea said. “But you can’t complain that something’s been stolen when you haven’t locked the front door.
“The way Optus has responded to this is reflective of our policy environment, which has required and permitted companies to hold vast amounts of information and has not imposed sanctions when it has not been properly secured.
“The reality is the responsibility for addressing the harm has fallen to individuals.”
How the breach took place is still not fully known. News of the incident became public last Thursday, when Bayer Rosmarin announced that the records of 9.8 million customers had been stolen.
The data included dates of birth, addresses, contact details, Medicare numbers, and passport and driver’s licence details.
Although Optus said the breach was the result of a “sophisticated cyberattack”, it is thought it occurred when an application programming interface (API) connected to the Optus customer database was left open to the internet.
An API is used to allow systems to transfer data. When one is left open to the internet with no authentication or authorisation, anyone who finds it has the same access to the internal data it exposes as the company’s own systems do.
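To make the distinction concrete, here is an added example (not Optus code, and not a description of its systems) contrasting a customer-record endpoint that answers anyone with one that authenticates the caller and then checks that the caller is entitled to the record requested. The customer records, server secret and token format are constructed for illustration.

```python
"""Added example (not Optus code): an API endpoint that serves customer
records to any caller, beside one that authenticates the caller and
restricts them to their own record."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample customer store (fake data, not real records).
CUSTOMERS = {
    "1001": {"name": "Sample Customer A", "dob": "1980-01-01", "licence": "XXXX1001"},
    "1002": {"name": "Sample Customer B", "dob": "1991-05-05", "licence": "XXXX1002"},
}

# Assumed server-side secret; in a real deployment it lives in a secret store.
SERVER_SECRET = b"example-server-secret"


def issue_token(customer_id: str) -> str:
    """Mint an HMAC-signed token binding a session to one customer id.
    A real system would issue this only after a login flow."""
    mac = hmac.new(SERVER_SECRET, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{mac}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the customer id the token was issued for, or None if invalid."""
    if not token or "." not in token:
        return None
    customer_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, customer_id.encode(), hashlib.sha256).hexdigest()
    return customer_id if hmac.compare_digest(mac, expected) else None


@dataclass
class Response:
    status: int
    body: dict


def open_endpoint(customer_id: str) -> Response:
    """The exposed pattern: any caller can read any record by id."""
    record = CUSTOMERS.get(customer_id)
    return Response(200, record) if record else Response(404, {"error": "not found"})


def hardened_endpoint(customer_id: str, auth_header: Optional[str]) -> Response:
    """Authenticate the caller, then enforce object-level authorisation."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401, {"error": "authentication required"})
    subject = verify_token(auth_header[len("Bearer "):])
    if subject is None:
        return Response(401, {"error": "invalid token"})
    if subject != customer_id:
        # A valid session does not entitle the caller to other customers' records.
        return Response(403, {"error": "forbidden"})
    record = CUSTOMERS.get(customer_id)
    return Response(200, record) if record else Response(404, {"error": "not found"})
```

The 403 branch is the check that matters most for a customer database: authenticating the caller is not enough if any authenticated session can still read every other customer’s record. Logging 401 and 403 responses from such an endpoint also gives a detection signal, since a high rate of them from one source indicates someone probing for records they are not entitled to.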
The situation escalated last Saturday morning when someone claiming to possess 11.2 million records obtained in the breach – more than the number claimed by Optus – demanded a $US1 million ransom from Optus to be paid in cryptocurrency.
This demand was not posted to the dark web but rather a run-of-the-mill internet forum freely accessible to anybody.
What followed was an overwhelming tide of public anger directed at Optus, as people who had yet to be contacted by email attempted to call the company to learn whether they had been caught up in the attack.
As the company sought to shift the risk onto the individual, federal Cyber Security Minister Clare O’Neil put the blame squarely on Optus, whose managing director of enterprise, business and institutional is former New South Wales premier Gladys Berejiklian.
“The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” O’Neil said.
Sky News reported that Optus had appealed to the Morrison government for an exemption from certain legislated security requirements – and that the exemption was granted to telecommunications companies. Paul Fletcher – who was Communications minister at the time and was director of corporate and regulatory affairs at Optus from 2000 to 2008 – defended the decision.
On Tuesday, the stakes rose again. The person who claims to have stolen the data released the first tranche of 10,000 records, hoping to pressure Optus into paying the ransom. They threatened to do the same every day until it was paid. These records reportedly included emails from the Department of the Prime Minister and Cabinet and the Department of Defence.
Within hours, the user backed down, removing their post and posting a message claiming they had deleted the data, apologising to those affected and saying it had been a “mistake to scrape publish data in first place”.
“Too many eyes,” a message said. “We will not sale data to anyone. We cant if we even want to: personally deleted data from drive (Only copy).”
If true – and there was no guarantee it was – it was a last-minute reprieve for Optus but one that couldn’t wipe away the events of the past week or the implications it held for Australia’s handling of personal data.
Among the Australian tech community, the response was largely one of incredulity at the lax security culture at Optus.
David Barnes, the chief executive of Zulu Labs, told The Saturday Paper of a meeting with Optus where he gave a short presentation on the company’s vulnerability to common email exploits such as spoofing – the creation of official-looking fake emails designed to trick people into responding.
Barnes says company officials stopped him during the presentation, saying they were “uncomfortable”, and asked him to “move on” – although he says they still took screenshots of his presentation.
“They went and implemented what I was discussing,” he said, “but they didn’t implement it across the domain.”
To demonstrate the vulnerability, Barnes spoofed emails from Optus for The Saturday Paper.
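The defence against the kind of spoofing Barnes describes is the set of email authentication records a domain publishes in DNS (SPF and DMARC). As an added example, not Zulu Labs’ or Optus’ code, the checker below grades two constructed record sets and flags the settings that leave a domain spoofable; the subdomain-policy check reflects one reading of “didn’t implement it across the domain”, which is an assumption here rather than a detail the article gives. The record strings are made-up samples, not live DNS lookups.

```python
"""Added example: grade a domain's SPF and DMARC records for settings that
leave it open to spoofed mail. Record strings are constructed samples."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Findings:
    domain: str
    issues: List[str] = field(default_factory=list)

    @property
    def spoofable(self) -> bool:
        return bool(self.issues)


def check_spf(record: str, out: Findings) -> None:
    """Flag SPF records whose terminal 'all' qualifier lets unlisted senders through."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        out.issues.append("SPF: no valid v=spf1 record")
        return
    tail = terms[-1].lower()
    if tail in ("+all", "all"):
        out.issues.append("SPF: '+all' authorises every host on the internet")
    elif tail == "?all":
        out.issues.append("SPF: '?all' is neutral and gives receivers no basis to reject")
    elif tail == "~all":
        out.issues.append("SPF: '~all' is softfail; receivers usually deliver anyway")
    elif tail != "-all":
        out.issues.append("SPF: record does not end with an 'all' mechanism")


def check_dmarc(record: str, out: Findings) -> None:
    """Flag DMARC policies that only monitor, cover part of the mail stream,
    or leave subdomains uncovered."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        out.issues.append("DMARC: no valid v=DMARC1 record")
        return
    policy = tags.get("p")
    if policy in (None, "none"):
        out.issues.append("DMARC: p=none means spoofed mail is only reported, never rejected")
    # 'sp' governs subdomains; when absent it inherits 'p'.
    sub_policy = tags.get("sp", policy)
    if sub_policy in (None, "none"):
        out.issues.append("DMARC: subdomains are not covered (sp/p is none)")
    pct = tags.get("pct", "100")
    if pct != "100":
        out.issues.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")


def grade(domain: str, spf: str, dmarc: str) -> Findings:
    """Run both checks and collect the findings for one domain."""
    out = Findings(domain)
    check_spf(spf, out)
    check_dmarc(dmarc, out)
    return out


# Constructed sample records for a made-up domain (not real DNS data).
WEAK = grade(
    "example.test",
    "v=spf1 include:_spf.mailer.example ~all",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
)
STRONG = grade(
    "example.test",
    "v=spf1 include:_spf.mailer.example -all",
    "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test",
)
```

A monitoring-only DMARC policy (`p=none`) is a common stopping point: it produces reports but tells receiving mail servers nothing about rejecting forged messages, and a policy applied to the apex domain alone leaves any subdomain usable for the same purpose unless `sp` is set or inherited from a strict `p`.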
Other experts expressed frustration at the inertia within Optus, which meant it had not adopted the latest strategies for identifying and resolving security issues. The company does not offer a bug bounty program, through which people who find an exploitable flaw in its software can safely report it to the company and be paid for their work. It also does not regularly scan its external, public-facing assets or maintain a vulnerability disclosure log. Nor does it employ dedicated application security experts, a specialised branch of cybersecurity.
So far, the federal government’s response has been guided by lessons from the 2020 breach of Service NSW in which 500,000 documents containing the personal information of 180,000 residents were leaked.
The state governments in Victoria, Queensland, Western Australia and South Australia have announced those affected could apply to have their licence reissued, with the governments then billing Optus for the cost. NSW is charging for replacement but says Optus will reimburse the cost.
On Wednesday Prime Minister Anthony Albanese asked Optus to pay for passport replacements, saying, “we believe that Optus should pay, not taxpayers” and called for reform after a “decade of inaction”.
Since the breach, a statement on the Australian Passport Office website has said those affected would have to cover the cost of a replacement themselves.
Justin Warren, the chair of Electronic Frontiers Australia, said the scale of the breach amounted to “Australia’s Equifax moment”. He said he hoped it would galvanise change as governments sought to take the issue seriously.
In 2017 credit bureau Equifax was hacked, with the records of 147.9 million Americans, 15.2 million British citizens and 19,000 Canadians compromised in one of the largest breaches in history.
Although it was feared the information would end up on a public server, it never appeared, and investigators ultimately concluded that members of China’s People’s Liberation Army were behind the hack. China denied any responsibility.
“My third law of IT is that every time there is a data breach, one of the first lines out of the spokesperson’s mouth is that they take security seriously – even if they have demonstrably proven they do not,” Warren said.
“When they fail to do their job, we are the ones who have to clean up their mess. That needs to change and change now.”
Australia is uniquely exposed to the risk of data breaches due to two decades of anti-terror legislation. The country has passed more than 80 anti-terror laws since 2001, many of which require the collection and long-term storage of information such as that stolen from Optus.
Existing privacy protections are limited, with rental agencies, mortgage brokers, schools and childcare facilities, welfare agencies and job network providers that interface with the social security system all permitted and encouraged to build huge stores of information.
If there is any silver lining to the Optus breach it is that this situation could be about to change. During her speech in parliament this week and in statements since, O’Neil has flagged that the government would be looking at reform in the area, saying Australia is “10 years behind the rest of the world”.
“A very substantial reform task will emerge from a breach of this scale and size and there are a number of policy issues that I think the public will soon become quite aware of,” she said.
“One significant question is whether the cybersecurity requirements we place on large telecommunications providers in this country are fit for purpose.”
The attorney-general, Mark Dreyfus, said the government would consider reforms to the Privacy Act and also look at penalties that would “concentrate the minds” of company board members.
“For too long, we’ve had companies solely looking at data as an asset that they can use commercially. We need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians.”
This article was first published in the print edition of The Saturday Paper on October 1, 2022 as "Once more unto the breach".