Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.

By Will Ellis

• 
• 
• 

Last Updated on October 19, 2022

A compensation company has forwarded reimbursement steps for those impacted by the Optus hacking, seeking to get compensation. 

Less known, however, is that the Australian federal government responded to the breach by temporarily allowing telecommunications companies to “share approved government identification information” with specific financial services.

A legal firm has put into effect a claim against Optus after it was hacked in a cyber attack where almost 10 million Australians had their data Illicitly accessed by hackers.

A complaint was lodged by Maurice Blackburn to the Office of the Australian Information Commissioner (OAIC), detailing what it described as “an Important Test of Australia’s privacy laws.” The complaint is similar in nature to a class action lawsuit, giving the Commissioner the authority to issue compensation to anyone affected by the privacy law breaches.

According to this, anyone not issued compensation would be penalised and made to forcibly pay compensation but this is the most recent legal firm to declare its intention to get compensation for customers who are impacted. Optus has already apologised to its customers after the breach, but Maurice Blackburn agrees that this is not enough.

McQuarrie University faculty member Sean Foley is a representative complainant in the compensation case, being one of those who were impacted by the cyber attack. Dr Foley was given details by Optus of what personal details were breached and exposed to attackers, despite the fact that he stopped being a customer in 2017.

Overall, 9.8 million customers were impacted – with sensitive info being exposed. The breach of Telecommunications service Optus saw one of the biggest breaches in Australia’s history. One of the head executives of Maurice Blackburn, Vavva said that privacy attacks were an increasing issue because companies were ever more handling entrusted with personal data.

When consumers have to share personal data in order to access key services, they assume their data will be securely protected and not recklessly exposed to identity theft. It’s Maurice Blackburn’s view that they have a case for compensation and will hold Optus to account for what it sees as reckless violations of best practices leading to a “catastrophic data breach.”

The Telecommunications giant not only has to deal with this massive compensation claim, it also is facing another claim firm Slater & Gordon who are making a case against Optus — with Angeline Faulk, a privacy Commissioner, running her own investigation. A spokesperson for Optus said that they will “vigorously defend” any representative complaints.

What Was the Optus Hack?

It was a 2022 cyber attack on an Australian company in the telecommunications sector. On 22 September 2022, the systems of Optus experienced a substantial breach that revealed major data to hackers of old and current customers’ sensitive information, including dates of birth, phone numbers, email addresses and names (others also had their street addresses, passport numbers, and driver licences leaked).

The CEO of Optus, Kelly Rosmarin, asked its customers to display “heightened awareness” of their transactions related to Optus and general accounts. Rosmarin said that passwords had not been compromised. The CEO believes that the extent of the situation was limited to 9.8 million customers at the upper end, which would be one of the biggest breaches in Australian history, but thinks that the true number is a lot lower.

Two days later, Australian news sources The Sydney Morning Herald and The Age said that Optus was dealing with a ransom request of over $1 million requested on a hacking forum. Optus executives were given a week to pay the ransom in cryptocurrency otherwise its data would be sold on the black market for hundreds of thousands of dollars.

The Australian Federal Police arrested a 19-year-old in relation to the attack, on six October. Allegedly, the teenager threatened more than 90 Optus customers by claiming that he would use their leaked information to commit financial crimes, demanding payment of AUD $2,000.

An emergency mandate was announced on that same day, in response to the breach, taking the shape of a one-year amendment to Telecommunications Regulations 2021 to “enable telecommunications companies to temporarily share approved government identifier information with regulated financial services entities.”

Update to Australian laws after Optus hack

One of the effects of this attack is that the AU government has changed certain telecommunication laws, which it says purportedly are in place to protect the most vulnerable consumers from having personal details stolen in the future. For this, it has allowed companies to “temporarily share approved government identify information” with certain regulated financial services companies.

The purported effects of these legal changes will mean that Optus and other telecommunications firms can have that coordination with financial institutions and governments to what the attempts of hackers, fraudsters, and other malevolent cyber activities.

Communications Minister Michelle Rowland said that the goal of the amendment is to lessen the blow of the state average on Optus customers impacted so that financial institutions could proactively monitor and implement safeguards to hacker attempts to leverage stolen data.

More than 33% of Australians have their personal data stolen when 9.8 million records were lost, including driver’s licenses, passports, and national healthcare identification numbers. The hack was finally discovered on 21 September.

Recently, 10,000 records were put onto the dark web in order to coerce Optus into paying a $1 million ransom but the telecommunications company ran full-page ads in Australian newspapers to apologise with the headline saying: “We’re deeply sorry.”

With it, was a link to Optus’ website giving instructions customers could take to thwart fraud and identity theft. Although the government is able to alter regulations without Parliament’s permission, the government intends to make the changes to the Privacy Act using the Parliament in the last four sitting weeks for 2022 after the Optus breach.

Changes requested would be increasing fines for companies without proper cyber security practices in place, reducing certain types and volumes of customer data firms are able to amalgamate, as well as limiting how long personal information can be stored.

Takeaway — The ‘Why’

Why did the pre-existing privacy laws in Australia fail to thwart the Optus hack?

Although it is unclear at this stage,  reportedly one of the vulnerabilities that Optus practiced, which allegedly allowed hackers to more easily gain access to their systems, was the habit of emailing sensitive data through unencrypted email.

Instead of requesting customers to login to emails in order to retrieve renewal documents like policy numbers, address, date of birth and other sensitive data, in some cases this is actually emailed in an unencrypted format. This is done instead of using a secure web portal.

Without documents being encrypted, the sender is to rely on the recipient (you) having their own security protocols in place, such as TLS or SSL. Many people haven’t even heard of these protocols.

In the event of an email being spoofed, then all of the information about you is exposed. SSL stands for Secure Sockets Layer encryption and, together with Transport Layer Security (TLS), they work as a modern and secure way of encrypting email communications. You must be from occurs when a hacker emails you in a way that seems to come from a trusted source.

According to the Director of New NSW Institute for Cyber Security, Nigel Phair, Australia is increasingly becoming vulnerable online. They need to do more in order to thwart cybercrime. 2021, there were 63,000 reports to the Australian Cyber Security Centre.