Responding to the Optus data breach

As it was required to do by law, on 22 September 2022 Optus gave notice about a cyberattack to its customers, the Australian Cyber Security Centre, the Australian Federal Police, the Office of the Australian Information and Privacy Commissioner, the Commonwealth Government and key regulators.

Although details of the cause of the breach are still under investigation, Optus said that the attack has been shut down.

Optus says that the information that may have been exposed for about 9.8 million customers includes customers' names, dates of birth, phone numbers and email addresses, and, for a subset of customers, residential addresses and ID document numbers such as driver's licence, passport or Medicare numbers. Payment details and account passwords have not been compromised.

Customer information may be used by the offenders to commit identity theft in order to carry out fraudulent transactions. Based on the available information, the attack's exposure is limited to retail customers (and potentially small businesses), while enterprise accounts do not appear to be affected.

The Privacy Act requires Optus to take remedial action: Optus has engaged IDCARE, the national identity and cyber support service, to support affected customers.

IDCARE has warned that examples of misuse of identity information include the unauthorised creation of, or access to, banking or non-financial accounts, and mobile phone number porting or SIM swap events.

As a matter of priority, APRA has advised all APRA-regulated entities to harden controls on high-risk processes and transactions where possible, e.g. digital customer on-boarding and setting up first time payees. This could include control examples such as additional two-factor authentication requirements and call-backs.

APRA-regulated entities must give notice to APRA under Prudential Standard CPS 234 Information Security of security incidents and material control weaknesses.

Suspicious or fraudulent conduct should also be reported to AUSTRAC.

The Government Cyber and Infrastructure Security Centre has issued a fact sheet of steps individuals can take to protect their identity.

Cybercrime involves many aspects of business operations: from cybersecurity to fraud prevention, responses to ransomware, customer privacy, data retention, cyber insurance and business continuity.

A cybersecurity framework is essential for all financial services and credit licensees.

The starting point for any business is the ACSC Essential Eight mitigation strategies.

As the experts all say, your defences will be tested at one time or another.



Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

