Pedestrian.tv
Aleksandra Bliszczyk

Yr 5-Min Explainer On How The Optus Data Breach Happened And The Likelihood Of More Attacks

Optus, one of Australia’s biggest telecommunications companies, had a data breach last week and the personal information of millions of customers was held to ransom. Optus said this was a “sophisticated” attack, but the federal Home Affairs Minister Clare O’Neil said Optus “left the window open” for what was a pretty “basic” breach. The account which claimed to be the hacker has since apologised and said they deleted it all — after they leaked the data of at least 10,000 people on Monday, mind you, but there’s no way of knowing so the 10 million victims are now pretty much on their own. So how did the Optus hack happen and what’s the likelihood of it happening again? We asked a couple of experts about cybersecurity practices and Australian privacy laws.

What exactly is a data breach and why do hackers do it?

Every time you sign up for a service you’re required to hand over a certain amount of personal data, whether that’s identifying data like name, address or driver’s licence, or contact details like a phone number or email. This is actually a legal requirement. For example, anti-money laundering laws say companies must be able to prove their customers are in fact real and are who they say they are to ensure the business isn’t a front for illegal activity.

“The law requires [companies] to keep that data while someone remains a customer,” Toby Murray, Associate Professor in Computing and Information Systems at the University of Melbourne, told PEDESTRIAN.TV. “That data’s valuable to thieves or people who want to commit fraud … you can use it to open a bank account in someone’s name or take out a loan or extort them for money. So there’s a financial motive.”

Data breaches are pretty common worldwide — it happened to MyGov in 2020 and Telstra in 2021 when hackers sold people’s personal data on the dark web — but the Optus data breach was unprecedented.

Why was the Optus data breach so bad?

The Optus data breach was the biggest in Australian history, according to Dr Brendan Walker-Munro, a Senior Research Fellow with the University of Queensland’s Law and the Future of War research group.

“This has obviously been horrible for each individual who’s been affected but when you look at it at the macro level this has been an unprecedented event in Australian history and what happens from here on is going to have pretty significant ramifications on how we deal with our information,” he told PEDESTRIAN.TV.

About 2.8 million of the 10 million victims were severely affected by the breach and left particularly vulnerable to identity theft or even violent crime. The amount of identifying data of theirs that was stolen amounted to 100 points of identification. Walker-Munro said it’s likely government officials or police were part of the 2.8 million whose home addresses and identities were now compromised which could threaten their safety.

“Survivors of domestic violence could’ve had their identities exposed and the new addresses they’ve moved to are now out there in the world,” he said.

How did the Optus hack happen?

Optus CEO Kelly Bayer Rosmarin said last week it was a sophisticated attack from multiple locations in Europe, but a day later a senior Optus source told the ABC a mistake had occurred that allowed the hack. That claim was quickly walked back by the company which denied “human error” was a factor. Optus hasn’t said any more publicly about how the cyberattack happened, but cybersecurity experts and government authorities have ideas.

“Often they result from a fairly simple problem with the systems that are storing all this data,” Murray said.

“They had a system that was storing all this sensitive information … which was connected to the internet and seemingly anyone could access this.”

Murray said a system like this allowed anyone, anywhere in the world, to send it a request for a customer’s details, without being logged in or having to verify their authority to access the data.

“The customer would just be a number, and by putting in different numbers you got different details of different customers. The attackers doing this 10 million times ended up getting the details of 10 million customers,” he said.

“In a good system, you have access control which makes sure people are only able to view the data they need to for their job or as a customer, and you also have proper authentication that someone [has to prove] who they are claiming to be.”

He also said systems should be designed to get rid of data they no longer need, and should be carefully tested with specialist technology available to make sure there are no vulnerabilities.

What are the current Australian laws around data protection and are they adequate?

Most companies’ data protection practices are bound by requirements of the Privacy Act.

“Obligations [are] in relation to how companies can collect personal information and then how they have to store it, how they have to treat it, and then at the end of that lifecycle what companies that are finished with that information should do in terms of destruction or deidentifying or getting rid of information they no longer need,” Walker-Munro said.

“Telecommunications laws also impose specific requirements. Telcos have to make their best efforts to prevent unauthorised interference or access to information the telecommunications company has.”

Penalties for breaking these laws are usually fines, but Walker-Munro said our fines aren’t “enough to make a company like Optus sit up and take notice”. The Home Affairs Minister said in other jurisdictions, a breach of a similar size would result in fines of hundreds of millions of dollars. In the European Union, fines are percentages of the company’s annual income instead of blanket rates. But Walker-Munro argued reactionary punishments don’t always incentivise companies to implement the proper protections in the first place.

How likely is it another major cyberattack will happen in Australia?

To put it simply: very likely.

“Unfortunately these things are going to happen and the laws need to be there to ensure companies are taking their best steps before [they do],” Walker-Munro said.

But he also said Australia’s cybersecurity laws were changing regularly and can be difficult for companies to understand.

“There’s a part for government to play here where they really need to be coming in and providing transparency and clarity to companies and saying ‘these are the standards we require you to meet, if you’re not going to meet them, don’t operate in Australia’.

“It’s probably the uncomfortable conversations we should be having.”

Nevertheless, businesses will no doubt be scrambling to make sure their data is properly protected right now so it’s a good day to be in the cybersecurity business.

The post Yr 5-Min Explainer On How The Optus Data Breach Happened And The Likelihood Of More Attacks appeared first on PEDESTRIAN.TV.
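
The two controls Murray names under “How did the Optus hack happen?”, authentication and access control, sketched as an added example. This is not Optus’s code or anything from the original article; every name, record and token below is constructed for illustration.

```python
# Constructed sample data: customer records keyed by a sequential number.
CUSTOMERS = {
    1001: {"name": "Sample Customer A", "address": "1 Example St"},
    1002: {"name": "Sample Customer B", "address": "2 Example St"},
}
# Constructed session store: opaque token -> the customer it was issued to.
SESSIONS = {"tok-a-constructed": 1001, "tok-b-constructed": 1002}


class AccessDenied(Exception):
    """Raised when a request is unauthenticated or not authorised."""


def get_customer_unprotected(customer_id):
    # The flaw described in the article: the caller supplies only a number
    # and the record comes back. Nothing establishes who is asking.
    return CUSTOMERS.get(customer_id)


def authenticate(token):
    # Authentication: the caller has to prove who they are claiming to be.
    owner = SESSIONS.get(token)
    if owner is None:
        raise AccessDenied("no valid session")
    return owner


def get_customer_protected(token, customer_id):
    caller = authenticate(token)
    # Access control: a customer may read only their own record. "Not yours"
    # and "does not exist" give the same error, so a response never reveals
    # which customer numbers are in use.
    if caller != customer_id or customer_id not in CUSTOMERS:
        raise AccessDenied("not authorised for this record")
    return CUSTOMERS[customer_id]


def readable_by(token, ids):
    """Authorisation regression check: which of `ids` can this session read?"""
    allowed = []
    for cid in ids:
        try:
            get_customer_protected(token, cid)
            allowed.append(cid)
        except AccessDenied:
            pass
    return allowed
```

A check like `readable_by` belongs in a test suite: for any session, the result should never contain a customer number other than the session owner’s.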