Australia: Privacy overhaul follows massive data breach

The government of Australia intends to impose more stringent requirements for the disclosure of cyber attacks following one of the most significant data breaches in Australian history.

The Prime Minister of Australia said businesses need to share user data with banks to contain financial fraud.

Prime Minister Anthony Albanese told Australian radio station 4BC that the government planned to overhaul privacy legislation so that any company suffering a data breach would be required to share details about affected customers with banks in order to minimize fraud. Under current Australian privacy legislation, businesses are prevented from sharing details about their clients with third parties.

The policy statement was made in the wake of a massive data breach last week involving Australia’s second-largest telecom company, Optus. Hackers managed to access a vast amount of potentially sensitive data on up to 9.8 million Optus customers, nearly 40 percent of the Australian population. Leaked data included name, address, contact information, date of birth and, in some cases, driver’s license or passport numbers.

Singtel Optus Pty Limited, commonly known as Optus, is an Australian telecommunications company headquartered in Macquarie Park, New South Wales, Australia. It is a wholly owned subsidiary of Singtel. Optus is the second-largest wireless carrier in Australia, with over 10.5M subscribers as of 2019.

The company trades under the Optus brand while maintaining several wholly owned subsidiaries, such as Uecomm in the network services sector and Alphawest in the ICT services sector. To provide services, Optus mainly owns and operates its own network infrastructure; it delivers services directly to end users and acts as a wholesaler to other service providers such as Exetel and Amaysim. In addition, its Optus ‘Yes’ brand provides broadband and wireless internet services. Additional wholesale services include satellite and 4G mobile.

The company was initially known as Optus Communications Pty Limited. Before settling on its current name, it went through Cable & Wireless Optus Pty Limited, Cable & Wireless Optus Limited, and SingTel Optus Limited. Optus is divided into four main businesses: Mobile; Business; Wholesale; and Consumer & Multimedia.

The breach may have originated from an improperly secured API that Optus developed to comply with regulations about offering users multifactor authentication options.

A person claiming to be the Optus hacker appears to have corroborated this account of the data breach in discussions with security journalist Jeremy Kirk. Per details given to Kirk by the presumed hacker, the information was downloaded by querying the API sequentially for each value of a unique identifier field marked “contacted” and recording every user’s attributes one by one until the dataset of millions of records was built up.
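As an added illustration of how a defender could spot this pattern in their own telemetry (this is example code written for this page, not anything from Optus or from the reporting), the check below scans constructed API access-log lines and flags a client whose successful requests walk through consecutive record identifiers. The log format, endpoint path and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical addresses and paths, not Optus's).
# One client reads five consecutive records; another reads its own record twice.
SAMPLE_LOG = """\
203.0.113.7 2022-09-20T10:00:01Z GET /api/v1/customers/1001 200
203.0.113.7 2022-09-20T10:00:02Z GET /api/v1/customers/1002 200
203.0.113.7 2022-09-20T10:00:03Z GET /api/v1/customers/1003 200
203.0.113.7 2022-09-20T10:00:04Z GET /api/v1/customers/1004 200
203.0.113.7 2022-09-20T10:00:05Z GET /api/v1/customers/1005 200
198.51.100.4 2022-09-20T10:00:06Z GET /api/v1/customers/4821 200
198.51.100.4 2022-09-20T10:05:00Z GET /api/v1/customers/4821 200
"""

# Assumed line layout: client-ip timestamp method path status
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
ID_RE = re.compile(r"/customers/(?P<id>\d+)$")


def find_enumeration(log_text, min_records=5, max_gap=1, ratio=0.8):
    """Return {client_ip: (distinct_ids_read, consecutive_steps)} for clients that
    successfully read at least `min_records` distinct records and whose sorted
    identifiers advance by at most `max_gap` in at least `ratio` of the transitions.
    Sorting the IDs means a client that shuffles its request order is still caught."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # only successful reads expose data, so only they count
        idm = ID_RE.search(m["path"])
        if idm:
            ids_by_client[m["ip"]].add(int(idm["id"]))

    flagged = {}
    for ip, ids in ids_by_client.items():
        if len(ids) < min_records:
            continue
        ordered = sorted(ids)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= max_gap)
        if steps >= ratio * (len(ordered) - 1):
            flagged[ip] = (len(ordered), steps)
    return flagged
```

A real deployment would key on an authenticated principal or API key rather than a source IP, since an attacker can rotate addresses, and would pair this detection with server-side authorization that ties each record to the requesting account.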

A post from the same person in a popular hacking forum claimed to offer the user data for sale for $150,000 and listed an extortion price of $1 million to keep the data private, to be paid in the Monero cryptocurrency. The hacker also released several free “sample files,” which they said contained the complete address data of 10,000 Optus users.

As the situation evolves, many Optus customers have taken to social media to voice their frustration with how the hack was handled, particularly regarding informing affected users that their data was at risk.

“Fantastic that Optus can email me when I am a day late in paying my bill, but not when they lose all my info in a massive cyber hack,” tweeted Patrick Keneally after the data breach. He is a news editor for Guardian Australia.