Optus customers were incredulous at the telco’s response when almost ten million customer records were stolen in late September 2022.

We were all left flabbergasted by the initial claims that ‘there was nothing to see here’ and that no harm had been caused since no financial information had been taken; the slow drip-feed of information, culminating in the hackers, not Optus, confirming that unique Personally Identifiable Information (PII) had been taken; the poorly resourced contact centre for concerned customers, resulting in all-day waits for calls to be answered; the broken promise that affected customers would be contacted quickly; the scarcity of technical details on the nature of the incident; the late call for a ‘crisis communications expert’ when all credibility was lost; the Deloitte-led forensic investigation to determine responsibility for the theft; and the CEO being left out to dry to defend the company during the crisis.

Medibank – unprecedented crime or weak governance?

A month later, the data theft at Medibank followed a similar trajectory. Roughly ten million customer records were stolen. Initial communications from the insurer suggested that a small amount of customer data was stolen. Two weeks later the hackers, not the insurer, revealed that they had Medibank’s entire customer database, which included extremely sensitive personal health claim information.

Medibank was slow to contact customers, as was Optus. The company also asked Deloitte to conduct a forensic investigation to determine culpability. As at Optus, the CEO, David Koczkar, was left to front the media to defend the company’s response to this massive data theft.

Medibank’s chair, Mike Wilkins, did address the company’s AGM, telling angry shareholders that “the cyber-attack was unprecedented” and that it was a “shocking crime” the size and scale of which had not been seen before. Overall, the Medibank chair and board have been AWOL during the entire cyber episode, just like Optus.

Besides the breathtaking amount of customer data that has been taken over the last couple of months from major Australian enterprises, the most striking thing about these data robberies has been the jaw-dropping lack of board accountability, summed up best by the Optus CEO: “I’m not the person doing cybersecurity.”

In view of these seismic data thefts, how is customer data governed in Australia’s leading ASX companies? Hopefully, Deloitte’s report on Optus and Medibank will shed light on the robustness of their data governance practices and the preventative steps they took to protect customer data against these “unprecedented and shocking crimes.”


  1. Are company director and executive Data Incident Response roles and responsibilities agreed?
  2. Is an approved Data Incident Communications plan in place?
  3. Have the board and executive participated in a Data Incident simulation in the last 12 months?
  4. Are sensitive data and Personally Identifiable Information (PII) encrypted?
  5. Are data metrics reported to the board on a regular basis?
  6. Is ISO 27001 or NIST implemented?
  7. Has an independent vulnerability and penetration test been conducted in the last 12 months?
  8. What is the company’s posture on the Essential Eight maturity matrix*?

*To find out more about the Australian Cyber Security Centre’s Essential Eight Maturity Model, see the Essential Eight Maturity Model page on Cyber.gov.au.

Bill Owens

Veracity CEO