OPINION: In the wake of the Optus cyber incident, corporate Australia has been put on notice. With costs continuing to mount for replacement driver licences and passports, a Deloitte investigation underway and the brand value of Optus at an all-time low, the Optus case means there are no more excuses for CEOs and boards not taking responsibility for data governance.
In this article, I’ll review the Optus scenario and clarify what steps you can take to ensure your company is not the next to make headlines for a customer privacy breach.
The Optus Story
On 17 September, the names and email addresses associated with 1.1 million Optus customers were allegedly put up for sale, according to threat analyst Brett Callow. On Wednesday 21 September, Optus investigated and shut down a ‘possible’ unauthorised access to customer information.
At 2 pm the following afternoon, a public holiday in Australia, Optus posted on its website that it had been subject to a cyber-attack resulting in the disclosure of customers’ personal information. Optus urged customers to be vigilant as exposed information may have included names, dates of birth, phone numbers, email addresses and for some customers addresses and ID document numbers such as driver licences or passport numbers.
The telco confirmed payment details and account passwords were not compromised, and services remained safe to use. Optus opined that it was “not aware of customers having suffered any harm” although it had not contacted any customers to confirm this.
On Friday 23 September Optus CEO, Kelly Bayer Rosmarin, conducted a virtual press conference to apologise to all customers. She did not confirm how many people were affected, but said 9.8 million customers was the “absolute worst-case scenario”, that “the number was smaller than that” and that, “importantly, it was a very small subset of data dating back to 2017, which did not include any financial data or passwords”. Bayer Rosmarin added that Optus will “proactively contact each individual customer with very clear explanations of which data has been exposed and potentially taken.”
Ms Bayer Rosmarin would not provide details on the nature of the vulnerability, saying it was the “subject of criminal proceedings”, although she intimated that it was a “sophisticated attack, coming out of various countries in Europe.” On Wednesday 28 September, Optus revealed for the first time that almost 37,000 Medicare numbers were also compromised in the cyber incident.
On 3 October, 12 days after the cyber incident was first reported, Optus announced it had commissioned Deloitte to conduct an independent external forensic assessment of the company’s cyber event with a focus on security systems and processes. That afternoon Optus confirmed that 2.1m customers had one form of ID number exposed in the incursion, with 900,000 of those being ID numbers from expired documents. Ms Bayer Rosmarin reiterated her commitment to rebuilding trust with customers. When asked if she was feeling pressure to resign, she said, “I’m not the person doing cybersecurity.”
The following day Optus disclosed that it had hired a ‘crisis expert’ to navigate the cyber crisis amid ongoing criticism from customers, the federal government, regulators, and cyber specialists on its handling of the incident that exposed the personal data of 40% of Australia’s population.
Contrary to Bayer Rosmarin’s claims that Optus would “proactively contact each individual customer with very clear explanations”, it appears the customer experience has been very different. Customers remain outraged, left feeling vulnerable and confused by the company’s poor, drip-fed and contradictory communication. A week after the incident, some had received a single email with no advice on what to do; others got nothing. Optus’s online chat platform has been inundated with reports of wait times of between three and 18 hours.
Although the telco has offered those most affected a 12-month credit monitoring subscription through Equifax Protect, customers expressed frustration there had been no direct communication on how to access the service. Optus has seemingly forgotten that customer data doesn’t belong to them.
The federal government’s response has been equally scathing. The Home Affairs and Cyber Security minister, Clare O’Neil, questioned why Optus had held on to that much personal information for so long. She also queried the notion that the incident was sophisticated, claiming that Optus “left the window open.”
The government was “incredibly angry” that it had to rely on powers in the Telecommunications Act to get Optus to provide the government with information. Minister O’Neil said that Australia was ten years behind on privacy and that penalties for telcos are “totally inappropriate.” She indicated that the government would pursue “very substantial” reforms in the wake of the cyber incident since it did not have the capacity to fine Optus.
While the government considers regulatory reform, the Office of the Australian Information Commissioner (OAIC) is hamstrung. It is underfunded, making it difficult for it to enforce existing privacy laws. The $2.2 million fine for serious breaches of privacy, modest by international standards, has never once been imposed. Australian telcos sit outside these minimum cybersecurity standards, in any case, having lobbied to be excluded from the laws, citing their superior defences.
Optus’s response to this cyber debacle has been intriguing throughout with the drip-feed of economical and misleading information; Optus’s CEO, Kelly Bayer Rosmarin being the lone face of the incident; the fierce customer backlash; the ferocious government reaction and even the Privacy regulator’s consistent disquiet. How did Optus get its response to Australia’s biggest data breach so wrong?
The answer lies in its data governance arrangements. Optus positions itself in Australia as a courageous challenger brand, the underdog minnow that Australians should back against Telstra’s market dominance. When the cyber breach broke weeks ago, Bayer Rosmarin called on ‘team Australia’ to be extra vigilant against the sophisticated global cyber criminals who had breached the telco’s defences. In this narrative Optus was clearly the victim while remaining its customers’ champion. Bayer Rosmarin’s teary press conference appearance fit this narrative.
While playing the underdog in Australia, Optus is in fact part of Singtel, a leading Asian conglomerate with almost 780 million mobile customers across India, South Asia, Africa, Philippines, Singapore, Indonesia, and Australia. While Optus contributes 43% of revenue to the group, it represents only 1% of its mobile customer base.
There is no evidence of a data governance model at Optus or any meaningful national governance at all. Optus does not have a board of directors, a chair, or a risk committee to which the CEO reports. With the greatest respect to Ms Bayer Rosmarin, her role is more akin to a ‘General Manager, Consumer’ than a ‘Chief Executive Officer’ of a major national corporation. The Optus CEO Review in Singtel’s latest annual review is full of ‘bold ambition,’ ‘5G rollout’, transformative ‘customer experiences’, ‘market growth’, new service offerings like Smart Spaces and Smart Hub and becoming ‘Australia’s most loved everyday brand’ driving the operators’ most revered metric – Average Revenue Per User (ARPU). There is no mention of shareholder value, managing risk, or compliance, since Singtel is Optus’s single shareholder and governance is its responsibility.
Corporate governance at Singtel is strong. The Chair, Lee Theng Kiat presides over a board of eleven independent, well-credentialed directors, and two experienced executive directors. The main board as well as Audit; Corporate Governance & Nominations; Executive Resource & Compensation; Finance & Investment; and Risk committees govern the Group CEO, Yuen Kuan Moon, and the Management Committee, on which the Optus CEO sits.
There are two advisory committees. The Optus Advisory Committee (OAC) comprises board and non-board members as well as David Gonski, John Marschel and Paul O’Sullivan, who confusingly holds the role of Optus Chairman. The Technology Advisory Panel (TAP) advises the board on developments, issues, and emerging trends in the technology space.
Governance responsibility for the telco group’s Risk Management Framework rests with the Board; Risk, Audit and Management Committees; a Risk Management Committee; and a Cyber Security Resiliency Committee. Data protection and privacy, cyber security, technology, and information technology are all risk factors identified in the risk framework.
While this governance structure presides at group level, providing direction for more than six countries, there’s no mention of Optus’s governance and risk framework in the Singtel Annual Report 2022. An Optus security executive reports to the Optus CIO, who in turn is accountable to the Group Chief Information Officer/Group Chief Digital Officer, and Group Chief Technology Officer.
Lessons for corporate Australia
1. Optus didn’t have a Cyber Incident Response Plan as part of its data governance framework.
Optus did not have a Data Governance framework implemented, as demonstrated by the absence of a Cyber Incident Response Plan (CIRP), a standard requirement and recommendation of the Privacy Commissioner. No incident report has been tabled since Australia’s most damaging incursion occurred on 21 September. This fact alone suggests that the incident was not a sophisticated, internet-wide vulnerability but the result of an unprotected Application Programming Interface (API), as the hacker claimed.
2. Optus didn’t appear to have a Cyber Communications Plan.
Optus didn’t have a coherent, tested Cyber Communications Plan in place, as illustrated by its singular ability to enrage all Australian stakeholders simultaneously, including customers, the federal government, regulators, cyber security specialists and the media. Also, after two weeks of deteriorating relationships, Optus felt compelled to hire a crisis communications expert.
If a national Data Governance Framework had been implemented, the Singtel Group Chairman and Group CEO would have fronted the press conference on day one to support the Optus CEO. Alternatively, to maintain the ‘challenger brand’ perception, Kelly Bayer Rosmarin could have been flanked by the Australian directors and advisors on the main board and the OAC when addressing the Australian public.
3. Optus senior management appeared not to know where its data is held.
It doesn’t appear that the Optus executive team knew where customer data was held, whether it was secure, or could prove independently that it was protected. These are the three essentials of an effective Data Governance Framework. Hopefully, Deloitte’s report will assist here, so the next Optus CEO never again declares that “I’m not the person doing cybersecurity” but instead reassures the Australian public that “My Chair, the Optus board and I are responsible and accountable for keeping the identifiable data of Australian customers safe.”
What steps should you take now?
Don’t make the mistake of thinking the first action should be to upgrade your cyber security. This is a whole-of-business data governance matter.
The costs of not taking responsibility for this governance are now becoming evident for Optus in brand reputation, revenue, and company culture.
Insight #1: Know where your data is held. In most organisations, Personally Identifiable Information (PII) is held in many data repositories across the business and on third-party platforms, including finance, CRM, marketing automation and productivity applications, as well as backup devices and spreadsheets. Undertake a comprehensive review of these data repositories to confirm where your corporate data is held.
Insight #2: Determine that your data is secure. Once you have determined where your data is held, ensure that access to it is sufficiently protected so that your corporate data is only available to those authorised to use it.
Insight #3: Prove that your data is secure. It’s imperative to demonstrate your data is secure by undertaking regular, independent penetration and vulnerability assessments of your data repositories and ICT platform, including exposure to social engineering, the deceptive techniques used to manipulate staff and managers into divulging confidential or personal information that may later be used for fraudulent purposes.
If in doubt, seek support from an ICT Services company that specialises in data governance. It will be some time before the enormous financial costs to Optus are tallied, but undoubtedly an early investment in data governance policies and procedures would have been incidental by comparison.
Bill Owens is the author of the Digital Literacy for Leaders series and Managing Director of Veracity, a leading Brisbane-based IT services consultancy.