In September of 2022, Optus' IT systems suffered a cyber attack resulting in a breach of data affecting up to 10 million Australian customers. This data included the customer names, dates of birth, phone numbers and email addresses of both current and former customers. Some customers also saw their street addresses, driver's licenses and passport numbers leaked as part of the breach.
On the 24th of September, Australian media reported that Optus was currently investigating the authenticity of a ransom demand for US$1 Million posted to a hacking forum. The demand stated the ransom was to be paid in cryptocurrency within a week or the breached data would be sold for US$300,000.
On the 6th of October, the AFP announced the arrest of a 19-year-old man who allegedly threatened 93 Optus customers, claiming that he would make use of their leaked information to commit financial crimes unless they paid him AUD$2000. The AFP investigation began when they were made aware of text messages being sent to those affected by the leak with the aforementioned demands.
Government Response & Regulation
In October the Australian Federal Government announced emergency regulation to take effect on the 6th of October, forming a 12-month amendment to the Telecommunications Regulations 2021. According to the announcement the amendment is intended to:
"...enable telecommunications companies to temporarily share approved government identifier information (such as drivers licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach."
Prime Minister Anthony Albanese stressed that it is Optus' responsibility to manage the fallout of the hack:
“We've written to Optus making clear the government's view, which is that taxpayers shouldn't pick up the bill here.”
Mr. Albanese also intends to pursue reforms which would increase the penalties for such situations. The 1988 Privacy Act currently caps fines on businesses at only $2.2 million.
The hack is also currently being investigated by the Office of the Australian Information Commissioner, whose inquiry is intended to explore how Optus managed customer data.
Sources & Further Reading