Optus, an Australian telecommunications company, experienced a cyberattack last year, on September 22, 2022, one of the most prominent breaches in Australian history. As a result, customers had their personal information stolen and leaked on the dark web. Outrage from customers and businesses was rampant across social media, in the press and, of course, in conversations within our cybersecurity industry. The breach has now led to a class action lawsuit led by an Australian consumer law firm, Slater & Gordon.
In order to investigate this breach, Optus enlisted the services of Deloitte. However, Optus is currently seeking to prevent the disclosure of Deloitte’s report on the cyberattack by invoking legal professional privilege. Consequently, the customers whose data was compromised may be unable to learn the details of how the cyberattack occurred, as Optus intends to maintain the confidentiality of the report.
Last year, we tackled the incident on 2Fa.tv to discuss the recent breach and the impact it had on our cybersecurity industry. I was joined by Sean Duca, Vice President, Regional Chief Security Officer – APJ at Palo Alto Networks and Wayne Williamson CISO AU/NZ from Equifax.
Take a look at what we discussed:
A year has flown by and I wanted to explore how people were approaching the aftermath and their thoughts on this breach a year later. I called back Sean and Wayne to add their two cents.
Williamson opened with, “What’s happened, one year on? I’d like to say a lot, but I just don’t know if we as a nation have moved fast enough… especially if another ‘major’ breach occurred.”
“The breach last year was a terrible event that affected the lives of millions of Australians, but there may be a silver lining,” commented Sean Duca, from Palo Alto Networks.
Optus was just the start of a run of major breaches in Australia. The string of breaches that followed made it clear that these attacks can happen to anyone.
“The attack served as a wake-up call for Australia, demonstrating that even large and well-resourced organisations can be vulnerable to cyberattacks; all it takes is for cyber adversaries to get it right in one try.”
“This has brought cyber security to the forefront of the Australian public,” commented Duca.
“These things take time, and there are some great visible remnants from the Australian Government’s investment into cyber – the most noticeable being the appointment of a cyber coordinator,” offered Williamson.
Recovering from any breach takes time, and the Equifax Chief Information Security Officer, AU/NZ would know, as his company was involved in a major breach back in 2017. Hearing from people like Williamson builds confidence in how to navigate these precarious situations.
So now what happens? Lessons learned from mistakes need to drive change. After any breach, people want to know in detail what the forensic investigation found, which in turn gives other companies the insight they need to improve their own security posture. Optus, however, has asked the courts to stop the release of the Deloitte cyberattack report.
“One year on, reflecting on the lessons learned from this breach and taking steps to prevent another is essential. We’ve seen significant progress as businesses prioritise their cyber security posture and the government changes data regulations to protect Australians better,” said Duca.
Both the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) are investigating the breach, and their findings will be made public eventually. When eventually is, we’re not quite sure yet.
“However, on the privacy side, we haven’t yet seen strong mechanisms applied that would allow greater enablement to individuals on their rights to control how their personal information is collected, used and retained. In saying this, I am positive we will see it – but when?” Williamson commented.
Australia’s National Cyber Security Coordinator is also working on cybersecurity issues.
“We hope to see greater public-private collaboration as the government drafts its next cyber security strategy to create a framework that builds on established cyber security best practices and state-of-the-art capabilities to strengthen Australia’s cyber resiliency,” Duca said.
What we do know is that post-incident trust goes south quickly. Optus has become the least-trusted company in Australia due to this incident, according to Roy Morgan research.
This report talks about how people in Australia trust or don’t trust different brands. It found that Optus became the least trusted brand because of a data breach they had in 2022. Even though people’s trust in Optus has improved a bit since then, many still don’t trust them as much as before.
The report says that once people start distrusting a brand, it’s hard for the brand to regain trust. This is a problem for not only Optus but also for the telecommunications industry as a whole because it’s now the least trusted industry in Australia. Other brands like Medibank and TikTok have also lost trust recently. On the other hand, brands like Woolworths and Coles are the most trusted ones. The report suggests that companies should take distrust seriously because it can affect their business.