Unless you spent the end of September 2022 on a digital detox, you would know by now about the Optus data breach. On the afternoon of Thursday 22 September 2022, a national public holiday held to mark the passing of Queen Elizabeth II, headlines began appearing that Optus, Australia’s second largest telecommunications provider, had experienced a ‘significant’ data breach as a result of cyber attack. While the more conservative reports were reticent about estimating the number of records involved, many publications quoted 9.8 million customers as being affected. This mind-boggling estimate was subsequently confirmed by the organisation itself.
No doubt much will continue to be said in the wake of the cyber attack about the reasons for the damage this incident has done to the Optus brand and bottom line. But one thing is clear: the data breach, while unfortunate, provides an important case study that businesses should not ignore, and a vital lesson for corporate Australia with three key take-aways:
- Don’t create an accidental data honeypot;
- Be ready to respond and repair; and
- Understand (and budget for) the true cost of a data breach.
1. Don’t create an accidental data honeypot
A ‘honeypot’ is a term used in computing that usually describes a method of baiting potential hackers: a fake, high-value dataset is created to lure them away from the real data so that their actions can be detected and deflected. However, it appears (from recent data incidents) that many organisations are inadvertently creating literal honeypots of their actual data, too enticing for hackers to resist. In the case of the Optus data breach, it has been reported that the telco was storing a substantial and high-value customer data set (including large numbers of ID verification details, such as passport and driver’s licence details). It has been argued that such valuable information may well have been a siren’s song to would-be attackers.
Consequently, the Optus data breach has prompted an important conversation in Australia about data retention. In Europe, under the EU’s strict privacy laws, the General Data Protection Regulation (GDPR) requires companies to adhere to a principle of ‘data minimisation’. This principle refers to the practice of limiting the collection (and storage) of personal information to that which is directly relevant and necessary to accomplish the understood purpose. Here in Australia, companies required to comply with the Privacy Act 1988 (Cth) (Privacy Act), known as APP entities, must comply with Australian Privacy Principle (APP) 11. APP 11 states that where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified. However, there are exceptions to this requirement. Importantly, this obligation does not apply if an APP entity is ‘required by law’ to retain the personal information.
Unfortunately for businesses, determining what data they are required by law to keep is not always a straightforward proposition. Australia has a patchwork of different legislative requirements for data retention, often depending on what the data is and its purpose. This means that companies are often faced with unpacking a confusing set of overlapping requirements for all of their different data sets.
Of course, it would be naïve to suggest that regulatory compliance is the sole reason that Australian companies retain so much data. In the wake of the Optus data breach, many commentators have accused corporations of collecting large numbers of records for marketing and data enrichment purposes, or even ‘just in case’. One thing is for certain: data retention laws and practices across all business sectors are likely to come under heavy scrutiny in the coming months.
Businesses should consider whether the data they are currently holding is really worth the risk exposure to the business in the event of a data breach. Remember that the mandatory notification obligations under the Notifiable Data Breaches scheme in the Privacy Act only apply to eligible data breaches of personal information that is actually held by an entity with obligations under that legislation. If you aren’t collecting or storing it, it can’t be breached.
So, what are some steps you can take today to avoid creating a lure for cyber attackers and reduce your risk exposure?
- build customer trust by only collecting the data that you need;
- put in place a robust Data Retention Policy; and
- adhere to a Data Retention Schedule that aligns with your Data Retention Policy and ensures all applicable data retention laws are considered.
2. Be ready to respond and repair
Almost no one could have anticipated the level of scrutiny that the Optus data breach response measures have been subjected to. From customer notification letters being criticised on national TV morning programs, to disapproving press conferences by the Prime Minister and prime-time interviews with the Minister for Cyber Security, almost every aspect of the response (and the company’s actions) has been weighed in on. While some of the more sensational headlines may have been unfairly negative, the post-incident fallout has read like a cautionary tale for businesses on data breach response measures.
One of the critical steps businesses can take in ensuring that they are ready to respond to a data breach is to have a set of communications ready to go in the event of a worst-case scenario. These communications (from pre-filled regulatory notification forms to customer data breach notification letters) will form part of your organisation’s Data Breach Response Plan. Of course, notifications will need to be adapted to suit the circumstances of each individual breach, but having a considered template will save your team time (and stress) when the stakes are high.
In the days following the first notifications to Optus customers, there appeared to be almost hourly updates on the measures that Optus would be taking to repair its client relationships. It is important that your Data Breach Response Plan considers every possible communication and response measure (including engagement with third parties such as government agencies and/or banks).
Some steps you can take today to boost your data breach resilience include:
- developing and implementing a Data Breach Response Plan;
- drafting a set of notification templates for your communications and notifications in the event of a data breach; and
- training your team on all of the above!
3. Understand (and budget for) the true cost of a data breach
One of the useful tools to help with budgeting for a data breach is the Cost of a Data Breach Report – a study conducted by the Ponemon Institute, sponsored by IBM. In the most recent 2022 report, the average total cost of a data breach was calculated at USD $4.35M. This is an all-time high, an increase of 12.7% from USD $3.86M in the 2020 report.
While much has been said about the inadequacy of the currently available financial penalties in the Privacy Act (which effectively amount to just over 2M AUD), it is important to understand that regulatory fines and penalties are only one factor to consider in understanding the true impact of a data breach on an organisation’s balance sheet.
In the case of the Optus data breach, at the time of writing, the company has agreed to:
- replace passports;
- offer credit monitoring services; and
- engage IDCare,
to provide assistance to relevant affected individuals. In addition, it has also commissioned an independent external review of the cyber attack and of its security systems, controls and processes.
These costs are quite apart from any potential civil penalties or the outcome of class actions that have been commenced by personal injury law firms on behalf of Optus’ customers affected by the data breach. The direct financial costs are climbing, and the indirect financial costs (due to the impact on the brand’s reputation) are yet to be counted.
What are some considerations you should start taking today to reduce the potential impact on your bottom line?
- consider your agreements with any third parties that process data on your behalf: do they contemplate which party will be liable in the event of a data breach?
- talk to your insurance broker about how any of your relevant policies may respond if you find yourself in the position of needing to cover costs like those incurred by Optus; and
- operationalise privacy compliance to reduce the risk of a data breach occurring in the first place.
Prepare and Protect
At PB, we are specialists in regulatory compliance, and data protection and privacy in particular. We know first-hand that operationalising privacy compliance is critical to a business’ ability to respond quickly to a data breach and reduce the impact to your brand and bottom line. For that reason, we’ve built our online training and compliance platform, ComPotency, designed to support businesses just like yours to empower and embed compliance, and most importantly, to boost their data breach resilience.
To learn how to boost your team’s data breach resilience through 24/7 access to targeted training, core policies and procedures and other privacy compliance guidance, book a call with our PB team here to find out how our ComPotency platform can help you to supercharge privacy compliance today.
You can also download our Free Operationalising Privacy Compliance White Paper, for more useful tips on preparing and responding to a data breach.
1300 774 788
Suite 17, 116-120 Melbourne St, Nth Adelaide, SA 5006