Shara Evans calls the Optus data breach “extinction-level”


According to a technical expert, Optus is facing an “extinction-level catastrophe” as a result of the significant loss of client data to a hacker.

The CEO of a top tech research company, Shara Evans, said the telco’s reaction has been totally insufficient and might result in significant penalties in both Australia and Europe.

According to Ms. Evans, who has worked for US tech and telecom companies Alcatel, Sprint, Telenet, and GTE, “this is an extinction-level event for Optus’s reputation.”

This is a public relations disaster.

According to some projections, there might be up to 11.2 million individuals affected, which would represent 30 to 40% of Australia’s total population.

A data breach in Australia is described by the privacy commissioner as anything that is “likely to do you substantial damage.”

There is no doubt, according to Ms. Evans, that “Optus had a notifiable data breach.”

Your name, date of birth, email address, phone number, or the address linked to your account are among the details that have been made public.

“I have no doubt that this information might lead to identity theft, financial loss via fraud, or major psychological injury,” the author states.

In Australia, a firm may be fined up to $2 million for violating privacy laws, which Ms. Evans termed “pocket change.”

Optus may, however, be subject to far more severe punishments if they come from Europe.

According to Ms. Evans, “there are [millions] of Australians who have dual citizenship with the EU, which means the EU’s General Data Protection Regulation (GDPR) takes effect.”

According to EU legislation, “Optus is accountable for all EU individuals affected by the violation.”

The maximum penalty under the GDPR is €20 million ($29 million) or, if greater, 4% of a company’s worldwide sales for the year before.

Ms. Evans voiced her shock at the telco’s decision to keep so many of its customers in the dark.

The key issue, in her opinion, is: Why weren’t people alerted beforehand?

As soon as someone realized, “Oh my God, this contains birthdates, driver’s licenses, and all sorts of other information,” they should have informed everyone involved.

Ms. Evans thought Optus could have broken the legislation, which is enforced by the federal attorney general and the privacy commissioner.

“It is the law to tell harmed persons immediately,” Ms. Evans stated in reference to the violation.

Although there are many types of information, a person’s birth date unquestionably comes within the category of sensitive information.

Everyone whose information was hacked looks to have had their date of birth exposed.

A company has 30 days to determine if a data breach is likely to “cause severe damage,” according to the commissioner’s website.

Ms. Evans is certain that the Optus breach fits under this heading.

She said that if birth dates and driver’s license numbers are made public, it won’t take 30 days to determine if there is a risk of severe injury.

“You instantly know that.”

They have a duty to disseminate the information in more ways than simply a press release. They possess your telephone number.

Ms. Evans was quite critical of what she saw as the lack of urgency and openness.

“There was zero information about a possible compromise on the Optus web and on the app from day one,” she said.

“I simply don’t think Optus has behaved in good faith with its consumers in terms of disclosure by not informing individuals when it is blatantly clear what this data may be used for,” the author says.

Birth dates may have been the most sensitive information the hacker seems to have obtained, perhaps from every account they took.

You are vulnerable to identity theft if your date of birth is compromised, Ms. Evans added.

The only way to restore your birth date after it has been lost is to pass away.

Ms. Evans described the strategy Optus, in her opinion, ought to have used.

We truly regret having to send you this message, but this is what has occurred; go in to your secure portal (notice a new URL) and you will find further information there. There should have been banners on their app, on their portal, on their website, and proactive SMS messages to everyone.

“And we continue to update you about your situation as we investigate further.”

Ms. Evans claimed that the company’s free credit monitoring provision was insufficient to stop identity theft.

On Monday, Optus said that it was “providing the opportunity to take up a 12-month membership to Equifax Protect at no cost” to “the most impacted current and former customers whose information was stolen due to a hack.”

Given that the business has been secretive about what was taken, Ms. Evans said that this should be made available to everyone whose personal information was stolen.

She questioned, “How do you classify the most affected?”

They seem to be limiting who they are providing it to.

“Lifetime data protection should be provided to everyone affected by this incident.” Nothing about the period is mentioned in their news stories.

You should be watchful for the rest of your life because once your data is hacked, it sometimes takes years before someone does anything to you.

A hacker who has access to a victim’s birthdate and other personal data might at any moment start a credit account in that person’s name.

Ms. Evans stated, “I would never know about that.”

Which is why it is crucial that Optus implements a “forever protection notice” system so that a company can always be aware of attempts to register accounts in your name.

Ms. Evans emphasized that although Equifax provided three different product types, only one of them gave full protection.

She insisted that the ID theft and credit reports be of the highest quality.

“It cannot be either/or.”

In an odd turn of events, the unidentified hacker who claimed responsibility for the Optus data breach on Tuesday morning abruptly expressed regret for the cyber-attack and dropped his demand that the firm pay him $US1 million ($1.5 million) in ransom.

Customers said that they were still getting threatening text messages demanding $2,000 to have their information deleted.

Tuesday morning, “optusdata” stated there were “too many eyes” on them and that they would not sell or release the breached data of up to 10 million Australians.

“My deepest apologies to Optus for this,” optusdata stated in terrible English. “Hope everything goes smoothly from here.”

Australians are now, however, getting ominous SMS messages threatening them and demanding $2,000 in order to have their “private information deleted from the system.”

Customers of Optus are warned in the text that their information would be “sold for fraudulent activities” in two days if they do not heed the warning.

The communication requests that clients email a copy of their receipt and pay $2,000 to an Optusdata-named Commonwealth Bank account.

In the text, it is said that “Optus has left security measures enabling us to access the personal information of their clients including name, email, phone number, date of birth, address, and license number.”

“Optus has not reacted to our demand for payment of the $1M USD ransom, thus your information will be sold and exploited for fraud within two days, or until a payment of $2000 AUD is paid, after which the personal information will be deleted from our computers.”

