Australia to toughen privacy laws after huge telecom cyber attack

The Australian government plans to overhaul its rules regarding disclosure of cyberattacks following an extensive attack on its second-largest telecoms firm, Optus. The current law does not allow companies to share information about their customers with third parties such as banks, making it difficult to notify banks of users who may have been affected in order to minimize fraud.

One of the most significant data breaches the country has ever faced, the attack in question involved the seizure of home addresses, drivers’ licenses, and passport numbers of up to 10 million customers, which is about 40% of Australia’s population. Account passwords and payment details were not compromised, however.

Optus did not share how the breach occurred, but some reports suggest that it was due to an improperly secured API that Optus had developed to comply with multi-factor authentication regulations. According to The Verge, someone claiming to be the hacker conversed with journalist Jeremy Kirk and confirmed this was the case. The apparent hacker told Kirk that they accessed the API endpoint without needing a login or authentication, pointing out that the system was open to anyone who wanted to try. They then sequentially queried each value of the API’s unique identifier field, labeled “contactid”, recording each user’s data one record at a time until it amounted to millions.
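The pattern described above combines two defects: an endpoint that answers without any authentication, and a record identifier that is both predictable and never checked against the caller. The following is an added example written for this page (not Optus code, and not from the article) showing the two defender-side controls that address it: a lookup handler that requires a session and enforces object-level authorization, and a log scan that flags a client walking consecutive identifiers. The log format, the `/api/contacts/{contactid}` path, the session shape and every record and log line are constructed for the example.

```python
"""
Added example, not from the article or from Optus: defensive controls for an
API that served customer records by a sequential "contactid" without
authentication or an ownership check. Everything here is constructed.
"""
import re
from collections import defaultdict

# --- 1. Hardened lookup: authenticate, then authorize per object ------------

# Constructed store: contactid -> record; owner_id says which account owns it.
CONTACTS = {
    1001: {"owner_id": "acct-A", "name": "Alice", "passport": "[redacted]"},
    1002: {"owner_id": "acct-B", "name": "Bob", "passport": "[redacted]"},
}

def get_contact(session, contact_id, store=CONTACTS):
    """Return (http_status, record_or_None).

    `session` is a constructed dict; None or a dict without "account_id"
    models the unauthenticated access described in the article.
    """
    if not session or "account_id" not in session:
        return 401, None                      # no identity: refuse outright
    record = store.get(contact_id)
    # Same response for a missing record and for someone else's record, so the
    # status code does not reveal which identifiers exist.
    if record is None or record["owner_id"] != session["account_id"]:
        return 403, None
    return 200, record

# --- 2. Detection: a client walking consecutive contactids -------------------

# Constructed log line shape: '<client-ip> <auth-token-or-dash> "GET /api/contacts/<id>" <status>'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<auth>\S+) "GET /api/contacts/(?P<cid>\d+)" (?P<status>\d{3})$'
)

def parse_line(line):
    """Return (ip, auth, contactid, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("auth"), int(m.group("cid")), int(m.group("status"))

def find_enumerators(lines, min_run=5):
    """Flag clients whose successive requests form a run of consecutive
    contactids at least `min_run` long.

    Returns {ip: (longest_run, unauthenticated_request_count)}.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_ip[parsed[0]].append(parsed)

    flagged = {}
    for ip, reqs in by_ip.items():
        longest = run = 1
        for prev, cur in zip(reqs, reqs[1:]):
            run = run + 1 if cur[2] == prev[2] + 1 else 1   # consecutive id?
            longest = max(longest, run)
        unauth = sum(1 for r in reqs if r[1] == "-")        # "-" = no token
        if longest >= min_run:
            flagged[ip] = (longest, unauth)
    return flagged

# Constructed sample log: one client sweeping ids with no token, two normal users.
SAMPLE_LOG = [
    '203.0.113.5 - "GET /api/contacts/1001" 200',
    '203.0.113.5 - "GET /api/contacts/1002" 200',
    '203.0.113.5 - "GET /api/contacts/1003" 200',
    '203.0.113.5 - "GET /api/contacts/1004" 200',
    '203.0.113.5 - "GET /api/contacts/1005" 200',
    '203.0.113.5 - "GET /api/contacts/1006" 200',
    '198.51.100.7 tok-A "GET /api/contacts/1001" 200',
    '198.51.100.7 tok-A "GET /api/contacts/1001" 200',
    '198.51.100.9 tok-B "GET /api/contacts/1002" 200',
    '198.51.100.9 tok-B "GET /api/contacts/4410" 403',
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))        # {'203.0.113.5': (6, 6)}
    print(get_contact({"account_id": "acct-A"}, 1001))
    print(get_contact(None, 1001))              # (401, None)
```

The ownership check is the part that matters most: even with authentication in front of the endpoint, a guessable identifier that is not tied to the caller still lets any one customer read every other customer's record. Run-length on consecutive identifiers is a deliberately simple detector; in practice it would sit alongside per-client rate limits and would treat a high count of unauthenticated hits on a customer-data path as its own alert.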

The person claiming to be behind the breach also posted in a hacking forum, offering to sell the data for $150,000. They also shared free sample files which contained the information of 10,000 breached individuals. Meanwhile, they named an extortion price of $1 million in Monero cryptocurrency, which Optus would need to pay to keep the data private. 

Since then, Australia’s Senate has reviewed the federal government’s bill on changing data breach penalty laws, giving it the green light. Drafted in response to the Optus breach, the bill proposes raising penalties against companies for severe or repeated data breaches. The maximum penalty proposed is either three times the financial benefit of data breaches for malicious actors, ranging from $2.2 million to $50 million, or 30% of a company’s adjusted turnover in the relevant period. Although the bill passed, many criticized its lack of specificity. They recommended it be amended to clarify elements such as what constitutes a “serious interference” and how such a law would impact small and medium businesses.

Now it just needs to pass Parliamentary approval to become enshrined in law.
