The Optus data breach is argued to be the worst data breach in Australia’s history. It highlights the significant potential impact of data breaches, especially in the absence of a comprehensive privacy framework such as the GDPR.
Last week, the Australian telecommunications company Optus – which has an estimated 10 million customers (around 40% of the Australian population) – had personal data stolen in what the company calls a “sophisticated” cyber-attack. Yet the perpetrator undermined this claim, stating on a data breach forum that they accessed the data through a freely accessible software interface that required neither authentication nor authorisation to retrieve customer data.
The scale of the breach was significant, with a high volume of customer personal data being taken. This included email addresses, home addresses and dates of birth. Around 2.8 million people also had their passport or licence numbers taken, meaning there is a “quite significant” risk of identity theft and fraud.
The breach occurred on Thursday 22nd September, with Optus making it public roughly 24 hours after it noticed suspicious activity on its network; Optus reported that the attack appeared to have originated overseas. Ransom threats were made on Saturday 24th September when an internet user shared samples of Optus customer data on an online forum and demanded a ransom of $1m in cryptocurrency. According to the user, Optus was given a week to pay, or batches of the customer data would be sold off.
The ransom threat escalated on Tuesday 27th September when the same user released a further 100,000 records and repeated their ransom deadline. Yet, just hours later, the user apologised saying it had been a “mistake” and deleted these published data sets, perhaps being spooked by the police investigation. However, other users on this forum copied and recirculated these deleted data sets. Optus deny they have paid any ransom.
Further detail became available on 28th September. 37,000 customers’ Medicare details (government ID numbers that could provide access to medical records) had also been stolen. This was an element Optus did not previously reveal. This ignited a campaign by customers for Optus to be transparent and clear about what personal data has been compromised. One customer, interviewed by The Guardian, states how “incredibly difficult” it has been to receive a clear picture from Optus about what has happened. The customer went on to highlight only one email had been sent by Optus which did not contain any advice or help for affected customers.
Stricter data privacy regulations, such as those stemming from the General Data Protection Regulation (GDPR) in Europe, may have prevented the Optus breach, or at least reduced some of the likely impact on the data subjects whose personal data has been implicated. For instance, the integration of privacy by design and by default, as stipulated in Article 25 of the GDPR, would likely have prevented a breach of this scale and scope. It would, for example, ensure that all personal data within the company is secured and governed from inception by technical security measures, including encryption, firewalls and multi-factor authentication.
By contrast, Australia’s limited data privacy legislative framework means there are few requirements in place for organisations such as Optus, not only in privacy by design and by default but also in the domain of incident identification, investigation and reporting.
Under the GDPR regime, the Optus data breach would undoubtedly have been considered high risk and would therefore have had to be reported to the relevant Supervisory Authority (SA) within 72 hours of its discovery, and to impacted customers without undue delay.
Notifying the Affected Individuals
Under the GDPR, if the data breach your organisation is facing is likely to result in a high risk to the rights and freedoms of individuals, you are required to inform them of the breach without undue delay.
A personal data breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised.
The more severe the impact of the breach, the higher the risk; likewise, the more likely the consequences are to occur, the higher the risk.
In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. Where there are any, you should also tell them the best steps they can take to protect themselves in the short term, e.g. changing their passwords.
Notifying the Supervisory Authority
If you decide not to notify individuals, the GDPR still requires your organisation to notify the Supervisory Authority, unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.
Not all breaches need to be reported to the affected individuals and not all breaches need to be reported to the Supervisory Authority. It is up to your organisation to determine the extent of harm the breach could cause and then act accordingly. However, it should be noted that failure to notify the necessary parties in the event of a breach is a breach of the General Data Protection Regulation (GDPR).
It is therefore extremely important that your organisation has a good grasp of its risk assessment methodology and of the steps that should be taken to assess the impact of a personal data breach, should one materialise. This methodology could make the difference between reporting a breach correctly and under- or over-reporting it, and therefore failing to prevent further harm to data subjects.
How Can Bridewell Help?
If your organisation has recently suffered a data breach or if you would like to get ahead of the curve and ensure that you are in the best position to respond to a breach of this scale, Bridewell’s services could be of use.
Our team of highly experienced GDPR consultants can offer a gap analysis that will provide a detailed perspective on your current business maturity, and then work to ensure your organisation has what it needs to minimise the risks associated with personal data breaches and reporting.