“Heads should roll” over the Optus data breach and the incident should catalyse a fundamental change in the way that businesses verify and store customer identities, a panel of cyber security experts has said in highlighting a bevy of errors in the incident response.
The breach of Optus’s customer database – in which nearly 10 million customers’ driver’s licence, contact, passport, Medicare and other details were stolen and held for a US$1 million ransom – has become an early test of Australia’s commitment to protecting its critical infrastructure, with participants in the recent ACS Think Tank giving the company and its executives a resounding ‘fail’.
“If you’re an IT director of a company of any size, and you’ve had a large outbreak of malware where your company can’t recover, can’t do business, and can’t restore data – you are a moron and you should be fired,” said Joseph Dalessandro, Vice Chair of the ACS Cybersecurity Advisory Board.
Recent changes in government security policy added telecommunications providers to the list of eleven key industries that face heightened obligations around cyber security protections and breach handling – yet “the underlying issue with Optus is that it’s a national security issue and it hasn’t been treated as a national security issue,” Dalessandro added, noting that even the leaking of key military personnel’s home addresses could be exploited by malicious nations.
And despite the public apologies of Optus CEO Kelly Bayer Rosmarin, who has proactively fronted the media while handling the breach fallout, panel members agreed that the breach reflected a broader culture of disinterest among executives who, as Louay Ghashash, director of Spartans Security and chair of the ACS Cybersecurity Advisory Board, put it, “don’t take security seriously enough.”
“They use compliance as a checkbox exercise,” he said, “and regulators have a limited amount of power. If you look at the size of Optus and the maximum amount of the fine they might cop today, they possibly spend more on stationery than they will on the fine itself.”
“A breach of that size should see heads roll,” Ghashash added. “That’s when they will start listening, and they will start taking this seriously – both on the regulator side, and on the Optus side.”
Dalessandro agreed, pointing to the financial industry’s Banking Executive Accountability Regime (BEAR), which imposes harsh penalties on executives for lackadaisical behaviour around governance.
“Even an auditor can have their variable compensation clawed back as a penalty from the regulator for not appropriately doing their job,” Dalessandro said. “Why isn’t there a telco version of BEAR?”
Lessons for managing personal data
Even as the government intervenes to facilitate a nationwide response to the breach – including facilitating free credit monitoring and the reissuing of passports and Medicare cards – the incident has reignited an industrywide conversation about the best way for companies to manage personal data.
Rather than retaining raw identity documents in plaintext, for example, Optus could have discarded the raw data once the 100-point check was complete, keeping only a verification token issued by the identity verification system: a token that records that the check passed, contains none of the document data, and has no value outside the specific application for which it was obtained.
“There are probably a thousand different ways that Optus could have created a method with which to store the 100-point identification without including the bare raw data they use,” Dalessandro explained, “but that’s the kind of thinking management should have been doing ahead of time – and not reactively.”
Some backed government intervention, noting services like myGov and the Document Verification Service and suggesting the government could deliver ID verification on a fee-for-service basis – backed by a mandate that storing passport and Medicare data is illegal.
The discovery that many of the compromised records belonged to former Optus customers has raised questions about obligations around long-term data retention, with some flagging the importance of ‘right to be forgotten’ legislation like that already in place under Europe’s GDPR regime.
“I’m hoping this sparks a bigger conversation around data retention rights, data rights, and consumers’ right to be forgotten,” said Jo Dalvean, ACS Vice President of Membership.
Banks “have got it sorted”, she said, but “people who are former customers are finding that their data has been kept and retained – so why was that there?”
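The two ideas raised above, keeping an application-bound verification token instead of the raw 100-point documents, and purging records once the customer relationship has ended, as an added Python example. This is not Optus’s code nor anything produced by the panel: the document point values, the identity-verification provider stub, the HMAC key handling, the record layout and the retention period are all assumptions chosen for illustration.

```python
"""Added example: attest that a 100-point check passed without storing the
documents, then sweep records of former customers. Not Optus's system."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical per-application secret. In a real deployment it would live in
# a KMS/HSM, so a stolen database dump alone cannot forge or check tokens.
APP_KEY = secrets.token_bytes(32)

# Illustrative point values, not the official 100-point schedule.
DOCUMENT_POINTS = {"passport": 70, "drivers_licence": 40, "medicare": 25}


def run_100_point_check(documents: dict) -> str | None:
    """Stand-in for the verification provider (a DVS-style lookup).
    Assumption: the real provider returns an opaque reference on success
    rather than echoing the document data back. Returns None on failure."""
    if sum(DOCUMENT_POINTS.get(kind, 0) for kind in documents) < 100:
        return None
    return "dvs-" + secrets.token_hex(8)


def issue_verification_token(customer_id: str, verified_at: datetime,
                             provider_ref: str, app_key: bytes = APP_KEY) -> str:
    """HMAC over (customer, time, provider reference) under this app's key.
    The token attests that the check passed; it carries no document numbers,
    and a service without app_key can neither validate nor replay it."""
    payload = json.dumps(
        {"cid": customer_id, "at": verified_at.isoformat(), "ref": provider_ref},
        sort_keys=True,
    ).encode()
    return hmac.new(app_key, payload, hashlib.sha256).hexdigest()


@dataclass
class CustomerRecord:
    customer_id: str
    verified_at: datetime
    provider_ref: str
    token: str
    active: bool = True
    left_at: datetime | None = None
    # No passport, licence or Medicare numbers are stored anywhere here.


def onboard(customer_id: str, documents: dict, now: datetime) -> CustomerRecord | None:
    """Run the check, keep only the attestation, and discard the raw data."""
    provider_ref = run_100_point_check(documents)
    if provider_ref is None:
        return None
    token = issue_verification_token(customer_id, now, provider_ref)
    documents.clear()  # raw identity documents are never written to storage
    return CustomerRecord(customer_id, now, provider_ref, token)


def is_token_valid(record: CustomerRecord, app_key: bytes = APP_KEY) -> bool:
    """Recompute the HMAC; a token minted for another application fails here."""
    expected = issue_verification_token(record.customer_id, record.verified_at,
                                        record.provider_ref, app_key)
    return hmac.compare_digest(expected, record.token)


def stored_fields_contain_raw_documents(record: CustomerRecord, documents: dict) -> bool:
    """Audit check: does anything persisted contain a raw document value?"""
    serialised = json.dumps(asdict(record), default=str)
    return any(str(value) in serialised for value in documents.values())


def purge_former_customers(records: list[CustomerRecord], now: datetime,
                           retention: timedelta) -> list[CustomerRecord]:
    """Retention sweep: drop records of customers who left longer ago than
    `retention`. Active customers and those still inside the window are kept."""
    return [r for r in records
            if r.active or r.left_at is None or now - r.left_at <= retention]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    docs = {"passport": "PA1234567", "drivers_licence": "DL987654"}  # constructed
    rec = onboard("cust-001", docs, now)
    print("onboarded:", rec is not None, "| raw docs left in memory:", docs)
    print("token valid for this app:", is_token_valid(rec))
    print("token valid for another app:", is_token_valid(rec, b"other-app-key"))
    rec.active, rec.left_at = False, now - timedelta(days=400)
    print("kept after sweep:", purge_former_customers([rec], now, timedelta(days=365)))
```

The record stores who was verified, when, and by which provider reference, which is enough to prove the obligation was met; anyone who steals the table gets nothing they can present as identity elsewhere, and the sweep removes even that once a former customer falls outside the retention window.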
The issues raised during the Optus breach highlight broader themes around professionalism in cyber security, including the importance of clearer standards for activities such as ethical hacking.
“There’s a current need for professionalism in cyber security purely because we have to distinguish between legitimate use of information and illegitimate use of information,” explained cyber security expert Tom Cleary.
“To be fixed, there has to be some honest broker who can be trusted to test your systems so the obvious holes like [Optus’s API breach] don’t get exploited by the bad guys.”
And while some companies have launched formal bug-bounty programs, many others face a regular onslaught from self-styled ethical hackers: “we have called the police on people who say they are just testing defences,” Dalvean said, “but they don’t work for us.”
Ultimately, she said, winning the war on cyber security requires a unified approach that captures cyber security specialists, executives, information management specialists, and others.
“My interest in this is to make sure that the responsibility for cyber security is not the responsibility of the cyber security team,” she explained. “It’s actually information management, and in the way that DevOps runs.
“There are rules to follow; there are ways of behaving; there are go/no-go activities. It’s regimented, and it’s protected.”