Increasing government bureaucracy is not necessary to mitigate the fallout of the Optus cyberattack, says an Australian business law expert.
Australia’s second-largest telecommunications company revealed the breach on Sept. 22. A user known as “OptusData” subsequently demanded US$1 million for the stolen personal details of 9.8 million Optus customers, including driver’s licence details, passport numbers, home and email addresses, and Medicare numbers.
The Epoch Times understands Home Affairs Minister Clare O’Neil was referring to the European General Data Protection Regulation (GDPR), under which companies can be fined up to four percent of their global annual turnover for such a leak.
As the government and industry manoeuvre to respond, Rob Nicholls, associate professor in regulation and government at the UNSW Business School, has called for the government to refrain from pushing for more red tape and instead plug the gap in the current system.
“You don’t want a knee-jerk reaction; you need to actually consider the issues,” he told The Epoch Times. “This is a great source of learning, but the solution shouldn’t be ‘Oh, well, we’ll just fine them, or we’ll just increase the levels of fines.’”
“I think it needs to be a much more balanced and holistic approach as to how to deal with the regulatory issue that’s been created.”
A better approach, he added, is to “take a step back and think about firstly, how do we make sure that businesses understand how important personal information is and why it should be kept secure? Does any existing regulation lead to insecurity?”
Another solution, he said, is for telcos not to retain customers’ identity documents over the longer term.
“The real problem with keeping it is that it creates what’s called, in cyber-attacks, a honeypot. The value of the data in a breach is higher because it has more items which actually identify the people involved,” the business law expert said.
But Nicholls noted that it is the government that has required telco companies to obtain customers’ identity documents as part of its Know Your Customer guidelines, to meet a 100-point ID requirement.
“I think they adopted a very conservative approach by keeping it so that they could show to law enforcement or to relevant regulators. But it increases the risk of cyber-attack.”
Hacker Walks Back Ransom Demands But Telco Giant Still Under Pressure
The company has alerted and apologised to customers over the incident, but O’Neil said it should provide free credit monitoring to the millions of customers impacted.
“The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” the minister told Parliament on Monday.
Optus CEO Kelly Bayer Rosmarin described the data breach as “sophisticated.” She also told ABC Radio on Tuesday that the attack is “not what it’s made out to be” because the data was “encrypted” and Optus has “multiple layers of protections.”
But the suspected hacker, who had already released more than 10,000 records, claimed they would not pursue the extortion attempt any further.
“Too many eyes. We will not sale [sic] data to anyone. We cant [sic] if we even want to: personally deleted data from drive (Only copy),” the hacker wrote in a note posted on an online data breach forum on Tuesday.
“Sorry too [sic] 10,200 Australian whos [sic] data was leaked.
“Ransomware not payed [sic] but we dont [sic] care any more. Was mistake to scrape publish data in first place.”
Meanwhile, Prime Minister Anthony Albanese has called the incident a “huge wake-up call for the corporate sector” in terms of protecting data.