You would have to be living under a rock to have missed the well-publicised Optus API breach. Depending upon whom you believe, the breach was somewhere between a laughably simple attack of opportunity and a highly sophisticated targeted attack. Regardless of the mechanism of entry, the immutable fact is that Optus failed in its obligation to ensure that its customers' data was protected. My big problem here is that Optus is by no means alone in its failure to take cybersecurity seriously. I have been screaming in the wilderness for years about getting organisations to take cybersecurity more seriously, and maybe, just maybe, this is the moment of change. This is by no means the first major breach we have seen, so why is it different this time?
Personally, I feel the difference is the level of interest from the media, which has resulted in a large outcry from Optus customers and, I may say, a level of hysteria that I have not yet seen from the public around the misuse of their information. The reality is that almost everyone has had a level of apathy around their personal information for years, and no amount of reporting or articles seemed to sway people to take this a bit more seriously. To be frank, most of the people standing indignantly in lines at transport departments to get a new driver's licence will inevitably have very poor password hygiene, very poor governance of their social media information and configuration, and no real understanding of what information they have shared with numerous websites, companies and agencies, or indeed freely with almost anyone who would ask. However, for all of my seething annoyance, this is hopefully a watershed moment where we may just see some change.
Certainly, government has not been the catalyst of change. The laughably small fines (and the almost complete lack of applying them) it set under the Notifiable Data Breach legislation have had no tangible impact on businesses improving their cybersecurity posture. The fact that our Minister for Cyber Security is finally taking this seriously gives me at least a small amount of confidence that we may see some more action. Unfortunately, governments have previously adopted a strategy of assuming that corporations would do the right thing by their customers. This of course was, and is, completely naïve. Corporations are driven by profit, and spending money on cybersecurity has previously been seen as providing no ROI. I am sure we will see in the medium term, as customers abandon Optus in droves, that there is a net value in NOT losing customers over perceived cost savings. I digress; I was talking about government. What we need to see is increased fines, and significantly increased application of those fines, for corporations that fail in their obligations to protect their customers' data. We need to look to Europe's GDPR as a real example of a jurisdiction that is taking cybersecurity seriously. I would like to see us take the lead globally on this, and hopefully this is our moment to embrace change.
Indeed, we have just seen state governments allow people to change their driver's licence proactively. Before this incident, you could only change your licence number if you had PROVEN evidence that fraud had taken place. I will say that most people have probably handed their driver's licence out more times than they can even remember, and the likelihood is high that at some point that information has already been breached at least once. The answer here is not to have to change document IDs every time a breach occurs; the onus really needs to be on the organisation that is using these documents to ascertain identity to ensure that the identity is legitimate. In fact, we also need to see extensive fines for any organisation that allows anyone to use stolen credentials to set up an account. Honestly, if a financial institution or company accepts a document ID such as a licence or passport number without the physical document, or without adequately ensuring the identity of the individual, that organisation needs to be fined out of existence.
This is by no means the last time we will see a trusted organisation run afoul of a cybersecurity failing. For years we have been attempting to impart the seriousness of cybersecurity to businesses of all sizes; my hope is that we can sow the seeds of change from this disaster.
Author | Martin O’Riordan | General Manager and Head of Cybersecurity, Mercury IT