Wednesday, December 28, 2022

Singtel-Optus relied on Gladys Berejiklian to manage its data breach: Berejiklian handled PR, media and government relations, but failed to prevent publication of Optus customers' private data, including residential addresses - a textbook example of how not to handle a data breach

 by Ganesh Sahathevan 



Nine News reported in September 2022:


The federal government has been scathing in its criticism of Optus, following the leak of millions of users' personal data.
It was revealed this morning that Medicare numbers were exposed in the data breach. 
Previously Optus revealed the leak had included names, dates of birth, email addresses, phone numbers, postal addresses (which are likely to be residential addresses), drivers' licence numbers and passport numbers.


Singtel-Optus, however, sees the breach as a triumph of its director Gladys Berejiklian's PR, media management and government relations skills (see the story below, published three months after the breach).

Overall, a textbook example of how not to handle a data breach, for a successful PR campaign is wholly irrelevant to customers seeking damages.


TO BE READ WITH

How Gladys Berejiklian quietly supported Optus chief as the high-powered pair grappled with the telco giant's devastating cyber hack

  • Optus CEO Kelly Bayer Rosmarin reveals how she handled the Optus cyber hack
  • Insight into how NSW Premier Gladys Berejiklian took control is revealed
  • Cyber attack impacted almost 10 million current and former Optus customers
  • Personal data stolen included passport, drivers licence and Medicare numbers


It has been revealed former NSW Premier Gladys Berejiklian played a critical role in the response to the Optus hack as CEO Kelly Bayer Rosmarin detailed exactly what happened behind the scenes at the telco giant.

It was just another day in September when Ms Bayer Rosmarin received the news Optus had been hit by a company-wide cyber hack while waiting at an airport in the United States with Ms Berejiklian, Optus' managing director for enterprise and business.

The pair were ready to board a Qantas flight home when Ms Bayer Rosmarin got a call about suspicious activity on Optus' IT networks and was told the telco giant was facing a major crisis. 

Both were set for a long-haul 15-hour flight home, and Qantas' lack of in-flight Wi-Fi meant they both might be unreachable for the entirety of the flight, so Ms Bayer Rosmarin made the decision to stay in the US while Ms Berejiklian, in charge of Optus' government and media relations, headed home.

The role of former NSW Premier Gladys Berejiklian (left) in the Optus hack has been revealed as CEO Kelly Bayer Rosmarin (top right) details how she handled the controversy

Kelly Bayer Rosmarin (pictured) was informed of the hack while waiting at an airport in the United States with Ms Berejiklian. She stayed in the US to coordinate a response while the former premier returned to Australia to spearhead the media response

'I immediately wanted to know when we were going to get some clarity on how big this was, and what had actually happened, and I was told, "Well it might take us a really long time",' Ms Bayer Rosmarin told the Australian Financial Review.

After multiple calls and meetings, Optus uncovered the hacker had accessed between 2.5 million and 9.7 million records of current and former customers.

This included customers' driver's licence numbers, passport numbers and Medicare details, ultimately meaning they were now at risk of fraud.

Ms Bayer Rosmarin told the publication that, several hours after the first frantic call, she boarded a late-night flight to Australia after being assured she could access in-flight WiFi.

Meanwhile in Sydney, Ms Berejiklian coordinated a media response and put together an action plan.

By this time, Optus had managed to detect the hacker in their system and shut them out.

The telco then identified the biggest risk to their customers was a phishing attack and moved to prevent it.

'We have got a lot of technology and cyber knowledge on our executive team, and we understood that the best defence against a hacker – if what you care about is protecting customers – is creating a climate where they can't profit from the data,' Ms Bayer Rosmarin said.

Optus came to the decision to announce the cyber attack around 2pm on Thursday September 22 but Ms Bayer Rosmarin said 20 minutes before the telco giant released their statement, someone leaked the information to a journalist who had already started a media whirlwind

Optus came to the decision to announce the cyber attack around 2pm on Thursday September 22. 

The move would create a space where the hacker could not profit and would allow the company to warn customers to be on alert for phishing scams.

Ms Bayer Rosmarin said she called multiple telecommunications CEOs and the big four banks to bring potential scams to their attention before releasing their media alert.

But Ms Bayer Rosmarin said 20 minutes before the telco giant released their statement, someone leaked the information to a journalist, kicking off a media storm. 

With the media questions tumbling in, Ms Berejiklian took control, with one insider saying she was able to predict 'exactly' what the media wanted to know and how the media cycle would evolve. 

The insider even went as far as to say the former NSW Premier knew what questions journalists would ask and how media outlets would keep the story fresh. 

She faced a tough task though, as Optus announced the news on a public holiday and found itself in the middle of Australia's first massive corporate cyberattack.

Questions flooded in about who the hackers were, whether the perpetrators were from Russia or China, what data was stolen and how such a thing could happen, with Ms Berejiklian spearheading the company's response.

Ms Berejiklian found herself calling on contacts she acquired during her time as NSW Premier to fast-track new identification documents, such as drivers' licences, for customers affected by the hack.

As the media questions tumbled in, Ms Berejiklian took control, with one insider saying she was able to predict exactly what the media wanted to know and how the media cycle would continue to evolve

While the former premier pulled the strings behind the scenes, Ms Bayer Rosmarin decided she needed to be the face of the crisis response.

She would be the one who faced the media, which kicked off with a livestreamed media conference on the Friday morning to take questions.

Ms Bayer Rosmarin apologised to customers and conceded the attack should never have happened. 

While Optus worked on rectifying the colossal error and putting everything right, health insurer Medibank then suffered one of the biggest data breaches in Australia's history.

This took a lot of attention away from Optus and kickstarted Australia's cyber awakening, with the government and multiple corporations moving hastily to tighten cyber security.  

This happened while Optus faced the colossal task of building a new customer database for 10 million customers.

The telco was also coming under heavy fire from the government for not sharing enough information about the devastating hack, with new laws being introduced to stop a similar attack from happening to another company.

Under the new laws introduced, companies such as Optus would be able to share data more easily with government agencies in order to prevent cyber-crime.

The Optus hack impacted almost 10 million current and previous customers with the hacker accessing customer's driver's licence, passport and Medicare details

Communication Minister Michelle Rowland said Optus believed sharing information about what data was stolen would breach the Telecommunications Act and therefore moved to amend the regulations.

'Optus put the view to the government that in their analysis they were not covered by one of these exemptions (to the Act),' Ms Rowland said.

'We considered it prudent having taken and considered the proper legal advice that the most effective way to enable this data to be shared beyond doubt was through amending these regulations.

'These regulations are specifically in response to these cyber-threats on a scale and scope that hasn't happened in Australia before.'

Ms Rowland said the changes were for the 'sole purpose of protecting consumers'.

While Optus continued to move to tighten security and ensure a similar attack could not happen again, a review was launched into how the hack occurred.

In December Cyber Security Minister Clare O'Neil announced a review had been commissioned to look into both the Optus and Medibank data hacks. 

Rachael Falk, CEO of the Cyber Security Co-operative Research Centre was appointed to head the review, which is still ongoing.
