The Optus data breach could go down as the biggest in Australia's history – and thanks to our laws, there's little recourse for anyone affected.
On Thursday, the telecommunications company acknowledged it was investigating a cyberattack that allowed intruders to access former and current users' details.
"We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers' personal information to someone who shouldn't see it," Optus CEO Kelly Bayer Rosmarin said in a statement.
The company told Crikey that it went public and alerted authorities within 24 hours of "establishing that that customer's information had been compromised".
The Australian reported that 7 million customers had their name, date of birth, phone number and email address stolen. For 2.8 million of them, this also included postal addresses and passport and driver's licence numbers.
This is an enormous number of people who've had important and – crucially – very difficult to change details exposed. If those affected were their own Australian state, they'd be the second in population behind New South Wales. Previous large hacks at Canva and Ubiquiti (which both affected tens of millions of people) were for global companies, whereas Optus is an Australian company with predominantly Australian customers.
The motivations of the hackers aren't known yet. The intruders are from overseas (not from China, Nine reports), but it's not known yet whether they are part of a criminal or a state-based group. None of the details obtained have turned up on the internet – yet. Home Affairs and Cybersecurity Minister Clare O'Neil has acknowledged the hacking. Her opposition minister James Paterson said he's seeking an intelligence briefing on the attack.
So, what does this mean for Australians who've had their details exposed? Millions of people now have identifying information that could be publicly released at any point in the future. This information could be used for identity fraud, scams or to facilitate other harm (for example, using someone's details to try to access their email or phone).
Optus has advised customers to have "heightened awareness" across their accounts and to refer to information provided by the Office of the Australian Information Commissioner (OAIC) and Moneysmart. Essentially, it's on each of the 7 million individuals affected to protect themselves against the harm that may come from Optus' management of their sensitive data. Good luck and may the odds be ever in your favour!
Kate Bower, consumer data advocate at consumer advocate group CHOICE, said that this response shows the limits of individualised response.
"There's no monetary remedies or redress for those affected in these breaches. That's becoming more of a problem as more of our information is out there with hundreds of companies," she told Crikey.
Bower highlighted the need for a statutory tort for serious invasion of privacy (which would allow people to pursue legal recourse). As it stands, Australia has no tort of invasion of privacy. Going back a decade, the Australian Law Reform Commission was asked to design one by then attorney-general Mark Dreyfus. The commission's report was ignored by the subsequent Coalition government when delivered in 2014. Groups such as the OAIC and Law Council of Australia have argued in their submissions to the ongoing review of the Privacy Act that a tort is sorely needed.
Bower also suggested introducing stronger penalties for breaches to incentivise companies to do more to protect Australians' information while also providing more resources to the OAIC to help companies before it happens.
"Ultimately, it will happen. We need to be able to protect people as much as possible," she said.
This article was first published by Crikey.