Optus data breach a catalyst for Privacy Act reform

Optus announced the unauthorised disclosure of data on 22 September. The nature and extent of what data has been stolen is still being ascertained, but in some cases the passport and drivers’ licence numbers, Medicare numbers, addresses and date of birth of customers have been exposed and held to ransom. With this information alone, comprising at least 100 points of ID, anyone in possession of it can access bank accounts, take out loans, or open new accounts.

On 26 September, in the face of heavy public criticism, not least from Home Affairs and Cyber Security Minister Clare O’Neil, who labelled it “quite a basic hack”, Optus offered free credit monitoring (via Equifax Protect) to the 9.8 million customers affected. Slater & Gordon have already mooted a class action on behalf of Optus customers.

Samantha Floreani is the Program Lead at Digital Rights Watch Australia, which was founded in 2016 to champion democratic and fair accessibility and interaction within the digital realm. Her work in both the private and public sectors has focused on privacy, gender equity in the tech industry and individual privacy within a digital realm where surveillance and lack of transparency is increasingly encroaching.

“The trouble is that the Privacy Act is woefully out-of-date. There has been a call for it to be updated to keep up with the digital age for years,” she says.

“There’s been a review under way since 2020, so the new government has inherited this review mid-way through … Reform to the Privacy Act is extremely overdue and I’m hoping that – as terrible as this breach is – it’s a wakeup call as to why we really do need to strengthen the Privacy Act.”

The OAIC (Office of the Australian Information Commissioner) has made two submissions to the Attorney General’s review into the Privacy Act 1988 in as many years.

Floreani’s view is there is an imminent need to review the amount of data stored by companies, and to implement greater incentives for companies – both public and private – to guard consumer data.

“The threat of financial penalties can be incentivising to do the right thing,” she says. “The privacy regulator would need stronger powers to be able to administer those fines. It’s currently capped at $2 million and that is not nearly enough for some of these major companies to take seriously. We need a well-resourced regulator equipped with the power to act when wrongdoing happens.”

Floreani says Australia’s Privacy Act (comprising 13 Australian Privacy Principles) is significantly weaker in its consequences for companies than similar international acts, a point Minister O’Neil made on ABC’s 7.30 Report. It also leaves room for companies to interpret the principles with some degree of creativity.

“Under the current Privacy Act, you’re only supposed to collect information that is for a given purpose. The trouble with that is that companies can massage that piece of the law and say ‘we do need this data for XYZ’, whatever business purpose they identify.”

She explains that while it would be ideal for telecommunications (telcos) organisations to be able to cite and verify documents to ensure the identity of their customers upon signing up, without needing to retain their drivers’ licences, Medicare or passport information, there is another conflicting matter. Telcos are required to retain customers’ metadata for two years, as enacted by the Metadata Retention Scheme of 2015. This data is often held for much longer, and potentially can be used for customised, targeted marketing and advertising, which is another problem inherent in the loose interpretations of the Privacy Act.

At present, there are conflicting views about the sophistication, or otherwise, of the Optus data breach and whether the company could and should have been able to prevent this.

“It is really tricky because there’s a lot of changing information coming out,” Floreani says.

“A lot of the updates have not necessarily been confirmed or don’t have evidence to back them up. It’s challenging to know exactly what, or how it happened. What we can gather from reporting is that an unauthenticated internet-facing API  – a piece of software that enables applications to exchange data – allegedly did not have sufficient authentication, and security, measures in place.

“That means this person could come along and scrape the data off that API. If that is true, and it’s hard to know for sure, then calling it a sophisticated attack is quite misleading and it shifts responsibility away from Optus and onto this hacker, for want of a better word.”

The nature of the data that has been compromised is potentially devastating to the customers who have had their identity documents and details stolen.

“Optus has such a huge wealth of personal information and if they collected and stored less, then the potential harm that arises from this kind of breach would be much lower … we need some really clear rules about how that information should be handled, how long it should be stored for and how it should be deleted,” Floreani says.

As for Optus’ 12-month credit monitoring offer, she remains sceptical.

“The provision of access to credit monitoring services is not a bad step, but the issue is that for those whose data ends up being compromised, the kinds of harms that can arise from that can go on for years and arise in unexpected ways.

“A one-year subscription to a service is nice, but it’s not going to solve all the problems. It underestimates the longevity of the harm this kind of breach can create. In terms of Optus’ response in general, people are rightfully angry and frustrated.

“Optus are obviously trying to deal with law enforcement and there are restrictions about what they can and cannot say, but it is coming across that they are being a bit evasive and not as communicative with their customers as they could be.”

Another measure that Digital Rights Watch is championing is the creation of a direct right of action for individuals.

“Currently, if you suffer a data breach, you don’t have many avenues for redress. You can only complain to the OAIC, the privacy regulator. That regulator is chronically underfunded and under-resourced. A direct right of action enables people to directly take companies to court in instances like this. We need stronger incentives for companies to take security mechanisms and privacy more seriously.”