The shock waves from the Optus cyber attack, which occurred in September 2022, are still being felt by Optus and its customers.
The gravity of the attack and its financial and reputational damage are now being fully realised. Optus originally set aside AU $140M to deal with the fallout; however, when factoring in the reputational and share price loss, this number may well be in excess of 1 billion dollars.
It is estimated that 10% of Optus customers have already left the telco giant as customers deal with the increase in SMS and email scams directly related to their leaked data.
It is a loss on the scale of a natural disaster.
So what happened to Optus?
A criminal investigation is underway, with much of the detail of the breach either contained during the investigation or unknown.
It is reported that the Optus breach occurred through an Application Programming Interface (API) used by Optus to allow systems to talk to each other. This API was public facing and was cracked by external overseas actors allowing access to customer information.
The hack was then complete and sensitive customer data was stolen.
The rest is history.
Implications for Businesses Large & Small
With the theft of the Optus customer data there is a serious and credible threat that hijacked information could be used as part of identity fraud with financial institutions.
The Federal Government has changed the laws mandating that compromised credentials be shared with a central register so that banks and government agencies can check if stolen data is being used fraudulently.
Not only did the government introduce changes to protect stolen data from identity fraud, they also introduced legislation to drastically increase the penalty for not protecting private customer data.
The Privacy Legislation Amendment Bill 2022 increased the maximum fine from AU $2.2M to a whopping $50M, 3 times the benefit obtained from the misuse of the information or 30% of the company’s turnover (whichever is the greater).
These changes make it imperative that all businesses understand the new legal and financial ramifications of not protecting their customers’ data.
Renewed Focus on Customer Data Protection
With a potential 20-fold increase in fines comes a renewed need to focus on data protection for all businesses. Enterprises large and small need to allocate increased resources to cyber-security.
Your I.T. advisers or in-house cyber-security team need to have a seat at the heart of decision making. Appropriate financial budgeting for cyber-security measures should be considered at the highest level.
All organisations, from small business to enterprise corporates, must develop a cyber-security plan and procure resources and tools to deal with real-world threats.
Whilst there is an increased cost to elevating cyber-security in your business, the cost of not taking action can and most probably will be much higher.
Minimising the Risk of Cyber Attack
It’s imperative that every business is resilient in this fast-paced and ever-changing online landscape.
Here are a few things your business can do to reduce your cyber-threat risk:
- Ensure your business has a dedicated person responsible for cyber-security;
- Elevate cyber-security in the everyday decision making process of your business;
- Allocate financial resources to cyber-security and budget for increased demand on cyber-threat mitigation;
- Talk to your insurer about cyber-security and what protection they can offer;
- Ask for help in developing a cyber-security plan from a Managed IT Service Provider;
- Hire an external provider to manage cyber security for your business.
Our Cyber Security Experts Can Help
Cicom can help you recognise potential cyber vulnerabilities and implement strategies and tools to lower your risk.
We have industry leading tools and expertise with:
- Email filtering for phishing, spam and viruses;
- Managed security firewalls;
- Device security protection;
- Managed detection and response;
- Backup and business continuity solutions;
- Website filtering;
- Remote monitoring.
Our expert IT technicians can install and manage the necessary protections to minimise your business's risk and protect your data.