Tuesday 27 September 2022 09:08 AM Optus data hack an 'extinction-level event' says tech analyst Shara Evans
Optus is facing an 'extinction-level event' after its massive loss of customer data to a hacker, a technology analyst says.
Shara Evans, who is the CEO of leading tech research firm Market Clarity, says the telco's response has been completely inadequate and could see it face massive fines both in Australia and Europe.
'This is an extinction-level event for Optus's reputation,' Ms Evans, who has worked for US tech and telco giants Alcatel, Sprint, Telenet and GTE, said.
Shara Evans, who is the CEO of leading tech research firm Market Clarity, says Optus faces an 'extinction-level event' after the mass hack that stole the personal data of up to 11 million of its customers
'This is a public relations fiasco.
'I have seen some reports that it could be up to 11.2 million people, so we are talking about 30 to 40 per cent of Australia's population.
According to Australia's Information Commissioner, otherwise known as the privacy commissioner, a notifiable data breach is one in which unauthorised access to or disclosure of personal information is 'likely to cause serious harm' to the people it concerns.
About 11 million Optus customers had personal details stolen in the massive data breach
Ms Evans said there was no question that 'Optus have a notifiable data breach'.
'The information that has been exposed is a combination of your name, date of birth, email, phone number or address associated with your account.
'There's no doubt in my mind that this constitutes the kind of information that could result in identity theft, financial loss through fraud, serious psychological harm.'
The maximum penalty that can be levelled against a company in Australia for a privacy breach is $2million, which Ms Evans called 'pocket change'.
Ms Evans said a hacker who had someone's date of birth could wait years before using it maliciously
However, Optus could face much harsher potential penalties coming out of Europe.
'I am told there are [millions] of people in Australia who have dual EU citizenship, which means the EU's General Data Protection Regulation (GDPR) comes into effect,' Ms Evans said.
'Optus is liable under EU law for all EU citizens impacted by the breach.'
The maximum fine under the GDPR is €20 million ($29million) or 4 per cent of a firm's global annual turnover for the preceding year, whichever is higher.
Ms Evans expressed her disbelief at how the telco had left so many of its customers in the dark.
'I think the burning question is: why were people not pro-actively notified?' she said.
'This should have been told to everybody involved as soon as they realised "Oh my God, this involves birthdates, driver's licences - all kinds of other information".'
Optus could face both fines in Australia, but also much bigger sums under EU law, for the data breach
Ms Evans believed Optus may well have been in breach of the law, which is enforced by the privacy commissioner and the federal attorney-general.
'It is the law to notify impacted people straight away,' Ms Evans said of the breach.
'There's different categories of information but without a doubt birth date falls into what is classified as sensitive information.
'It appears that everybody who has been breached had their date of birth compromised.'
The commissioner's website says a firm has 30 days to assess whether a data breach is likely to 'cause serious harm'.
Ms Evans is in no doubt the Optus breach falls into this category.
'If birth dates and driver's licences are released you don't need 30 days to assess if there is potential serious harm,' she said.
'You know that right away.'
'They have an obligation to push the information, not just through a press release. They've got your phone number!'
Ms Evans said the hack and especially the slow response of Optus was a 'public relations' disaster
Ms Evans was scathing about what she saw as the lack of urgency and transparency.
'On the Optus portal and on the app from day one there was zero notification about a potential breach,' she said.
'I just do not believe Optus has acted in good faith towards its customers in terms of disclosure by not notifying people when it is dead obvious what this data could be used for.'
Potentially the most sensitive piece of information the hacker appears to have harvested, possibly from every stolen account, is birth dates.
'If your date of birth is compromised you are subject to identity theft - full stop,' Ms Evans said.
'Once your birth date is gone the only thing you can do to repair it is die.'
Ms Evans outlined the approach she thought Optus should have taken.
Ms Evans slammed the offer by Optus to provide free credit monitoring to only a 'subset' of people affected
'There should have been banners on their app, on their portal, on their website, pro-active text messages to everybody saying "we really regret having to send this message to you but this is what's happened, log in to your secure portal - note a new URL - and you will find more information there".
'"And we continue to update you about your situation as we investigate further".'
Ms Evans said the company's offer of free credit monitoring to prevent identity theft was nowhere near enough.
On Monday Optus said it was 'offering the most affected