Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Friday, December 30, 2022

The Inside Story Of The “Optus Hack” Makes An Interesting Read!

This appeared last week:

Inside the Optus hack that woke up Australia

A huge cyberattack on the telco in September caused a political storm and made Australians aware of the power of their personal data. Behind the scenes, it was a time of high drama.

Paul Smith Technology editor

Dec 22, 2022 – 5.00am

It began with a phone call from the other side of the world. Kelly Bayer Rosmarin was waiting at the airport after a run-of-the-mill business trip to the United States. Beside the Optus chief executive was her marquee hire, former NSW premier Gladys Berejiklian. The pair were waiting to board a Qantas flight home. The call, however, meant it was a flight Bayer Rosmarin would never make.

It was Wednesday afternoon in Sydney, and late evening on Tuesday in America. Chief information officer Mark Potter was on the line, and the news was not good.

Technology staff had raised concerns about suspicious activity on Optus’ IT networks the day before. Potter was calling his boss after a series of hastily convened meetings with other top lieutenants had determined that Optus faced an impending crisis.

While details were sketchy, they could have a serious problem on their hands. The executive team was worried enough to categorise it as a crisis.

“I immediately wanted to know when we were going to get some clarity on how big this was, and what had actually happened, and I was told, ‘Well it might take us a really long time’,” Bayer Rosmarin tells AFR Weekend in her first interview about the incident. She has warily agreed to speak, in the hope that those outside the company can understand the reality of dealing with a very modern business calamity.

“I told them they had four hours to come back with some answers.”

The first decision Bayer Rosmarin had to make that September day was whether to board her long-haul flight home. Qantas’ lack of in-flight Wi-Fi meant she and Berejiklian would be unreachable for further updates and discussions for at least 15 hours.

Bayer Rosmarin decided to remain in the US so she could stay in touch. Berejiklian, who was to be responsible for the company’s media and government-related response work, headed home.

“It then became clear on that next call that we had an incident of scale that could have exposed customers’ personal information,” Bayer Rosmarin recalls.

After a whirlwind of calls and meetings among Optus staff, the company discerned that a hacker had accessed the records of anywhere between 2.5 million and 9.7 million current and former customers. In some cases that data included driver’s licence, passport and Medicare details, meaning these customers could be at risk of fraud.

It was the beginning of a frantic period. Bayer Rosmarin, seven hours after that first call, boarded a red-eye flight with an airline that had more modern communications capabilities and worked the whole time. She went straight from the airport to Optus’ corporate headquarters, a low-rise office building among several others at Macquarie Park in Sydney’s inner north-west. By the time she arrived, Optus’ staff in Australia had mobilised to a war footing.

The company was about to find itself the focus of one of the biggest and most influential news stories of the year. The under-appreciated threat of cyber villainy had suddenly become the biggest immediate challenge for corporate Australia – and for the new Labor government.

The media would go into overdrive. Each new detail would be reported to a public demanding to know what, if any, personal details had been stolen and what it would all mean.

Within days Optus would become the focus of extraordinary government broadsides, with Cyber Security Minister Clare O’Neil angrily dismissing Optus’ assertions that it had been attacked by a sophisticated operator, accusing the company of making a schoolboy error and leaving the “window open” for the thieves to climb through.

Months later, the jury is still out regarding culpability, with external reviews and Federal Police investigations pending. Optus insiders believe the critics’ assessments are overly simplistic, but further pressure was piled on Bayer Rosmarin and her team as the crisis unfolded.

For the Optus execs, the immediate task was clear: find out what had been stolen, and fast.

Back at headquarters, Berejiklian and regulatory and public affairs boss Andrew Sheridan were marshalling nascent communications efforts. Bayer Rosmarin had a tech-heavy leadership team already on the scene including Potter, a tech strategy veteran who had been a colleague of Bayer Rosmarin’s at Commonwealth Bank; new head of national and cybersecurity Ben Davies, and Matt Williams, the managing director of marketing and revenue, who had been a key member of the crisis cabinet of leaders who co-ordinated the immediate response while Bayer Rosmarin returned home.

Richard Webby, the former technology director at shopping centre operator Scentre Group, was also on hand as the managing director of Optus Digital, so there was no shortage of people with large-scale enterprise technology experience. They just had to figure out where to start.

Rallying the troops

Optus’ staff faced a nightmare task. A dizzying list of things needed first to be understood then reported to numerous authorities, agencies and, most importantly, customers.

Complicating matters was the timing of the calamity, which was unfolding in earnest on Thursday, September 22, the designated national holiday to mourn the death of the Queen. The Friday was also a public holiday in Victoria for the AFL Grand Final. Facing a human resources challenge to go with the technology panic, all hands were called back on deck.

“By the Friday, we had set up a sort of war room in one of our larger spaces downstairs, which at its peak had about 120 people working in it,” Williams recalls.

“At one end of it we had people working through all the data, trying to figure out just what the hacker had, while we also had people handling all the regulatory interactions, and of course external communications and people trying to engage with the different authorities about all the different types of identity documents from across different states.”

Bayer Rosmarin and her leadership group decided the nature of data accessed by the hacker meant public announcements needed to be made. Optus had confirmed that the hackers had not actually got inside its systems, rather that they had “read-only” access to some customer records.

Importantly, there had been no compromise of arguably more troublesome data, which Optus and all telecommunications firms are required to retain for law enforcement agencies. Had details of consumers’ web browsing history, physical movements (via mobile tower pings) and phone activity been stolen, an even bigger privacy can of worms would have been opened.

Vastly more of the saga is here:

https://www.afr.com/technology/inside-the-optus-hack-that-woke-up-australia-20221123-p5c0lm

There is a lot of interesting material here and the full article is well worth a careful read.

I was interested to discover Government Regulations on data retention made the risk of real problems much larger if hackers got into some of the more securely held data-sets….

Enjoy the read.

David.
