Monday, 26 September 2022
Transcript

Interview with Rafael Epstein on ABC Melbourne

RAFAEL EPSTEIN: I’m joined now by Clare O’Neil. She is, of course, the ALP MP for the seat of Hotham here in Melbourne and she is Minister for Home Affairs and Cybersecurity. Good afternoon.

CLARE O’NEIL: Good afternoon, Raf, thanks for having me on the show.

RAFAEL EPSTEIN: How much of a mistake is this by Optus? How much are they to blame?

CLARE O’NEIL: It’s a very significant error on Optus’s part and they are to blame. The truth is that the nature of the cyber hack that was undertaken here was not particularly technologically challenging and one of the great disappointments for me as Cybersecurity Minister is that we had a large telecommunications provider in our country which left open a vulnerability of this size. And I can tell you that on behalf of Australians, the Albanese Government is incredibly angry because what they have done is left a security risk for Australians that has affected a very large share of the entire Australian population and we, of course, now need to do whatever we can to support those Australians to protect themselves.

But if you’re asking who’s at fault here, there’s a single answer to that and that’s Optus.

RAFAEL EPSTEIN: If you’re incredibly angry, do they cop a fine?

CLARE O’NEIL: Well, Raf, you opened talking about some of the policy issues here that this has really illuminated, and that is absolutely one of them. So, if this occurred in a number of countries around the world, Optus would be fined to the tune of hundreds of millions of dollars. We don’t have a legislative regime of that nature in Australia, so there will be – I’m sure this is going to be a very costly incident for Optus, but at this stage the Government doesn’t have the capacity to fine them, and this is something we will be looking at in the wake of the incident.

RAFAEL EPSTEIN: I’ll come to some of the details at the moment, but are they open – do you think they’re liable to be hit with a class action, they’d lose?

CLARE O’NEIL: Look, I can’t answer that question. We need to – you know, we haven’t got a class action in place at this stage, but I would just say Slater & Gordon are looking at this and anyone listening who’s an Optus customer, watch out for the news on that front.

RAFAEL EPSTEIN: Does Optus know precisely what was taken?

CLARE O’NEIL: So, Optus do, and they’ve provided the Government information on what’s been taken. So, I talked earlier today – we know that 9.8 million Australians have had some information about them revealed and then for 2.8 million Australians very significant amounts of personal data have been revealed, and it’s that latter 2.8 million Australians that I’m most concerned about at the moment. For many people who are in that category, the information that’s in the public realm amounts to 100 points of ID check, and because we live in this modern digital age, there’s vast amounts of data available about all of us online and combined with what’s been leaked and hacked through Optus, there is a significant issue that we now face.

And so, the Australian Government is doing everything it can to try to protect Australians, and that’s going to involve working with banks and financial institutions and also within government to make sure that we are stepping up protections for people.

RAFAEL EPSTEIN: So, if there are 2.8 million people with 100 points out there, I mean, I haven’t received an email, but it could be me so if I gave them say my licence and my passport to prove my identity, 2.8 million people have got all of that data out there, so it includes things like licence numbers and passport numbers?

CLARE O’NEIL: I mean, it’s – I don’t want to scare people unnecessarily, so in most cases you need a physical document to, you know, undertake to open new bank accounts and these sorts of things, so I don’t want to terrify people that financial crime is right around the corner, but I also don’t want to underestimate how significant and serious this is. This is an unprecedented cyberattack in Australia’s history. We have had plenty of incidents where information has become available, but the specificity and the detail that’s been provided about so many people is unprecedented and that is why the Government has stepped up and is undertaking some quite substantial work to try to help people protect themselves.

RAFAEL EPSTEIN: And has Optus told that close to three million people that they’re in that group?

CLARE O’NEIL: Raf, I’m not sure about that actually. I know Optus, as I understand it, has informed all of the customers who are affected and the emails that I have seen illuminate for customers a whole list of data about them that may have been made public. I’m not sure if Optus has told customers which category, they – 

RAFAEL EPSTEIN: And do you think they’ve done enough to tell their customers?

CLARE O’NEIL: Look, how can they? I mean, Optus’s obligations here are so vast. I just think we’ve got people – I’m sure you’ve got them dialling into your text line – 

RAFAEL EPSTEIN: Lots of questions – 

CLARE O’NEIL: I’ve had hundreds of emails, literally hundreds of people coming to me as a local member of Parliament asking, “What’s been taken about me? How do I protect myself?” So, there are very significant obligations on Optus here to try to repair some of the damage that’s been done.

RAFAEL EPSTEIN: Is it data they are legally required to keep?

CLARE O’NEIL: Look, I’ve seen that reported and I think we need to go through a proper discernment exercise here. So, one of the things that’s very common in the wake of a significant cyberattack like this is for many falsehoods to be put into the public realm and I’m not sure if that is true. One thing I do know is that given the very sensitive and important role telco companies play in our overall security framework in Australia, and because they hold so much data, then there should have been much better cyber protection of the telecommunications company. So, whatever data requirements are put on telcos, they’re going to hold a significant amount of data about you and me and all of their other customers. For me, the main issue here is: why was a very large telco provider in this country not properly protecting customer data that it did hold?

One of the things that your listeners might be interested in is the former Government put in place a very significant new law to try to help us manage cybersecurity as essentially a national security issue, acknowledging that when something like this happens with Optus, this affects not just customers at a private level, but actually creates problems for the whole of our community. So, they created this new law but excluded telecommunications companies from that law. So, I as Cybersecurity Minister will have the power to set minimum cybersecurity standards for lots of sectors of the economy – 

RAFAEL EPSTEIN: But you can’t for telcos?

CLARE O’NEIL: Exactly. Yes. So, I actually do think this is a real issue that the Albanese Government is going to be looking at in the wake of this to ask ourselves: is it appropriate? Telecommunications companies kept themselves out of that law saying that they didn’t need it, that their standards were high enough as is and that they’re regulated under sufficient other laws. I don’t think that’s demonstrated by what we’ve seen in the previous couple of days.

RAFAEL EPSTEIN: Clare O’Neil is the Cybersecurity Minister, part of Anthony Albanese’s Government. It’s 16 minutes after five o’clock. It’s a Singaporean company. Could they face any sanction under their laws?

CLARE O’NEIL: I’ll have to look into that one, Raf, and I have to say I am flat out trying to manage the operational risk to Australians at the moment so these are policy questions that will have their important moment, but right now there’s 10 million people out there whose data’s been breached and my focus is trying to provide them better protections.

RAFAEL EPSTEIN: I’m going to use me as an example just because I know what communications I’ve received. I got an email on Friday. I haven’t received one today. I have no idea what information they do or don’t have of me. What should I do?

CLARE O’NEIL: So, look, the most important thing is to watch for any type of suspicious activity. So, what you’ll see in some of these instances is, you know, emails that look a bit odd that might be using some personal information about you, any text messages that come to you that look unusual. Certainly, any information that you might get that flags a bank transaction that you’re not familiar with or anything along those lines you just get on the phone to your bank straightaway. So, I think just be on high alert for any activities.

One of the things that I have publicly asked Optus to do today, and they have agreed, is to provide credit monitoring for the customers who are most affected by the breach. So, what that means is Optus will put in place a special process that watches your credit accounts, essentially, that takes all the information available about you financially that they can find and they will alert you if something happens, and that will assist people in protecting themselves against identity theft, and I want to thank Optus publicly for undertaking to do that.

RAFAEL EPSTEIN: So, do everyone who’s receiving that service, do you know if they’ve been told about that?

CLARE O’NEIL: They won’t have been told about that yet. Optus has made the announcement literally a couple of hours ago that they are intending to put that in place.

RAFAEL EPSTEIN: Should people change their licence or their passports?

CLARE O’NEIL: We are working with State Governments and with the part of the Federal Government that deals with passports to try to manage how this might be made possible – 

RAFAEL EPSTEIN: Oh, really?

CLARE O’NEIL: Yes. So, Raf, one of the things that is just, you know, noteworthy about this incident is all these different touchpoints with licences have – they have regulatory issues, and they have technical issues attached to them, which are – 

RAFAEL EPSTEIN: You can’t re-issue millions of passports and licences, can you?

CLARE O’NEIL: Exactly. So, this is the task that Optus – this breach has left to us, and we are trying to find reasonable ways that we are going to help people provide better protections. I mentioned to you before we are working very closely at the moment with the banks to try to get information to them that will help them protect their customers, and passports and IDs is something that we’re looking at. Now, I’m not sure if that is something that’s going to be possible, but it’s something that certainly a lot of affected customers have raised with me and something we are trying to look at.

RAFAEL EPSTEIN: So, somehow the Government could step around the privacy protections and the Government could take all the Optus information and tell all the banks; is that something you’re looking at doing?

CLARE O’NEIL: What we would like to do is to support the banks to provide protection to people whose data has been breached, and again, the people of most concern here are the 2.8 million customers for whom quite significant amounts of information have been made public. So, we are looking at this at the moment. It sounds like perhaps to your listeners something that would be technically and legally straightforward. It’s absolutely not, but we are trying to do that because as an Australian Government, although this is a breach in the private sector affecting customers that belong to a particular organisation, we absolutely recognise that a breach of this size and nature obviously requires action on behalf of Government, and I can tell you there is a tower of work happening in the Australian Government to try to provide better appreciates.

RAFAEL EPSTEIN: Finally, is the hack, the claim for the million dollars, is that legitimate? Do you know if that’s real?

CLARE O’NEIL: It’s not appropriate for me to talk about that, Raf. Yep, not appropriate at this time.

RAFAEL EPSTEIN: Thanks for your time.

CLARE O’NEIL: Thanks, Raf. Much appreciated.

RAFAEL EPSTEIN: Clare O’Neil’s the Minister for Home Affairs and Cybersecurity. There’s a lot there. They’re going to try and link to your bank if your data’s been breached, but that’s not easy for them to do. They’re looking at whether or not you might be able to replace your licence or your passport. Again, that’s not easy to do. They would like to have legislation that would allow them to fine a company like Optus. Doesn’t look like they can. Whether or not they’re covered by Singaporean law – don’t know. Government is incredibly angry with Optus. I don’t know what that anger actually means or what it can translate to or how it can help you either. If you’re one of those who is texting me saying you tried to contact Clare O’Neil’s office, she’s getting hundreds of those messages. I don’t have anything for you other than keep an eye on everything. Keep an eye on your bank accounts. I don’t know how they change or alter three or four million passports or licences.

--END--