The Optus data breach has had an enormous impact on Australians as it left approximately 10 million people vulnerable. Customers are now facing uncertainty and they are angry at the company for not being better prepared and able to store their personal information securely. The reputation of the company has been impacted and a lot of consumers do not consider it a reliable business anymore. It highlights the importance of businesses making the right decisions and establishing strong measures against cyberattacks.
Optus data breach
Personal information was leaked to hackers including full names, phone numbers, birth dates, emails and some customers also had their drivers’ licences and passport numbers stolen. The incident is still under investigation.
The hackers claiming to be behind the attack are asking for $1 million USD which is about $1.5 million AUD. Optus has not confirmed whether the person behind the demand is the person who stole the customer data. However, the alleged criminal is threatening to sell the customers’ personal information on the dark web if they do not receive their ransom.
Optus is refusing to let customers change their phone numbers, even though people whose details were exposed, including some who are no longer Optus customers, now face the threat of SIM swapping (an attacker porting the victim's number to a SIM they control in order to intercept calls and SMS verification codes). In response to the Optus data breach, the Australian government is drafting new laws that would raise the penalties businesses face to millions of dollars. Currently, the penalty that Optus may face is up to $2.2 million, but the government has not made it clear whether it will fine the company.
Main takeaways of the Optus data breach
The Optus data breach acts as a reminder to businesses and highlights how important it is to store customer information securely. Many customers are now vulnerable to identity theft because their passport and drivers' licence numbers have been leaked. This has caused many people to share on social media their intent to switch from Optus to another company. The organisation is losing long-standing customers, some of whom have been with the business for over 20 years. The financial impact of the Optus data breach will be significant, as consumers are asking for compensation or threatening to cancel their contracts.
The Australian Federal Police are monitoring the dark web to detect whether data from the Optus data breach is being shared or sold while the FBI is trying to hunt down the hackers. Meanwhile, Optus is receiving hundreds of calls every day that it cannot respond to. The reputation of the business is not only suffering from the cyberattack itself but the lack of customer service as well. A lot of people cannot contact customer support and report issues with their service as phone lines are flooded with complaints about the data breach.
It is obvious that a cyberattack of this size can negatively influence a company in many ways which is why organisations need to prevent cyberattacks.
Polonious can assist in the investigation process of a security breach or privacy breach. The way Polonious handles its information meets strict international standards and we can help ensure that every stage complies with legal and organisational requirements.
How can companies prevent a situation like the Optus data breach?
Data breaches can happen to any company no matter its size. However, a cyberattack as big as the Optus data breach is rare and because of this, it has received a lot of media attention. It is considered one of the biggest cybercrimes in Australian history. What can companies do to prevent similar incidents? Some measures businesses can take include:
An attack like the Optus data breach can be hard to avoid; however, by prioritising security, companies gain an advantage. As companies try to simplify their operations, security is sometimes overlooked. Every system should require multi-factor authentication, and high-risk actions (such as exporting customer records) should require fresh authentication before they can be completed, never be reachable without it. Software should also be updated regularly, and staff should actively look for vulnerabilities so that they can be patched.
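As an added example (not from the original article and not Polonious code), the following Python shows what "require authentication before a high-risk action" looks like in practice: a verifier for the time-based one-time passwords (TOTP, RFC 6238) that authenticator apps generate. It assumes a 30-second time step, 6-digit codes, HMAC-SHA1 and a tolerance of one step either way for clock drift; the secret is the RFC 4226 test key and the user names are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Verifies user-supplied codes with clock-drift tolerance and replay protection."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter: Dict[str, int] = {}   # user -> last counter that was accepted

    def verify(self, user: str, secret: bytes, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        last = self._last_counter.get(user, -1)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            # A counter at or below the last accepted one is a replay: reject it
            # even though the code would otherwise still be inside the window.
            if candidate <= last:
                continue
            # Constant-time comparison so response timing does not leak digits.
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_counter[user] = candidate
                return True
        return False


# Constructed demo values: the RFC 4226 test secret and a fixed timestamp.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier()
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code, "accepted:", verifier.verify("alice", DEMO_SECRET, code, now=59))
    print("same code again:", verifier.verify("alice", DEMO_SECRET, code, now=59))
```

The replay check is the part that is easy to forget: without it, a code captured by a phishing page stays valid for the whole tolerance window, which defeats the purpose of a one-time code. In a real deployment the last-accepted counter lives in the same store as the user's secret, not in process memory.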
Password policies should make strong passwords mandatory. Passwords should be long, mix letters, numbers and symbols, not be reused across systems, and not include any personal information. Many organisations also require employees to change their passwords regularly, typically every 90 days, especially for high-risk software; note, however, that current guidance (NIST SP 800-63B) recommends against scheduled rotation in favour of length, screening against known-breached passwords, and changing a password promptly whenever compromise is suspected.
Networks should also be secured. Guest wireless access for customers should be on a separate network segment from the one the business operates on, so a compromised visitor device cannot reach internal systems. If your business does not have a firewall, it is crucial to set one up, as it acts as a barrier between internal devices and the internet.
Third parties should comply with the requirements your business has and follow all relevant procedures to keep data safe. Moreover, third parties allowed on business premises or networks should show that they comply with privacy laws and regulations.
Not every employee needs access to sensitive information. The business should decide which roles need to view personal information of customers and employees, and grant access only to those roles. Each staff member should have their own account with a strong password; account sharing should not be allowed for high-risk software, because a shared login makes it impossible to attribute an action to an individual and a single phished credential then exposes everyone's access. The company should keep a log of who has access to the data and when they access it.
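As an added example (not from the article and not Polonious code), the following Python sketches the access model this paragraph describes: role-based, field-level access to customer records, individual rather than shared accounts, and an append-only audit log that records every allowed and denied access with who, when and what. The customer record, role names and shared-account list are constructed for the demo.

```python
import datetime
from typing import Dict, Iterable, List, Set

# Constructed sample record for the demo; not real customer data.
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "C1001": {
        "name": "A. Example",
        "phone": "0400 000 001",
        "dob": "1980-01-01",
        "licence": "12345678",
        "passport": "PA1234567",
    },
}

# Least privilege: each role lists only the fields it needs. Anything else is masked.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "support": {"name", "phone"},
    "fraud_analyst": {"name", "phone", "dob", "licence", "passport"},
}

# Generic logins that cannot be tied to one person (constructed names for the demo).
SHARED_ACCOUNTS = {"admin", "support", "helpdesk"}


def mask(value: str) -> str:
    """Hide all but the last two characters so the field is recognisable but useless."""
    return "*" * (len(value) - 2) + value[-2:] if len(value) > 2 else "**"


class CustomerStore:
    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = records
        self.audit_log: List[dict] = []   # append-only: who, when, what, outcome

    def _log(self, actor: str, role: str, customer_id: str,
             outcome: str, fields: Iterable[str]) -> None:
        self.audit_log.append({
            "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "customer": customer_id,
            "outcome": outcome,
            "fields": sorted(fields),
        })

    def read(self, actor: str, role: str, customer_id: str) -> Dict[str, str]:
        """Return the record as the role may see it, or log a denial and raise."""
        allowed = ROLE_FIELDS.get(role)
        if actor in SHARED_ACCOUNTS or allowed is None or customer_id not in self._records:
            self._log(actor, role, customer_id, "denied", [])
            raise PermissionError(f"{actor} ({role}) may not read {customer_id}")
        record = self._records[customer_id]
        # Fields outside the role's need-to-know are masked, not omitted, so the
        # agent can still confirm identity without ever handling the full number.
        view = {k: (v if k in allowed else mask(v)) for k, v in record.items()}
        self._log(actor, role, customer_id, "allowed", allowed)
        return view


if __name__ == "__main__":
    store = CustomerStore(CUSTOMERS)
    print(store.read("jane.doe", "support", "C1001"))
    try:
        store.read("admin", "fraud_analyst", "C1001")
    except PermissionError as exc:
        print("denied:", exc)
    for event in store.audit_log:
        print(event)
```

Denied attempts are logged as well as successful reads: a burst of denials from one account is often the earliest sign that a credential has been misused. In production the log should be written to an external, append-only sink rather than kept in process memory, so that someone with access to the application cannot edit their own trail.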
If information needs to be shared, it should be encrypted, and the key or passphrase needed to decrypt it should be sent to the recipient separately from the data itself, over a different channel. Only the intended recipient should hold that key, and it should not be passed on to others.
When working with third parties, only a few people should be given access to documents, and private information should stay within the company wherever possible to ensure confidentiality. The third party's security posture should be checked, for example through audits or recognised certifications, to ensure that they meet high standards of security.
Training employees creates a risk-aware environment and allows employees to recognise signs of vulnerability. It might seem obvious that training is something every organisation does. However, human error has been a factor in 82% of data breaches. Effective education and communication are necessary, along with reminding employees of the importance of following policies. Something that may seem insignificant could have serious consequences for the safety of the data.
Employees should be educated on how to spot phishing and ransomware attempts and what a scam could potentially look like. They should be trained to recognise fake emails and to distinguish phishing from authentic messages. To reduce the load on employees, email filtering should be in place to block as many phishing and spam messages as possible before they reach inboxes.
Training should also be provided to educate employees on how to respond to a cyberattack. A response plan is necessary to minimise, if possible, the impact of a cyberattack. Informing employees and customers and being transparent with them could potentially lower the damage to the company’s reputation.
Polonious maintains ISO27001 certification which means our software and processes are always maintained to meet the highest international standards for security. To prevent a data breach, we can assist businesses with internal audits that can detect weaknesses and improve operations and systems. Polonious also has cyberattack response workflows that will ensure a coordinated and consistent response to cybercrime in order for the organisation to recover quicker. Find out more by requesting a demo.
Cybersecurity is an ongoing process
The Optus data breach could have many consequences for both the business and its customers. However, it should remind companies that no one is safe from a cyberattack, all businesses must be prepared and strategies should be implemented even if the organisation is small with only a few employees.
The strategies the company has in place should be regularly reviewed so they stay relevant and the business can ensure that it responds to all risks it is facing. Managers may decide that they need new policies or should update current ones. However, policies are not effective when they are not enforced.
The business should also communicate to employees that cybersecurity is not a temporary threat. It is always present, and strategies can only minimise the probability of an attack occurring, not eliminate it. Hackers constantly adapt and develop more sophisticated ways of stealing information, which can leave even the most secure company vulnerable.
Every time a new employee is hired and every time training is neglected, the possibility of a cyberattack increases, as human error becomes more likely. It is crucial that every business implements induction procedures that stress the importance of cybersecurity and that mandatory training is provided to every employee. Many companies require their employees to complete online modules every few months to ensure that they are up to date on the latest issues. They also send out reminders to ensure that employees do not skip the required training.
Treating cybersecurity like an ongoing process instead of a one-time risk can potentially prevent an incident similar to the Optus data breach and maximise your company’s growth.
Book a Demo Now
Learn more about how Polonious can help you with your cybersecurity.