Cyber Insurance Deep Dive: The Optus Case Study

Given the ongoing publicity around the Optus data breach and the controversial class actions that have ensued since, we thought it would be pertinent to give a brief review of what has become one of the biggest cyber security events in Australia’s history.

In September 2022, a group of cybercriminals suspected to be affiliated with a state-sponsored entity infiltrated Optus’ internal network, exposing the personal data of nearly 10 million customers, close to 40% of the total Australian population. It remains to be confirmed how the criminals obtained access, though the most publicised theory is that it was through an unprotected and publicly exposed Application Programming Interface (API). This API operated without any user authentication, so anyone on the internet could connect to it and query customer data without providing a username or password.

The cybercriminals leaked samples of the sensitive data on online forums shortly afterwards, demanding a A$1.5 million ransom in cryptocurrency. Surprisingly, they backtracked on their demands a few days later under pressure from law enforcement, issuing an apology on the forum and claiming to have deleted all the compromised data. However, this initial ransom demand has proved to be just the tip of the iceberg in terms of the total cost that could be borne by Optus as a result of the ongoing saga.

Preliminary estimates were that the company had put aside A$140 million for costs relating to the breach, which includes the cost of commissioning Deloitte to conduct an “independent external review”. It is yet to be confirmed whether this figure is accurate, particularly after the news in April last year that Optus has found itself embroiled in a class-action lawsuit involving at least 1.2 million of the affected customers, the cost of which does not appear to have been included in that figure.

Furthermore, in terms of the quantum of brand damage, an estimate in a recent Financial Review article explained that whilst Optus was on track for one of its biggest years of growth in brand value before the cyberattack, the attack meant that instead of growing from its A$4 billion brand valuation in 2022 to a forecast A$4.5 billion in 2023, it fell to A$3.3 billion: a A$1.2 billion blow.

The significance of this event in the history of Australia’s economy and the evolution of our cyber security landscape cannot be overstated. Whilst not all the potential costs would have been indemnified under an appropriate Cyber Insurance Policy, such a policy would have provided a strong basis of coverage response to the insured and, in turn, to the affected Optus customers.

We will likely learn more about the specifics in that respect when the aforementioned Deloitte review is made public. However, Optus are doing their best to prevent that from ever happening, having recently appealed against the court’s decision to publicise the report, claiming it was “highly sensitive” because it contained a forensic investigation into the company’s cyber defences, with the contents allegedly “exposing national security concerns” according to former Optus Chief Executive Kelly Bayer Rosmarin.

Nonetheless, we will continue to monitor further developments as they unfold in what will likely form a precedent case study of cyber risk and security for many years to come. On this theme, we are also going to explore further high-profile cyber events in future blog posts, as well as giving insight into some of our own experiences with cyber claims that we have handled recently, with key takeaways and learnings to share with our network. So please subscribe to our Embrace Risk Blog and follow our LinkedIn Page for more updates.

Also, we of course encourage you to reach out to our Emjay Team if you would like to better understand your business’s cyber exposure and potential insurance options to protect your organisation in today’s highly exposed cyber environment.

========================================================================

References:

https://www.afr.com/chanticleer/optus-smart-to-get-cyber-insurance-20220927-p5blfq

https://www.afr.com/technology/all-optus-customers-can-do-is-hope-20220925-p5bku9

https://www.afr.com/companies/telecommunications/minister-rebukes-optus-for-breach-we-should-not-expect-to-see-20220926-p5bkzr

https://www.afr.com/technology/inside-the-optus-hack-that-woke-up-australia-20221123-p5c0lm

https://www.upguard.com/blog/how-did-the-optus-data-breach-happen

https://www.slatergordon.com.au/class-actions/current-class-actions/optus-data-breach

Christian Cuenca