While it’s still early in the night for Optus’ date with data, it is certain to end messily. The company is already offside with customers who don’t really know if they’re compromised, as well as with the federal government, which believes Australia’s second-biggest telco is not being as forthcoming as it should be about the scale of the data breach.
Still to come are the wider repercussions, as every major corporation has to redouble security efforts to limit the impact on their businesses from customers who were unwilling parties to fraud or wish to reestablish their credentials — and who then decide now is a good time to stop the online transactions essential to everyday life.
The repercussions will last for years, not months. And does anyone seriously think big corporates will shrug off the cost and not try to recoup it from Optus, which fortunately has a balance sheet traceable back to the government of Singapore?
Politics aside, there are serious questions already about our national capacity to deal with contemporary crimes, such as the plundering of half the population’s private information.
Last week, coincidentally the day after the scale of the Optus breach became clear, the Swiss-based IMD World Competitiveness ranking had Australia 31st in the world in its cybersecurity capacity. It showed our digital capacity is rising but the needed security is not — partly because we have underinvested in skills development.
All this coincided with the first airing of the Royal Commission into the Robodebt Scheme, a spectacularly unsuccessful and costly effort to cross-match government data to stop welfare fraud.
The earnest and stern royal commissioner, retired justice Catherine Holmes, conceded in her opening remarks: “A good deal is known about how the robodebt scheme operated, but not much has been revealed about why; about what advice or consultation or reasoning or response to criticism was occurring behind the scenes at any stage. Many people at different levels of government will be asked to give an account of their role in the devising, implementation and continuing of the robodebt scheme, but the focus, appropriately, and in accordance with the terms of reference, will be on those in senior positions who had or should have had oversight of it.”
Presumably, this means former prime minister, treasurer and social services minister Scott Morrison, and his close friend and successor in social services Stuart Robert, will be explaining the processes they and their bureaucrats followed to implement a scheme that raised no money and ultimately led to a $100 million settlement to participants in a class action.
While this will delight the government, hopefully it will also shed some light on how federal bureaucracy goes about managing the nation’s transition to a digital economy that offers great promise beyond politicians directly circulating their smiling faces on Twitter, Facebook and Instagram or planning leadership coups in encrypted WhatsApp groups.
As well as promise, it contains many threats, just as the Optus breach has shown. Citizens should rightly expect that governments have regulations and tools in place to protect what is theirs, i.e. official data such as driver’s licences, passports and Medicare numbers. (Also, is scanning an array of such identification to forge a total of 100 identity points really a 21st-century approach to conducting our affairs?)
Amid all this, the ATO is knee-deep in trying to unravel a scam defrauding approximately $1 billion that ran amok on social media, principally through TikTok. The scam has encouraged at least 40,000 people to register an Australian Business Number, submit a fake return and then claim tax refunds.
How can 40,000 people be drawn into this before the ATO or anyone in government notices? Fortunately, not everyone lost money, but enough did for the ATO to now be aggressively pursuing participants. (The crackdown even carries a code name, Operation Protego, borrowed from the Harry Potter saga, where “protego” is a metaphorical shield to ward off bad spells.)
Hopefully the ATO does a better job than the robodebt architects.
And hopefully the government remains unfazed about using its full powers (and some new ones if necessary) to ensure the Optus security breach doesn’t start costing its victims real money — and that it takes the prompt to build a fortress around our personal data, whether it’s held by government or business.