Smaller firms ‘sitting ducks’ following Optus data breach
Following a massive data breach leaving the personal information of potentially millions of Optus customers compromised, smaller firms have been urged to take a deeper look at their cyber security measures — with some currently “sitting ducks” for cyber criminals.
Customers of Australia’s second-largest telco may have had their names, dates of birth, phone numbers and email addresses stolen in the data breach — which was announced on 22 September — as well as license and passport numbers in some cases.
Kelly Bayer Rosmarin, Optus CEO, said in a statement on Thursday that the telco shut down the attack as soon as they discovered it.
“We are devastated to discover that we have been subject to a cyber attack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” she said.
“As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance. We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.”
On Monday, plaintiff law firm Slater & Gordon announced they would be investigating a possible class action against Optus, in what the firm called “potentially the most serious privacy breach in Australian history” — now the subject of an AFP special taskforce investigation.
Timely warnings for SMEs
Following this, law firms of all sizes — but particularly smaller firms — have been advised to become more diligent. Law Council of Australia president, Tass Liveris, said this is of the utmost importance in the current climate, especially given “the importance and sensitivity of the information held by law firms of all sizes”.
“Cyber security needs to be something lawyers normalise as part of their everyday working lives. Lawyers have a professional duty to protect their clients’ information. While there are some slight jurisdictional differences, the general duty is much the same throughout Australia. The issue of client confidentiality is now well accepted as being threatened by inadequate cyber security arrangements,” he told Lawyers Weekly.
“To this end, the Law Council, with assistance from its Constituent Bodies, developed the Cyber Precedent suite of resources to assist the legal profession to actively protect itself from cyber attacks. The Law Council is currently reviewing these resources to ensure that they remain fit for purpose against evolving threats.”
CPA Australia spokeswoman Dr Jane Rennie told Lawyers Weekly’s sister brand, Accountants Daily, it is now crucial that the federal government become more aware of the cyber risks for small businesses, who typically lack the resources of a large company to protect against online criminals.
“Australian small businesses are sitting ducks for cyber attacks. They simply don’t have the same resources as big corporates to protect themselves against cyber crime.
“New scams, phishing attacks, identity theft and other cyber crimes are occurring daily. A cyber attack can be costly, damaging a company’s reputation and putting customers, business owners and employees at risk.”
In response to the breach, Cyber Security Minister Clare O’Neil tweeted that reforms to companies’ cyber obligations would be announced this week – stating that the reforms will “enable companies such as Optus to more rapidly provide data to banks following security breaches.”
With research showing two-thirds of small businesses had failed to review their cyber security in the past 12 months, these businesses need a helping hand getting up to speed.
“Too many small businesses are uninsured and unprepared for cyber attacks. Increasing digital literacy and cyber awareness in business owners and their businesses is critical,” Dr Rennie added.
“Technology training and resources for small businesses need to be increased. We want the federal government to provide this support in the upcoming budget.”
Travis Schultz, managing partner at Travis Schultz & Partners, echoed a similar sentiment — and told Lawyers Weekly that increased funding was needed to support smaller firms.
“It’s all well and good to have the best cyber security experts, modern antivirus software and optimum data protection capabilities, but at the end of the day, the weakest link is always going to be human. Small firms need to invest heavily in training of staff, reinforcing risk management techniques and constantly investing in updates so as to arm the team with the intuition to recognise and respond to cyber risks,” he said.
“The prevalence of cyber crime has increased enormously in recent years and there is no reason to think that its exponential rise is not going to continue. Funding is required at a national level to resource the Australian Cyber Security Centre and other agencies to provide greater support for small and medium-sized businesses who don’t have the financial capacity of larger organisations to employ gold standard cyber threat management practices.”
Barristers taking action
The importance of having cyber security measures was also discussed at the Australian Bar Association annual conference in April, during a panel discussion with barrister Michael Rivette and Australian information and privacy commissioner Angelene Falk, who both emphasised the importance of barristers’ legal obligations around cyber risk.
“I think the pandemic has really brought home to us the fact that individual privacy rights and protecting them appropriately is important for the public interest, and if we think about the pandemic and two years ago, you will remember our chief health officers standing before us, and they would give us general information but they would never reveal the identity of people who had contracted the virus,” Ms Falk said.
“And that was very deliberate because if people felt that their personal information would be revealed, it would drive down testing and it would discourage people from actually accessing health. So that's a public interest outcome, a collective harm that could result from an individual disclosure. And if we expand that out to the legal profession, I think there is a risk that major data breaches that occur through the hands of the legal profession could bring into disrepute access to justice and the confidence in the system.”
Because of this, Mr Rivette urged law firms and barristers to adopt a best-practice approach moving forward.
“The implications of how we deal with data, apart from being just basically ethical and responsible, given that we are the custodians of information that's given to us, we have to use best practice,” he said.
“We're moving into terrain with data where the ramifications of breach and sloppy practice can be enormous. It can be enormous to your reputation. You can have personal liability in certain circumstances, but, most importantly, the people who are paying our fees we may be putting at risk, and that's kind of an intolerable position.”