The Guardian Australia

Optus customers, not the company, are the real victims of massive data breach

- Justin Warren

The Optus data breach has brought data security into the forefront of every Australian’s mind. While it’s good people are thinking about these issues, the best time to start thinking about them was years ago. The second-best time is now. It’s important then that we analyse how Optus has handled this breach so far, and what needs to be done to ensure it doesn’t happen again.

Privacy harm is real

Straight after the breach, Optus made claims that it was “not currently aware of any customers having suffered harm”. This suggests that Optus doesn’t consider the widespread damage to people’s privacy harmful. This is wrong.


Privacy harm is harm, one that companies like Optus need to take far more seriously. Privacy, once lost, cannot be easily regained.

When companies and governments emphasise that no passwords or financial information were exposed, they focus on things that are easily changed or replaced. For some people, having an abusive ex-partner learn their current address from a data breach is life-threatening. Will Optus buy domestic-violence survivors a new house? Will it compensate them for having to move their children to a new school again?

And while most Optus customers have ‘mere’ financial fraud to worry about, their life now contains a lot of tedious, expensive, and time-consuming tasks like setting up credit monitoring, changing licence numbers and getting new passports.

Optus is not the victim

Optus positioned itself early on in the crisis as a hapless victim, despite claims in parliament that they had contributed to the breach. Some claim that Optus exposed an unprotected application programming interface (API) to the internet, in effect providing customer details to anyone looking. If this is accurate, then it wasn’t ‘sophisticated’; it was negligent.
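The “unprotected API” pattern the paragraph above describes, placed beside the authenticated, per-customer version a defender would expect to see, as an added example. It is not from the article and is not Optus’s actual code; the customer records, the token store, the audit log and the `/api/customers/<id>` path are all constructed for illustration.

```python
"""Added illustration: an unauthenticated customer-lookup handler next to a hardened one.
Nothing here is Optus's code; records, tokens and paths are constructed for the example."""
import hashlib
import secrets
from collections import Counter
from typing import Optional

# Constructed sample records (no real people). Note how much sensitive data sits in one row.
CUSTOMERS = {
    "1001": {"name": "A. Example", "address": "1 Sample St", "licence": "LIC-0001",
             "dob": "1990-01-01", "plan": "Basic"},
    "1002": {"name": "B. Example", "address": "2 Sample Rd", "licence": "LIC-0002",
             "dob": "1985-05-05", "plan": "Plus"},
}

# Hypothetical token store: sha256(token) -> customer id the token was issued to.
# A real deployment would get this from its identity provider; hashing at rest is the point.
_TOKENS: dict = {}
AUDIT_LOG: list = []  # one line per denied request, for the detection function below


def issue_token(customer_id: str) -> str:
    """Issue a random bearer token bound to exactly one customer."""
    token = secrets.token_urlsafe(32)
    _TOKENS[hashlib.sha256(token.encode()).hexdigest()] = customer_id
    return token


def _customer_for_token(token: str) -> Optional[str]:
    return _TOKENS.get(hashlib.sha256(token.encode()).hexdigest())


def vulnerable_lookup(path: str, headers: dict) -> tuple:
    """The pattern the article describes: no credentials are checked, so anyone who knows or
    guesses an id receives the full record. Kept here only as the 'before' picture."""
    customer_id = path.rsplit("/", 1)[-1]
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def hardened_lookup(path: str, headers: dict) -> tuple:
    """Authenticate the caller, then enforce object-level authorisation: a token only reaches
    the record it was issued for. Mismatched ids get 404 rather than 403 so the endpoint does
    not confirm which ids exist. Only the fields the client screen needs are returned."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        AUDIT_LOG.append(f"deny path={path} caller=- reason=no_credentials")
        return 401, {"error": "authentication required"}
    caller_id = _customer_for_token(auth[len("Bearer "):])
    if caller_id is None:
        AUDIT_LOG.append(f"deny path={path} caller=- reason=bad_token")
        return 401, {"error": "authentication required"}
    requested_id = path.rsplit("/", 1)[-1]
    if requested_id != caller_id:
        AUDIT_LOG.append(f"deny path={path} caller={caller_id} reason=not_owner")
        return 404, {"error": "not found"}
    record = CUSTOMERS.get(requested_id)
    if record is None:
        return 404, {"error": "not found"}
    # Data minimisation at the API boundary: licence, address and date of birth never leave.
    return 200, {"name": record["name"], "plan": record["plan"]}


def enumeration_alerts(log: list, threshold: int = 3) -> dict:
    """Detection: count not_owner denials per authenticated caller. A caller walking through
    other customers' ids shows up as a burst of these lines."""
    counts = Counter()
    for line in log:
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        if fields.get("reason") == "not_owner":
            counts[fields["caller"]] += 1
    return {caller: n for caller, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    token = issue_token("1001")
    print(vulnerable_lookup("/api/customers/1002", {}))              # full record, no credentials
    print(hardened_lookup("/api/customers/1002", {}))                # 401
    print(hardened_lookup("/api/customers/1001", {"Authorization": f"Bearer {token}"}))  # minimal record
    print(hardened_lookup("/api/customers/1002", {"Authorization": f"Bearer {token}"}))  # 404, logged
```

The hardened handler fixes two separate failures the paragraph implies: missing authentication (anyone can call it) and missing authorisation (a caller can read records that are not theirs). The audit log and `enumeration_alerts` show the detection side: an id-walking pattern is visible in the denials long before the data is gone.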

Yet the specifics of how the breach happened don’t really matter.

Optus is a billion-dollar corporation, and its executives are paid millions to ensure that, among other things, its customer data is safe. These are the people who should be held to account for Optus’ failure to properly protect the information customers entrusted them with.

A series of choices were made that led up to this event, and it is only right that serious and pointed questions should be asked of the people who made those decisions.

If this feels unfair or unreasonable, they should feel free to resign so that someone else who is up to the task can do it instead.

Too much data is being stored

You can’t lose what you don’t have. If Optus had collected less data from people, and hadn’t held it for as long, it wouldn’t have been quite so vulnerable to leaking the data to anyone. But companies have placed far too much value on collecting and keeping as much personal data as they can. Some justify this obsession with claims that magical algorithms, Big Data, and AI will make our lives better. And yet all that seems to happen is that we get shown more ads for things we don’t like.

Australian governments, state and federal, are complicit in this surveillance because they require companies to keep more and more data about us. Overblown claims about online predators are used to pass ever-more intrusive surveillance laws that compel private companies to spy on us on their behalf.

We need more robust privacy protections and we need them to be enforced. When companies like Optus collect data they don’t need, keep it for too long, or fail to protect it, there should be meaningful consequences. If the Optus data breach happened in the EU, Optus would be facing fines of up to 4% of its global revenue for the past year, about $640m based on Optus’ 2021-22 financial results.

Which is acceptable as a deterrent, but doesn’t help the millions of customers whose privacy has been violated.

We shouldn’t have to wait for underfunded regulators to slowly rouse themselves into action some years after the damage has been done. In 2014, the Australian Law Reform Commission (ALRC) recommended that a tort of serious breach of privacy should be created so that all of us, as individuals, can take action on our own when regulators can’t – or won’t – act for us. This would help us at least get compensation for the work we now have to do cleaning up the mess made by Optus.

Those with power in Australia must be compelled to value our privacy more than their own power, money, or status or we will continue to see data breaches like this. We have pleaded, begged, and asked nicely for decades and have been ignored.

Clearly the time for asking nicely has passed.

Justin Warren is the chair of Electronic Frontiers Australia, a not-for-profit organisation that promotes digital rights

Photograph: Bianca de Marchi/AAP. Caption: For many Optus customers, their life now contains a lot of tedious, expensive, and time-consuming tasks
