
Opinion

Paul Smith

Optus hack secrecy leaves questions of competence hanging

It is almost a year since Optus’ big data breach. The telco has decided to keep the findings of the independent review it said would help rebuild customers’ trust secret.

Paul Smith, Technology editor

Nobody likes their anniversary to be forgotten, but Optus chief executive Kelly Bayer Rosmarin would very much like no fuss to be made on September 22, which marks one year since her company suffered a data breach that awoke Australia to the threat of cybercrime.

Optus and its leader suffered an undoubtedly torrid time after crooks made off with personal data, including identity documents of up to 9.8 million customers.

Optus CEO Kelly Bayer Rosmarin has spoken publicly numerous times about lessons learned from the data breach. Photo: Michael Quelch

It was subjected to much harsher public scrutiny from the government than Medibank, and research firm Roy Morgan has named Optus as the least trusted brand in Australia.

None of this, however, excuses a newly revealed decision by Optus to keep the findings of an independent review of the breach, commissioned to Deloitte, under lock and key.

“Optus can confirm that Deloitte has completed its report. The report is confidential and the subject of a legal professional privilege claim,” was Optus’ response to The Australian Financial Review’s inquiries about when the findings would be shared publicly.


Medibank made exactly the same decision with the review into its breach, just without hiding behind the legalese.

This is a backflip from Optus’ leadership, which had implied when the Deloitte report was commissioned that its findings would be shared.

“We are determined to find out what went wrong ... This review will help ensure we understand how it occurred and how we can prevent it from occurring again,” Bayer Rosmarin said in a media release announcing the commissioning of the report.

“This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.”

Customers left out of loop

It is pretty hard for a report to help the rest of the community if it is filed in the CEO’s bottom drawer.


Optus claims it is sharing the lessons from the breach privately with other companies and government, and that sharing too much information publicly would help criminals. This may have some truth to it, but blatantly leaves its customers out of the loop.

When Deloitte was commissioned, Bayer Rosmarin also said the report would assist in Optus’ efforts to rebuild trust with its customers. It seems the company is satisfied that this job is done.

There are understandable reasons to not release such a report. First, it may reveal weaknesses that other cyber criminals could still exploit; second, the very act of Optus talking publicly about cleaning up its cyber act would precipitate increased attempts from hackers to prove it wrong – such is the nature of cybercrime.

Optus is also facing class actions, which it will not want to assist.

However, important questions remain unanswered about the Optus breach and just how it happened.

Much of the public debate around the time of the breach was centred on the accusation that Optus had “left the window open” for an attacker to climb through, via an unsecured API. Given the scale of the breach, this would have shown humiliating incompetence, and would likely have seen heads roll.


Although Optus’ boss has commendably spoken publicly numerous times this year about lessons learned from the data breach, and has rejected that simplistic characterisation of it, she is yet to explain why the accusation is wrong.

“While it might reassure some to think that Optus was an easy target or didn’t care about security or wasn’t investing enough, that’s not the case. It’s much harder and scarier to accept that even well-meaning, well-resourced companies who do prioritise protecting their customers can also be attacked,” Bayer Rosmarin wrote in the Financial Review in March, when she also appeared at this masthead’s annual Business Summit.

So what happened? Customers deserve to know, and other organisations really need to know.

Paul Smith edits the technology coverage and has been a leading writer on the sector for 20 years. He covers big tech, business use of tech, the fast-growing Australian tech industry and start-ups, telecommunications and national innovation policy. Connect with Paul on Twitter. Email Paul at psmith@afr.com
