On the evening of 20 September 2022, Kelly Bayer Rosmarin agonised over whether to board her scheduled flight back to Australia. The chief executive of Optus, a telecommunications giant based in Sydney, Bayer Rosmarin was sitting in a US airport when she received an unsettling call from her colleagues in Oz. Suspicious activity had been detected on the company’s networks, they said, though precisely what this entailed remained unclear. As her boarding gate was announced over the airport intercom, the executive had to make a choice: travel straight home, but in the knowledge that the lack of Wi-Fi on her Qantas flight would cut her off from events, or stay and try to manage the crisis from the US.
In the end, Bayer Rosmarin decided to stay put in Los Angeles and remain online – a prudent decision, in retrospect. What began as a vague description of anomalous traffic on Optus’ network quickly mutated into a major crisis, with cybercriminals hacking through an unprotected API to steal the personal details of nine million of the company’s customers, including home addresses, driving licence numbers and passport details. Australian cybersecurity minister Clare O’Neil called the breach “unprecedented” and said Optus had “effectively left the window open for data of this nature to be stolen”.
Worse was yet to come. Just a few weeks later, Medibank, Australia’s biggest health insurer, suffered a similarly devastating cyberattack. Hackers managed to access its network through a misconfigured firewall, pilfering the personal details of some 9.7 million current and former customers. Then, in mid-March, another breach hit consumer lender Latitude Financial. Some 14 million customer records were stolen in that incident, including 7.9mn driver’s licence numbers and 53,000 passport numbers.
Broadcaster ABC – which interviewed one unfortunate woman whose personal data had resided with all three companies – dubbed the hacking of Optus, Medibank and Latitude the ‘terrible trifecta’, a data protection disaster that’s impacted a third of Australia’s population of 27 million people. Little surprise, therefore, that the country’s federal government has announced bold steps towards overhauling its cybersecurity policies, even setting a target to become “the most cyber secure country in the world by 2030”. It’s a lofty aspiration for a nation that, just last December, scored the inauspicious title of ‘most frequently hacked nation in the world’. Will it be enough to turn Australia from a tempting target into a cybersecurity fortress?
Australia’s cybersecurity meltdown
Optus and Medibank were hardly the first Australian companies targeted by cybercriminals. Last November, a report by the Australian Cyber Security Centre found that criminals and state-sponsored hackers attacked Australia, on average, once every seven minutes between July 2021 and June 2022. The agency said it had received 76,000 cybercrime reports in that period – up 13% from the previous year.
What went wrong? It is true that cybercrime has been rising rapidly around the world, exacerbated in part by the escalating activities of Russian ransomware gangs, explains Susie Jones, CEO of Cynch Security. But it’s also fair to say that cybersecurity in Australia had, until the Optus hack, been largely neglected. “We just haven’t paid enough attention to this issue,” says Jones. “Until we saw these incidents, people and businesses didn’t really believe this sort of thing would happen in Australia – but there’s no doubt about it now.”
The breaches of Optus and Medibank were a painful wake-up call. “The moment the Optus hack happened – because so many people were affected – it instantaneously changed the way that consumers were thinking about how their data was being handled by the corporations that they trust,” says Jones. “All of a sudden they were asking questions of businesses that they would never have asked.”
Australia’s new Labor government was just as shocked. Elected in May 2022, the new administration had promised a new approach to solving the country’s cybersecurity problems, starting by actually appointing a cybersecurity minister, a portfolio that had been left conspicuously vacant by the previous Liberal-led administration. The response of that minister, Clare O’Neil, to the Optus crisis was to ratchet up the fines for any firms struck by similar breaches in the future, raising the penalties from AU$2.2m to either AU$50m, three times the value of any benefit had through the misuse of any information stolen, or 30% of a company’s adjusted turnover during a breach.
In February 2023, the Australian government also announced the launch of a new agency – the National Office of Cyber Security – to oversee government investment in cybersecurity and help coordinate responses to cyberattacks. Prime Minister Anthony Albanese told industry leaders that existing policies and regulations “are simply not at the level that we need them to be” when it comes to cybersecurity. “This is really fast-moving. It’s a rapidly evolving threat, and for too many years, Australia has been off the pace.”
That same month, the Australian government also published a discussion paper outlining plans for its new cybersecurity strategy and seeking feedback from businesses. It mulled a potential ban on ransomware payments and suggested that the 2018 Security of Critical Infrastructure Act should be expanded to enable the Australian Signals Directorate intelligence agency to commandeer a company’s IT systems whenever they’re subjected to a cyberattack.
Other nations stand to learn a lot from Australia’s rapid regulatory response, argues Andy Watkin-Child, founder of cyber-risk consultancy Parava. “Not only did they take a very public stance on what was going on, but they made it very clear that cyber was going to be regulated,” says Watkin-Child. As for Australia’s Minister for Cyber Security Clare O’Neil, Watkin-Child doesn’t hold back in his admiration. “O’Neil seems to have done more for cybersecurity in six months for Australia than most other leaders in other countries have done over 12–18 months.”
In January, Australia’s attorney general, Mark Dreyfus, announced that Australia would consider implementing European-style ‘right-to-be-forgotten’ privacy laws as part of a package of modernisations to the country’s Privacy Act. “GDPR certainly changed a lot of behaviours right across the globe,” says Jones. “I think if we had that sort of regulation here in Australia, that was really enforced as well, that that would certainly help.”
Might Australia even go as far as the US Securities and Exchange Commission (SEC), which is proposing much tighter regulations on cybersecurity disclosures? Ian Yip, founder of cybersecurity firm Avertro, thinks that would be a step in the right direction. “What the US is doing is along the right lines,” he says. “I think the regulators are starting to figure out that they need to do more than just encourage box-ticking exercises.” And Yip believes that Australia is likely to take inspiration from America. “As the US goes, the rest of the world tends to follow – even though we will never admit to it,” he says.
Nevertheless, Australia still has a lot of catching up to do. And, like many nations, it’s also still grappling with a cybersecurity skills shortage. Education, therefore, is the subject of the hour – but that’ll need to be matched by meaningful action, says Simone Herbert-Lowe, director of the advisory firm Law & Cyber. “The Australian Institute of Company Directors is really going hard trying to educate company directors about it. I don’t think there’s an awareness issue now at that higher level […] but there’s going to be a big lag between that awareness percolating down to everyone else and actually being actioned.”
Herbert-Lowe also believes that Australia should offer a robust package of financial support for any firms looking to do the right thing when it comes to shoring up their cybersecurity – especially SMEs.
New rules are great, argues Yip, but they need to be enforceable. “If they don’t enforce the regulation, then the behaviour will start to devolve back to the status quo.” Even so, the cybersecurity expert remains optimistic about the course Australia’s taken this past year – even though it took a spate of major breaches to make it happen. “The silver lining,” he says, “is that it’s forcing behavioural change [and] it’s forcing regulatory change.”