The Optus Data Breach Communications – A Case Study of What Not to Do in the Wake of a Breach
There has been a great deal of backlash in the wake of the Optus data breach announced on 22 September 2022. Much of the dissatisfaction comes from how Optus handled its crisis communications with government departments and its customers. In this post, we’re going to look at what went wrong – and we’ll tease out some key lessons for other organisations.
Optus Data Breach Communications – Early Stages
Lesson 1: Be certain of your facts
Optus came out hard with the claim that it was the victim of a sophisticated cyber attack. It is a claim we have heard many times before, and it carries an implicit message: despite an organisation's best efforts, a targeted attack from a sophisticated source is likely to succeed because organisations simply cannot protect against everything.
However, questions were quickly raised about this characterisation, starting with the ABC's report, citing an insider, that the 'attack' was largely the result of an internal error that left the huge trove of data relatively easy to extract.
In fact, the Minister for Cyber Security, Claire O’Neil (who had been working closely with Optus) said she did not believe that there had been such an attack. In her view, Optus left the window open for a cyber criminal to conduct a simple hack.
This may have been the start of a souring of relations between Optus and the government.
Lesson 2: Co-operate with the government and regulators
The Australian Government has explicitly said that Optus is not cooperating and that its response is not good enough. The government noted that, while Optus stated that it had alerted the 10,000 users whose information was published online by text and email, in its view this response was simply not sufficient.
The expectation was that people would be notified more quickly, in a more uniform way and provided with all of the information they needed to work out how to best protect themselves from further harm.
Optus hit back at the government in its message to its customers, published on 3 October. The telco repeatedly blamed the delay in notifying affected individuals on the various licensing authorities, "all of whom have different rules, all of whom have different information that's required in order to validate checks on those types of IDs."
It went on to state that 2.1 million customers may need to take further action, and then that these customers had been contacted directly.
Lesson 3: Keep communications clear and simple
Optus’ message to its customers provided some information about what to do plus some resources.
However, the customer-focused information was scattered amongst information about Optus’ response as well as a commentary about the strength of its cybersecurity.
Optus has also taken out a one-page ad in newspapers, in which it acknowledges that it has ‘heard’ its customers’ complaints about the communications to date.
One week on and Optus pays up for splashes in the Saturday newspapers apologising for last week’s saga breach and conceding the comms strategy wasn’t up to scratch. @SBSNews pic.twitter.com/YVmNW6O4SI
— Naveen Razik (@naveenjrazik) October 1, 2022
Optus' response has not been effective: its communications remain confusing and self-serving rather than customer-centric. Its public-facing communications read as attempts to preserve Optus' reputation. By focusing on self-preservation and ignoring customer concerns, those communications have, to date, been poorly received.
For many Optus customers, their monthly bill was one of the earliest communications they received from Optus in the wake of the breach.
Consider the message to its customers:
Visitors to the page must scroll past a video and read 192 words before finding out that Optus is still contacting those whose data was not affected by the breach. There are no design features that make this crucial information more visible than information like “Upon discovering [the unauthorised access], Optus immediately shut down the attack.”
Other Key Takeaways for Australian Organisations
In addition to the communication lessons that can be learned, there are many other warnings for organisations.
In particular, all organisations should be careful to:
- Have a data breach response and communications plan in place before a data breach occurs.
- Only collect and store the information you need. Storing identity documents for long periods of time carries significant risk, which can often be reduced or eliminated through alternative data processing procedures (for example, verifying a document and retaining only a record that the check was completed, rather than the document itself).
- Ensure that communications in the wake of any data breach are accurate, honest and customer-focused. Lingering uncertainty will harm your organisation’s reputation, potentially permanently.
If you need help developing your data breach response, reach out. Our privacy lawyers would love to help.
Want to learn more about the Optus Data Breach?
Read our post about what should change in the wake of the Optus Data Breach and listen to Privacy 108’s founder Dr Jodie Siganto speak about the breach on ABC Radio.