Lessons Learned from the Optus Data Breach
Maybe you heard, but Optus, one of Australia’s largest telecoms, was recently the target of a massive data breach. The personal data of about 10 million customers was stolen. However, numbers alone didn’t make the Optus data breach such a massive incident. What did, and what lessons can all companies take away from it?
The Optus data breach
For starters, the very weekend of the hack, an anonymous user published samples of the stolen data, demanding USD 1 million.
Soon thereafter, another 10,000 customer records were released.
The user then suddenly apologized and deleted the data sets. The data sets, however, were already out in the public domain.
What’s more, this user’s account contradicted Optus’ assertion that the hack had been a sophisticated attack. Instead, the data had been pulled from an accessible software interface.
This was later corroborated by the Australian Cyber Security Minister, Clare O’Neil. In an interview, she said that the hack hadn’t been sophisticated at all, chiding Optus for “[having] left the window open for data of this nature to be stolen.”
Making matters worse, alongside names, birthdates, home addresses, contacts, passport identifiers, and driver’s license numbers, customer Medicare details had also been stolen. Indeed, almost 37,000 Medicare cards had been affected in the breach.
The lesson to learn: prepare for an Optus data breach scenario
So, what then should we take away from the incident? You don’t have to be a big brand to suffer a major reputational blow.
Nor was it just the size and scope of the breach that exacerbated the incident; the company’s own crisis communications did too.
And those crisis communications betrayed a lack of preparation to deal with such a complex disruption.
Unfortunately, it’s lack of preparation for complex disruption that’s becoming the norm in this resilience-challenged day and age.
What are we talking about?
Sure, surveys reveal increased adoption of resilience practices. For instance, over three quarters of organizations reported either having or developing an operational resilience program, according to a BCI survey.
But far from keeping pace with the deteriorating risk climate, the preparations many of these companies have in place remain inadequate.
Resilience practitioners, for their part, are also sounding the alarm, worried that staffers don’t have the requisite knowledge or resources to lead the necessary transition to a more strategic, customer-centric resilience approach.
In the case of the Optus breach, specifically, media sources contend that crisis simulations at Optus focused on the network outage scenario to the detriment of the more complex data breach scenario. That’s even though Optus’ own filings called out cyber security as a significant risk, too, with a major data breach likely to trigger customer backlash, litigation, and fines.
Avoid the Optus data breach scenario by preparing for complex disruptions
What then can be done?
Tackling the complex data breach scenario requires getting serious about foreseeable, complex disruptions, especially those likely to last for long durations.
That means treating complex scenarios (whether large data breaches, pandemics, thorny reputational crises, or others) as standalone threats, i.e., developing a dedicated scenario plan for each.
What are the other common-sense organizational resilience arrangements to consider when addressing a possible Optus data breach scenario? Download our guide, Best-Practice Strategies to Maintain Resilience amidst Complex Disruptions, to find out.