It is rare to see the chief executive of a major national telecoms operator holding back tears whilst making a public apology. Australians have seen a lot of that recently, as Kelly Bayer Rosmarin, CEO of Optus, has struggled with the aftermath of a privacy breach that affects approximately 40 percent of the country's population. The breach has thrust Rosmarin into the limelight as politicians channel the anger of voters who feel both indignant about the need to change their identity documents and fearful of the prospect that their bank accounts may be raided. Could this mark a sea change in executive attitudes towards cybersecurity and data protection, as they realize that the failings of their business could lead to serious damage to their careers? Rosmarin has often been photographed with a beaming smile whilst giving upbeat interviews about the outlook for her company, but it is hard to imagine she will ever again be trusted to be the public face of any PR-conscious Australian business.
There are strong indications of serious data protection failings at Optus. Whilst data relating to 9.8 million people has been breached in total, a subset of 2.8 million suffered a compromise equivalent to ‘100 points of ID’, meaning that so much information has been revealed that somebody else could use it to successfully apply for services such as a bank account. It is common practice in Australia to use a points-based system when checking somebody’s identity. The valuable identity information that has been breached includes the details of individuals’ passports and driver’s licenses, prompting a flurry of applications to the government for replacement identity documents. Optus has been forced to pay the fees when victims of the breach replace a driver’s license, and the opposition Liberal Party would like to see Optus paying for replacement passports too.
You might think a hacker would have to go to extraordinary lengths to penetrate corporate systems in order to obtain access to a database containing such sensitive customer information. However, Information Security Media Group (ISMG) reported soon after the breach that the data was exfiltrated using an insecure Application Programming Interface (API) that was visible to anyone via the internet. Remarkably, Optus had not implemented any authentication controls on the use of the API: any request that reached the endpoint was served. An individual calling themselves Optusdata took credit for the breach on a hacking forum whilst posting the data of 10,200 victims. When contacted by ISMG and asked to explain how they obtained the data, Optusdata replied:
No authenticate needed. That is bad access control. All open to internet for any one to use.
ISMG corroborated this story with a second, unnamed source. Whilst hackers do lie about their methods, the most compelling reason to believe the claims made by Optusdata stems from the weakness of the rebuttals made by Optus. The company has spoken in vague terms about how well it protects data but offers no details about API controls it might have implemented, nor any alternative explanation for how the data was breached. If anything, the lack of specificity in its public communications gives the impression that it lacks either the skills or the data to forensically determine what occurred. Meanwhile, Optusdata deepened Optus’s embarrassment by claiming they would have notified the company of its vulnerability but could not identify any means to do so:
…we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message.
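To make the claim of “no authenticate needed” concrete, here is an added, constructed example that is not Optus code and not a reconstruction of the real endpoint. It models a customer-lookup handler in two forms: one that serves any record to any caller, which is the pattern Optusdata describes, and a hardened one that authenticates a bearer token and then authorizes the caller to read only its own record. The customer records, tokens, URL shape and the enumeration helper are all assumptions made for illustration; this page does not say how the real identifiers were structured.

```python
"""Added example: an open customer-lookup API beside a hardened version.

Not Optus code.  Records, tokens and the URL scheme are constructed for the
illustration and do not describe the real endpoint.
"""

import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (fictional people, fictional document numbers).
CUSTOMERS = {
    1001: {"name": "A. Customer", "dob": "1980-01-01",
           "passport": "PA0000001", "licence": "DL0000001"},
    1002: {"name": "B. Customer", "dob": "1985-02-02",
           "passport": "PA0000002", "licence": "DL0000002"},
}

# Constructed bearer tokens mapped to the customer each was issued to.
TOKENS = {
    "tok-customer-1001": 1001,
    "tok-customer-1002": 1002,
}


@dataclass
class Request:
    path: str        # assumed shape: "/api/customers/<id>"
    headers: dict


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _customer_id_from_path(path: str) -> Optional[int]:
    """Parse the numeric id out of the assumed URL shape, or None."""
    prefix = "/api/customers/"
    if not path.startswith(prefix):
        return None
    tail = path[len(prefix):]
    return int(tail) if tail.isdigit() else None


def vulnerable_lookup(req: Request) -> Response:
    """The open pattern: no authentication and no ownership check.

    Anyone who can reach the host can read any record, and walking the id
    space dumps the whole table.
    """
    cid = _customer_id_from_path(req.path)
    if cid is None or cid not in CUSTOMERS:
        return Response(404)
    return Response(200, CUSTOMERS[cid])


def _authenticate(headers: dict) -> Optional[int]:
    """Return the customer id bound to a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, cid in TOKENS.items():
        if hmac.compare_digest(presented, token):  # constant-time comparison
            return cid
    return None


def hardened_lookup(req: Request) -> Response:
    """Authenticate, then authorize: a caller may read only its own record.

    A record that exists but belongs to someone else gets the same 404 as a
    record that does not exist, so the endpoint cannot be used to confirm
    which ids are valid.
    """
    caller = _authenticate(req.headers)
    if caller is None:
        return Response(401)
    cid = _customer_id_from_path(req.path)
    if cid is None or cid != caller:
        return Response(404)
    return Response(200, CUSTOMERS[cid])


def enumerate_ids(handler, start: int, stop: int, headers: Optional[dict] = None) -> int:
    """Model an attacker walking a range of ids; returns how many records leak."""
    headers = headers or {}
    return sum(
        1 for cid in range(start, stop)
        if handler(Request(f"/api/customers/{cid}", headers)).status == 200
    )
```

Running `enumerate_ids(vulnerable_lookup, 1000, 1010)` returns every record in the constructed table with no credentials at all, whereas the hardened handler returns a single record, and only to the caller that owns it. The two checks are deliberately separate: authentication alone would still let any legitimate subscriber read every other subscriber’s documents, so the object-level authorization check is the one that actually stops a bulk dump.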
Perhaps Rosmarin’s worst mistake was to deflect criticism immediately after the breach by exaggerating how elaborate the hack really was. She appeared on television and asserted:
We are very confident that this was a sophisticated attack.
That claim prompted a terrible backlash from the ruling Labor government, which was keen to shore up its support with ordinary Australians by placing all the blame squarely on Optus. The position of Minister for Cybersecurity is a relatively new role in the Australian government, and the holder of that position, Clare O’Neil MP, directly contradicted Rosmarin during another television interview held just three days later. When asked if she accepted Rosmarin’s claims that Optus had suffered a sophisticated attack, O’Neil fired back:
Well, it wasn’t. So, no.
In case anybody had missed the line, O’Neil then tweeted that part of the interview to make her feelings clear.
What happened at Optus wasn't a sophisticated attack.
We should not have a telecommunications provider in this country that has effectively left the window open for data of this nature to be stolen. #abc730
— Clare O'Neil MP (@ClareONeilMP) September 26, 2022
There were other indications that Optus was unsuccessfully trying to spin the media away from a proper examination of the company’s failings. Dr. Siva Sivasubramanian had been Optus CISO until August of this year, and he posted a message of consolation to social media soon after the breach, concluding with the line:
My prayers are with Optus in these difficult times.
Whatever your feelings about the role of prayer in cybersecurity, the post led to an extraordinary follow-up comment from Tom Piotrowski, the Group Chairman at Unixpac, a business which distributes and resells IT security solutions.
Hi Siva, you probably remember me, though our last contact must have been over a decade ago. Sad moments like this bring my memories of how clueless and careless Optus management was over the years, ignoring your hard work to secure such a vast repository of transactional data of clients. In my capacity as an Australian representative of several leading IT security vendors, I frequently dealt with Optus’ management’s ignorance to proliferate quality data security prevention tools, with your key contractors using an unauthorised number of licenses issued and hence likely propagating them without the necessary updates. Whilst that was a long time ago, I would not be surprised to learn that the practice could have continued until the later days. I am writing this also as a victim of the latest fraud, having received a letter from the Optus CEO, Ms Kelly Bayer Rosmarin, today advising me that the personal data I entrusted to the organisation was compromised.
I have nothing against Rosmarin personally, but when reviewing the news on the day following the breach I was struck by how she represents a way of doing business that continually emphasizes happiness over reliability. Prior to the breach she was photographed grinning alongside Formula 1 racing driver Daniel Ricciardo, who occupies the position of ‘Chief of Optimism’ at Optus. Rosmarin hugged former world no.1 tennis player Ashleigh Barty as she introduced her as the company’s new ‘Chief of Inspiration’. We can all understand that mobile phone operators are selling their services to a mass market, but where was the marketing that said Optus was trustworthy, dependable and secure? It is good to sell mobile phones to sporty young people who want to feel good about life, but some customers have other priorities too. If I had to apply for a new driving license, or complain to my bank because my money had been stolen, I would not be feeling good about life. Optus seemed to be so completely focused on ‘unlocking the power of yes’ that they paid insufficient attention to locking the power of APIs.
Unintentionally, Ricciardo has become an ideal choice for Chief of Optimism at a business that is being bashed by the politicians of both major parties whilst being squeezed for money to make amends for its failings. Ricciardo is one of the most popular racing drivers because of his sunny personality and penchant for daring overtaking maneuvers. However, his Formula 1 career is likely nearing its end. Ricciardo’s form in recent years has been so poor that his current team would rather end his contract early and pay him a year’s salary to do nothing than allow him to trail around towards the back of each race, far behind his teammate, for one more season. It is good to be optimistic, but we are ultimately judged on what we deliver.
Managing risk is not a happy, smiley way to pass the time. It is stressful, and hard, and the results are never perfect. We want risk managers to be serious and sometimes dour people because we expect them to care about the consequences of failure, even though we also need to have fun from time to time just like everybody else. We expect good risk managers to care before something goes wrong because any idiot can be relied upon to pull a sad face and say sorry afterwards. Sometimes I wish more executives would show how they care about the consequences of failure before the failure occurs. Instead of just projecting optimism and seeking inspiration, might we not sometimes expect CEOs to show how they value conscientiousness and prudence? Or do we need even more data breaches to make those values fashionable again?
There is something wrong with executive attitudes to the service that telcos provide to the public. It is Rosmarin’s misfortune to now represent the gap between the way executives should behave and how they often appear. Possessing incredibly valuable and sensitive information about millions of people puts telcos in the metaphorical position of sitting atop a wagonload of data explosives. But instead of presenting themselves as serious businesspeople who can be trusted with such a responsibility, too many telco CEOs insist on portraying themselves as happy, smiley dreamers without a care in the world. I do not want my data to be protected by somebody who spends her working day hanging out with a former tennis player and a soon-to-be former F1 driver. If there were the occasional marketing campaign that said a telco should be trusted, that might usefully remind the telco’s employees that they need to be trustworthy.
Whilst I tire of executives with perpetual grins, the antidote is not to see them sobbing into their hankies whilst they spend company money on full-page newspaper adverts that say they are deeply sorry. They should spend money on security. They should spend money on risk mitigation. And they should spend it before they need it, not afterwards. As the backlash in Australia has shown, I am not the only phone user who wants my data protected by somebody who projects solidity, and who has the actual solidity to back up appearances.