Last week, Australian telecommunications giant Optus revealed about 10 million customers – about 40% of the population – had personal data stolen in what it calls a cyber-attack.
Some experts say it may be the worst data breach in Australia’s history.
But this week has seen more dramatic and messy developments – including ransom threats, tense public exchanges and scrutiny over whether this constituted a “hack” at all.
It’s also ignited critical questions about how Australia handles data and privacy.
The alarm was sounded last Thursday
Optus – a subsidiary of Singapore Telecommunications Ltd – went public with the breach about 24 hours after it noticed suspicious activity on its network.
Australia’s second-largest telecoms provider said current and former customers’ data was stolen – including names, birthdates, home addresses, phone and email contacts, and passport and driving licence numbers. It stressed that payment details and account passwords were not compromised.
Those whose passport or licence numbers were taken – roughly 2.8 million people – are at a “quite significant” risk of identity theft and fraud, the government has since said.
Optus said it was investigating the breach and had notified police, financial institutions, and government regulators. The breach appears to have originated overseas, local media reported.
In an emotional apology, Optus chief executive Kelly Bayer Rosmarin called it a “sophisticated attack”, saying the company has very strong cybersecurity.
“Obviously, I am angry that there are people out there that want to do this to our customers, and I’m disappointed that we couldn’t have prevented it,” she said on Friday.
Then a ransom threat was made
Early on Saturday, an internet user published data samples on an online forum and demanded a ransom of $1m (A$1.5m; £938,000) in cryptocurrency from Optus.
The company had a week to pay or the other stolen data would be sold off in batches, the person said.
Investigators are yet to verify the user’s claims, but some experts quickly said the sample data – which contained about 100 records – appeared legitimate.
Sydney-based tech reporter Jeremy Kirk contacted the purported hacker and said the person gave him a detailed explanation of how they stole the data.
The user contradicted Optus’s claims the breach was “sophisticated”, saying they pulled the data from a freely accessible software interface.
“No authenticate needed… All open to internet for any one to use,” they said in a message, according to Kirk.
As data circulates, revelations of more stolen details
In another escalation on Tuesday, the person claiming to be the hacker released 10,000 customer records and reiterated the ransom deadline.
But just hours later, the user apologised – saying it had been a “mistake” – and deleted the previously posted data sets.
“Too many eyes. We will not sale [sic] data to anyone,” they posted. “Deepest apology to Optus for this. Hope all goes well from this.”
That sparked speculation about whether Optus had paid the ransom – which the company denies – or whether the user had been spooked by the police investigation.
Adding to the problem, others on the forum had copied the now-deleted data sets, and continued to distribute them.
It also emerged some customers’ Medicare details – government identification numbers that could provide access to medical records – had also been stolen, something Optus did not previously disclose.
Late on Wednesday, the company said this had affected almost 37,000 Medicare cards.
‘Potentially Australia’s most serious breach’
Optus has been inundated with messages from angry customers since last week.
People have been warned to watch out for signs of identity theft and for opportunistic scammers, who are said to be already cashing in on the confusion.
A class-action lawsuit could soon be filed against the company. “This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed,” said Ben Zocco from Slater and Gordon Lawyers.
The government has called the breach “unprecedented” and blamed Optus, saying it “effectively left the window open” for sensitive data to be stolen.
In an ABC television interview on Monday, Cyber Security Minister Clare O’Neil was asked: “You certainly don’t seem to be buying the line from Optus that this was a sophisticated attack?”
“Well, it wasn’t. So no,” Ms O’Neil replied. The moment drew lots of attention online.
Ms Bayer Rosmarin told News Corp Australia on Tuesday: “We have multiple layers of protection. So it is not the case of having some sort of completely exposed APIs [software interfaces] sitting out there.
“I think most customers understand that we are not the villains,” she said, adding Optus could not say more while the investigation was ongoing.
The company has faced calls to cover the costs of replacement passport and driving licences, as people scramble to protect themselves.
‘A decade behind on cyber-security’
The breach highlights how much Australia lags behind other parts of the world on privacy and cyber issues, Ms O’Neil says.
“We are probably a decade behind… where we ought to be,” she told the ABC.
Both sides of politics have traded blame on the issue. Opposition MPs have said the Labor government is “asleep at the wheel”, but the government points out it was only elected in May after a decade of conservative rule.
Ms O’Neil pointed to two areas needing urgent reform.
She argues the government should be able to better penalise companies like Optus. In some countries, the company would have faced hundreds of millions of dollars in penalties but Australia’s fine is capped at about $2m, she said.
She also wants to expand cyber-security laws that were introduced last year to include telecommunications companies.
“At the time, the telecommunications sector said: ‘Don’t worry about us – we’re really good at cybersecurity. We’ll do it without being regulated.’ I would say that this incident really calls that assertion into question.”
Security experts have also suggested reforming data retention laws so telecommunications companies don’t have to keep sensitive information for so long. Ex-customers should also have the right to request that companies delete their data, experts say.
Optus says it is required to keep identity data for six years under the current rules.
Other industry figures have argued consumers should be able to take companies that lose control of their information to court, instead of the industry regulator.
An advert- and tracker-free search engine launches in the UK, France and Germany on Thursday.
Neeva has 600,000 users in the US, where it launched last year.
Creator Sridhar Ramaswamy, who worked at Google for 16 years and ran its ad business, told BBC News the technology sector had become “exploitative” of people’s data, something he no longer wanted to be a part of.
Trackers share information about online activity, largely to target adverts.
Neeva has raised $77.5m (£68m) from investors.
It offers free-to-use search, with other features such as password-manager access and virtual-private-network (VPN) service to be made available on a subscription basis.
Users are asked to create an account so that subscriptions can be added at a later date.
And the UK price was likely to be about £5 per month, Mr Ramaswamy said.
“We felt the traditional search engines had become about advertising and advertisers – and not really about serving users,” he said.
“Google has a dominant position in the marketplace – and the incentive for them to truly innovate, to truly create disruptive experiences, is not really there.
“And then also as a company they feel obligated to show more and more revenue and profit to their shareholders, so they just keep increasing the number of ads.”
Trying out Neeva
Search the word “migraine” on both Google and Neeva, and the first page of results is fairly similar – links to news articles and factual information.
But with a brand, the difference becomes more stark.
When I try “BMW”, both search engines lead with links to the carmaker’s website and Wikipedia entry.
But while Google follows with a map, social-media feeds and links to used-car dealers, Neeva sticks with different BMW official pages.
Google certainly has more variety – but it is also blatantly pushing me towards buying a car.
Neeva’s Chrome browser extension lists the trackers installed on web pages visited.
I tried a few:
the Daily Mail had 351 trackers
the BBC had four, two of which were internal tools
Tesco had five
Sainsbury’s had 10
parenting forum Mumsnet had 27
the front page of Reddit had three
Amazon had three – all its own
And almost all – but not the BBC – had at least one belonging to Google, meaning Google is receiving anonymised information about users visiting those pages.
While I had the extension activated, no ads displayed around the editorial content.
But ultimately, none of Neeva’s other rivals has dented the dominance of Google search.
“To Bing” or “to DuckDuckGo” – another privacy-focused service – are not verbs in the way “to google” is.
And asked if Mr Ramaswamy could ever topple his former employer, Steph Liu, an analyst at Forrester specialising in privacy and search, said: “Realistically, no.
“It’s a sort of David and Goliath story. Google has too many users, it has too much revenue.
“The ultimate goal is to offer an alternative for the consumer base who are worried about their privacy, who don’t want Google hoovering up their data and targeting ads based on their search history.”
Billionaire Elon Musk has apparently changed his mind about buying Twitter, again, and is now willing to proceed with his takeover of the social media platform.
In a letter to the firm, Mr Musk agreed to pay the price he offered months ago before trying to quit the deal.
The surprise reversal comes just weeks before the two sides were due in court.
Twitter, which had sued Mr Musk to force the takeover to move forward, was seen as having the stronger case.
In the letter, attorneys for Mr Musk said he intended to move ahead to complete the transaction, pending receipt of the financing and an end of the legal fight.
A spokesperson for Twitter acknowledged the firm had received the proposal, adding “the intention of the company is to close the transaction at $54.20 per share” – the price that Mr Musk promised in April.
The apparent win for Twitter sent its shares soaring more than 20% to more than $52 apiece. But the value remained lower than the takeover price, in a sign of lingering investor doubts the deal will go through.
Later on Tuesday, Mr Musk wrote in a tweet: “Buying Twitter is an accelerant to creating X, the everything app”.
When Mr Musk first revealed plans to buy Twitter in a $44bn deal, he said he wanted to clean up spam accounts on the platform and preserve it as a venue for free speech.
But the billionaire, a prolific Twitter user known for his impulsive style, balked at the purchase just a few weeks later, citing concerns that the number of fake accounts on the platform was higher than Twitter claimed.
Twitter executives denied the accusations, arguing that Mr Musk – the world’s richest person with a net worth of more than $220bn – wanted out because he was worried about the price.
The back-and-forth followed a sharp downturn in the value of technology stocks, including Tesla, the electric car company that Mr Musk leads and is the base of much of his fortune.
The fight, which was scheduled to go to trial on 17 October, saw the two sides face off in lengthy court filings, private messages and bitter public spats on Twitter, where Mr Musk has more than 100 million followers.
In one such exchange, Mr Musk responded to Twitter boss Parag Agrawal with an emoji for faecal matter.
Preparation for the trial had ensnarled many of the biggest names in tech, as lawyers for the two companies demanded communications about the deal.
Mr Musk, who could have paid a $1bn break-up fee to walk away, was set to be interviewed ahead of the trial this week.
Some industry watchers, who were taken by surprise by the development, questioned whether the latest twist was a concrete offer or a delay tactic.
A dramatic turnaround
It’s hard to keep track of this deal. On, off, now – it appears – on again.
However, there’s a lot to read into Twitter’s brief statement.
The “intention” to go through with the deal suggests a nervousness that this is a delaying tactic from Musk’s team.
The statement can effectively be read as: “We are going to pursue this sale, whatever Elon Musk says or does.”
The way Twitter also, so pointedly, says it will sell the company at $54.20 suggests they are still worried about Musk lowballing.
So far Musk has been a highly erratic negotiating partner – hot and cold. Keen one minute, looking for the exit the other.
You can see why Twitter is playing it cautiously.
At Twitter, which has been thrown into turmoil since Mr Musk first turned his attention to the firm, staff told the BBC that their bosses were initially silent on the matter, even as the report spread widely.
Investors have long been sceptical that the takeover would go forward, especially since Mr Musk was seen as offering a heady price for a firm struggling to attract users and grow.
Twitter shares had been trading below $43 apiece at the start of the day.
News that Mr Musk had proposed to honour the original agreement sent shares in the company soaring almost 13% before trading was halted.
Wedbush Securities analyst Dan Ives said Mr Musk’s chance of winning in court was “highly unlikely”.
“Being forced to do the deal after a long and ugly court battle in Delaware was not an ideal scenario and instead accepting this path and moving forward with the deal will save a massive legal headache,” he wrote in a report after the news.
But he added that Mr Musk’s ownership of the platform, a top venue for politicians and journalists to spread news and opinion, would still likely cause a “firestorm of worries and questions” in Washington and beyond.
Uber’s former chief security officer has been convicted of failing to tell US authorities about a 2016 hack of the company’s databases.
A jury in San Francisco found Joe Sullivan – fired from Uber in 2017 – guilty of obstruction of justice and concealing a felony.
Increasingly, companies negotiate with ransomware hackers.
But investigators said they must “do the right thing” when their systems are breached.
The conviction is a dramatic reversal for Sullivan, who had at one point in his career prosecuted cyber-related crime for the San Francisco US attorney’s office.
After Sullivan’s conviction his lawyer, David Angeli, said “Mr Sullivan’s sole focus, in this incident and throughout his distinguished career, has been ensuring the safety of people’s personal data on the internet,” the Washington Post reported.
But prosecutors said the case was a warning to companies.
“We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” US attorney Stephanie M Hinds said.
Ms Hinds accused Sullivan of working to hide the data breach from US regulator the Federal Trade Commission (FTC), adding he “took steps to prevent the hackers from being caught”.
At the time, the FTC was already investigating Uber following a 2014 hack.
When it was hacked again, the attackers emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ).
Staff working for Sullivan confirmed data, including about 57 million Uber users’ records and 600,000 driving-licence numbers, had been stolen.
According to the DOJ, Sullivan arranged for the hackers to be paid $100,000 (£89,000) in bitcoin in exchange for their signing non-disclosure agreements not to reveal the hack to anyone.
The hackers were paid in December 2016, even though they had refused to provide their true names.
The payment was disguised as a “bug bounty”, a reward used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.
The Washington Post reported that the process enabled Uber to gather clues about the two hackers. The firm eventually identified the pair – both of whom have since been convicted of criminal offences – in January 2017 and required them to sign new agreements in their own names.
This conviction has sent shivers down the spines of many cyber-security executives.
With organised ransomware gangs, government-backed hacking teams and anarchist kids targeting companies, being a chief information security officer is already a daunting job.
Sullivan being personally convicted for a decision taken on behalf of his employer sets a scary precedent, some say.
For observers, the crimes Sullivan committed in 2016 also read as odd by today’s standards.
Negotiating with hackers and paying them to keep quiet is literally done every day now by corporations hit by ransomware gangs.
The key difference here, the jury found, is that Sullivan tried to cover it up.
Giving cyber-criminals what they want no longer carries the seriousness it once did, but companies, then and now, must always be transparent about how they respond to cyber-incidents that affect them and their customers.
The DOJ said that Sullivan “orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies”.
A new management team at Uber eventually reported the breach to the FTC in 2017 after carrying out their own investigation.
In 2018, Uber paid US states $148m to settle claims that it had been too slow to reveal the hack.
Shock ruling
The verdict was a surprise to many working in computer security. At the time, Sullivan had reportedly informed some senior figures at Uber about the threat.
The court also heard that internal legal advice had suggested there was no need to disclose the hack if the attackers were identified and agreed to delete the data and not spread it further.
Responding to the judgement, Dr Ilia Kolochenko, founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, wrote, “The Uber case is just another illustrative example of the unfolding global trend to hold cyber-security executives accountable for their companies’ data breaches.
“Serious misconduct, such as deliberate concealment of a data breach despite the regulatory requirement to report the breach to mitigate harm, may even entail criminal sanctions.”
Dr Kolochenko said cyber-security executives should urgently check that their employment contracts address issues such as coverage of legal fees in the event of a civil lawsuit or prosecution relating to their professional responsibilities. The contracts should also contain a guarantee that their employer will not sue them, as victimised companies may also do this in the event of a security incident, she added.
Sullivan has not yet been sentenced, and may appeal against the judgement.