It took Cyber Security Minister Clare O’Neil five words to cut through the layers of Optus spin. Asked if she believed the company’s claims that it had been the subject of a “sophisticated” hack last month, she said: “Well, it’s not. So, no.”
The answer was blunt and direct, and it put the telecommunications company on the spot.
Cyber security experts sharpened their own knives. Alastair MacGibbon, former head of the Australian government’s Cyber Security Centre, said Optus’ management of the crisis was poor and made the situation worse.
Medibank – the victim of an even worse hack that revealed personal details such as whether someone was struggling with drugs – has instead received the full Team Australia treatment. O’Neil, a master of strategically deployed invective, called the hackers “dogs,” the “scum of the earth,” the lowest of the low.
But she didn’t have a bad word to say about Medibank, despite the company rolling out a series of updates, each one confirming that the hack was worse than the previous update had suggested. What started with Medibank saying there was “no evidence” of access to customer data is now, two weeks later, a crisis covering all 4 million Medibank customers, and possibly close to that number of former members.
One would hope that Medibank would clarify this figure, but in reality it does not know the full extent of the breach. This is the crux of the critics’ complaints: instead of emphasizing in the early stages what it did not know, Medibank stressed that there was no evidence that the worst had happened. It wasn’t a lie, but it’s a bit like being told the locks on your warehouse have been broken and then being assured everything looks fine, without anyone checking the pawn shop on the way.
At first, it seems O’Neil had no more idea of the full scope of the hack than the rest of us. Opposition cyber security spokesman James Paterson used parliament on Wednesday to press for a response from the government, suggesting O’Neil first spoke to Medibank in person on or after October 19, seven days after the hack was first discovered, although her office had been informed. But even as the full scale became increasingly apparent, with revelations such as the use of a username and password providing “high levels of access” to Medibank’s systems, O’Neil did not attack the company.
“Given the privacy of the data involved, this should have been taken more seriously from the start,” Paterson said in a text. “Once it became clear that credentials had been compromised, there was no excuse.”