First the Optus hack, now a Telstra data breach; Australia’s major telecoms have hit a rough cybersecurity patch. The timing of the two incidents may well be a coincidence, but the breaches of two of the biggest service providers in rapid succession have raised serious concerns among both citizens and lawmakers.
The Telstra data breach appears to be limited to employees of the company that had worked there within the last five years, a far cry from the estimated 10 million records exposed by the Optus hack. Impacted employees have reportedly been contacted by the company, and in most cases it appears only names and email addresses were exposed as the breach was of a third-party signup service.
Australian government eyes stronger rules for private industry after Telstra and Optus hacks
The Optus hack reportedly exposed the records of most of the telco’s customers, with about 150,000 passport numbers and 50,000 Medicare numbers among the data that has been confirmed to have been exfiltrated. Fortunately, the Telstra data breach is not nearly as devastating; 30,000 current and former employees (dating back to 2017) had records exposed, but it appears to be little more than names and email addresses given to a third-party service for a work-related rewards program signup. That should provide at least some comfort to Australians still scrambling to find out if and how much of their data was lost in the Optus hack, and to change numerous personal identification numbers.
The Australian government has recently passed an assortment of legislation aimed at beefing up cybersecurity, but it is not necessarily broadly applicable in the private sector. New laws that took effect in April created new requirements for critical infrastructure companies, telecommunications firms among them, and penalties for ransomware attacks have gone up. The telco incidents demonstrate that there is still work to do, however, particularly in supply chain and vendor security for data in transit and in storage outside of company perimeters.
The government is now considering stronger rules for the country’s banks, requiring them to implement a security response when data breaches involving large amounts of personal information occur.
Data breach of employee files contained minimal personal information, but puts spotlight back on vendor security
Telstra has stated that its customers have nothing to worry about from the recent data breach and that its internal systems have not been compromised. The vendor that was breached appears to have also exposed information from other companies with which it had similar employee rewards program arrangements, most notably National Australia Bank, but nothing appears to have approached the scope of what was lost in the Optus hack.
The two attacks also do not appear to be connected, save for the attackers using the same underground forum to announce the theft of data and offer it for sale. If the Telstra data is as basic as reported, it is likely to be dumped to one of these forums at some point.