KOMPROMAT

The Optus data breach: a lesson in bad crisis communications

Posted 25/10/2022

Over the past few weeks, the Australian news cycle has been dominated by one of the largest cyber-attacks in our nation’s history – the unprecedented Optus data breach.

Having tarnished the telecom giant’s reputation amongst customers, the government, consumer advocates, regulators, and the Australian public, Optus further magnified the breach fallout with a series of mind-boggling failures, mostly due to its poorly executed communication strategy.

With events still unfolding in the media, the Optus debacle acts as a timely reminder of the importance of ensuring your organisation is crisis ready, and of how much damage a poor crisis response can inflict, no matter an organisation’s size and status.


So, what exactly happened to Optus?
On 22 September, the personal details of approximately eleven million past and present Optus customers (almost half the nation) were compromised by what Home Affairs Minister Clare O’Neil suggested was a ‘basic’ breach of security – a statement many cybersecurity experts agree with.

The data exposed included leaked customer names, dates of birth, phone numbers and email addresses, as well as ID documents such as licence and passport numbers.


What’s a data breach?
The Australian Government defines a data breach as when personal information is accessed and disclosed without authorisation or lost.

The biggest risk that comes from this is identity theft and criminals demanding money or other benefits such as getting a mortgage, passport or a new phone account. For Optus, the hacker posted on an online forum stating they would release 10,000 customer records unless a $1 million ransom was paid.


How did Optus initially respond?
Well, put simply – they kinda didn’t. Despite the scale of the breach, the flow of information from Optus was shockingly slow, sparse and disjointed.

To begin with, instead of directly contacting all the affected customers, Optus chose to put statements about the incident on its media webpage and offered no further information about exactly whose data had been exposed, leaving many distressed customers in the dark and having to source details through the media.

An immediate mass email updating all 11 million customers would have been sufficient, however it took Optus another four days post-breach to finally send an email outlining the company’s priority to its compromised customers. Adding insult to injury, the email’s opening line expressed “great disappointment that Optus has been a victim of a cyberattack”, with no formal apology and no word regarding compensation.


How to navigate a crisis
At its core, crisis communication is the dissemination of information by an organisation to address a situation that negatively impacts its customers and/or reputation.

The idea is to be proactive, as it’s in your best interests to get in early and control the narrative. Not only this, but stakeholder satisfaction increases when information is clear and expectations are transparent.

If your organisation is faced with a crisis, the basic communications elements to remember are:

• To express sincere regret via a concisely worded and heartfelt apology (if it is legally appropriate to do so)
• To offer adequate compensation for damage to those affected
• To remedy the problem and ensure it doesn’t happen again
• To promptly and directly communicate with stakeholders.


While crisis communication is often reactive, it certainly helps to have an effective plan in place to ensure processes run smoothly for your organisation should the worst occur.


So, what’s happening now?
Several weeks on, Optus is still leaving stakeholders in the dark regarding compensation and asking its customers not to be concerned. Its response has prompted government calls for Optus customers to be proactive against the organisation.

Subsequently, Optus is now offering “the most affected” current and former customers a free 12-month subscription to Equifax Protect, a credit monitoring and identity protection service that can help reduce the risk of identity theft.


What have we learnt from this situation?
With a breach of this magnitude, consequences are always inevitable. However, the weak response from Optus has only worked to further the ongoing brand damage, and with the government now demanding Optus cover the costs of replacing passports and other identity documents, there is no doubt the organisation will be reeling for some time.

The main takeaway from all this is to ensure your organisation has a clear and concise crisis communications plan in place. Besides this, it’s also important to examine your cyber security precautions, as the government is already signalling new laws for greater accountability and tougher penalties for companies which fail to protect customer data.

To ensure your organisation is crisis ready, reach out to the team at Zakazukha and we’ll help guide you in the right direction.