Optus undertakes extensive security review as sanction for “significant” privacy breaches

Number-two Australian telecommunications company SingTel Optus will undergo a wide-ranging, independent review of its information-security systems after working with the Office of the Australian Information Commissioner (OAIC) to finalise an enforceable undertaking relating to what privacy commissioner Timothy Pilgrim has called three “significant” breaches of customer privacy last year.

The agreement, the first enforceable undertaking finalised under the major Privacy Act overhaul that came into effect in March 2014, relates to three incidents: the mishandling of the personally identifiable information (PII) of 122,000 Optus customers who had asked not to be listed in the White Pages but were listed anyway; a security hole left open during the deployment of 308,000 modems, which left them vulnerable to spoofing attacks by malicious outsiders; and an authentication error that allowed access to certain customers' voicemails without a password.

Pilgrim's investigation concluded that Optus “did not have reasonable steps in place to safeguard the personal information held in its systems at the time the incidents occurred”, as required by Australian Privacy Principle (APP) 11.

The severity of the breach was exacerbated by the fact that each incident affected large numbers of individuals and created “a risk of harm” for those people – particularly those whose details were published in the White Pages listing without their consent.

“In each case, there was a failure by Optus to detect the incidents,” Pilgrim's analysis concluded, noting that the incidents were brought to Optus's attention by third parties.

“This resulted in Optus experiencing substantial delays in taking action to contain each incident, which also prolonged the duration of the risk to affected individuals.”

Noting Optus's cooperation with the OAIC investigation, Pilgrim determined that the best outcome was the negotiation of an enforceable undertaking. It requires Optus to complete a series of reviews and certifications; provide copies of those reviews and certifications to the OAIC; implement any recommendations and rectify deficiencies identified in them; and deliver third-party confirmation of the rectification to the OAIC.

The reviews must be conducted in accordance with ASAE 3100, the Auditing and Assurance Standards Board standard for compliance engagements. They will include audited work in areas such as penetration testing, which must be carried out on Optus's fixed and mobile services, on all major IT projects, and as part of Optus's annual monitoring program.

Optus must also facilitate a review of the IT architecture of its 20 most risk-exposed systems that store or handle personal information, undergo a review of its new voicemail system, and conduct formal incident reviews of the three security breaches.

The company has five months to complete a detailed project plan and must engage an auditor to certify its completion of the undertaking within 18 months of commencing the review. Vice president of corporate and regulatory affairs David Epstein will be charged with heading the compliance effort.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue