Optus - where events moved faster than words?
Just shy of 10 million Australians are grappling with what is at risk following a major data hack of personal information from the nation’s second-largest telecommunications outfit, the Singtel-owned Optus.
The company’s brand positioning is constructed around the word ‘yes’, but in the face of this crisis, it’s been struggling to land on a position between its default of ‘yes’ and other responses of ‘no’, ‘don’t know’ and ‘maybe’.
Trust in the company has been shattered. The scale of the data breach - impacting about 40% of Australia’s population - has meant ministerial-level intervention by the Australian Government and its cybersecurity and law enforcement authorities.
For more than one quarter of affected customers, the data in the hands of hackers and whomever else they choose to share it with includes identity information issued by national and state government authorities, including passport, driver licence and Medicare numbers and information. For nearly three million customers, the scope for identity theft, financial loss and mental stress is immense.
Exacerbating the brand damage to Optus, which, by the way, will be deep and sustained for quite some time, has been abysmal communications: a process that has failed all basic measures. Even five days into the crisis, Optus CEO Kelly Bayer Rosmarin was fighting a war of words with federal Cybersecurity Minister Clare O’Neil over how sophisticated the hack was. With industry cybersecurity experts broadly siding with the minister, it was a hiding to nothing for Optus.
Everything suggested Optus’ instinctive reaction was to put quantifying and limiting its legal and financial liability ahead of supporting its customers. That will be a fruitless mission, with class actions inevitable. This is additional to the accumulating rectification costs the company faces as federal and state governments invoice it for reissuing driver licences, passports and Medicare cards.
The only beneficiaries of the public opprobrium being directed at Optus are Australia’s recently under-siege national airline, Qantas, and its CEO, Alan Joyce, who will be glad to no longer be topping mainstream media news and Twitter trends. Relaxation will not be on Qantas’ agenda, however. As the operator of the nation’s largest and most successful customer loyalty scheme databases, it will be closely monitoring the process and ramifications of the Optus crisis.
There will be massive post-mortems conducted on Optus’ crisis management and the data hack. Many have already suggested it will be the pin-up example of how not to manage a crisis in the next rollout of Crisis Management 101 in business courses.
One of the biggest criticisms of the company has been that customers first learned of the data theft through the media. Even Australia’s Privacy Commissioner had not been informed of the breach before reading it in the press.
The company has already defended its approach, arguing that sending text messages to ten million customers would likely be misconstrued by many as a scam message that they’d choose to ignore. On that basis, it would appear that customers are more awake to the potential for being hacked than their provider.
For a leading telecommunications operator to determine that the channels at the core of its operations would be less effective in managing the crisis is an intriguing argument.
Why couldn’t the text message inform customers that they could validate it by visiting the Optus website - not via a link, but by typing the address into their web browser? You could bet that most would be quick to go to the website by that safe route to validate the message, given the personal risk to which they were exposed.
Corporations holding sensitive personal information have long been aware of the regulations and risks associated with malevolent hacks. Executive and corporate teams should be undertaking hours of scenario planning for precisely this. What were the conversations around communicating to the entire customer base and to regulators and other stakeholders?
Did Optus crisis planners recognise the inevitability of intervention at the highest levels of government, and by its regulatory and law enforcement arms, should government-issued identity documents disappear into the ether?
The amazing aspect of this is that the company itself seems to be a victim of a continuously unfolding story, with a lack of clarity from the start on exactly what data was accessed. A response to data theft on this scale has to assume the worst - that everything associated with every customer has been lifted. There’s time to fine-tune segmentation later, even conceding that the nuclear approach may cause undue concern to some customers.
The perception from a communications perspective is that Optus was always playing catch-up with the event - each new phase turning out a new surprise. We may never know whether this is simply due to a failure of internal communications and poor briefing to the executive and the communications team, or a reflection of the reality.
The impression is that they have lost control of the crisis and the answer is not picking fights with government ministers or arguing the finer points of the technical sophistication of the hack.
The only certain thing out of the crisis is that a vast proportion of Optus customers will have completely lost confidence and will not be saying ‘yes’ to renewing contracts any time soon.
There will be little joy for the wider business sector, and particularly for the telecommunications sector, which successfully argued for a carve-out from more stringent privacy protection and cybersecurity regulations on the grounds that it was already so good at it.
Legislation, regulations and associated penalties in these areas are set to become more rigorous, prescriptive and onerous by multiple factors in the months ahead. The extent and depth of data collected and the period for which it is retained will be questioned and most likely more restricted.
Good luck to those who have enjoyed data mining’s heyday. It’s just passed.