Apr 4, 2023

Requirements Management Failures

By: Jörg Lindner, Simone Bernardi, Celeris AB

An Example from the Australian Telecom Industry

What happened to telecommunications company Optus in September 2022?

Optus is the second-largest telecommunications company in Australia and a wholly owned subsidiary of Singaporean company Singtel. The company provides a range of communications services including mobile, telephony, business network services, internet and satellite services, and subscription television. On September 24, 2022, Optus announced that it had experienced a cyberattack on September 22, 2022, which may have resulted in unauthorized access to current and former customers’ information.

What damage had been done and how has this been handled?

Optus has since advised the Australian Passport Office (APO) that over 100,000 Australian passport numbers were compromised through the recent data breach. The leaked information includes dates of birth, names, phone numbers and, in some cases, addresses and drivers’ license numbers. Nearly a week after the attack, on Saturday, an internet user claiming to have the data asked for a ransom of $US1 million ($1.5 million). The user claimed to be selling the data, which includes email addresses, dates of birth, first and last names, phone numbers, drivers’ license and passport numbers. The Australian government has since provided information about the risk posed by exposed personal documents, and about whether and how to replace documents such as driver licenses or passports.

Can we blame Optus for not complying with Privacy Requirements?

Right after the announcement by Optus, there were claims that, contrary to current requirements, Optus had collected too much information and held it for too long (beyond just verifying a new client’s ID). Optus says it is required to keep identity data for six years under the current rules. The Office of the Australian Information Commissioner (OAIC) is continuing to seek information from Optus to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme. Under the NDB scheme, organizations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved. So, management at Optus did the right thing: despite potentially facing a huge PR disaster, it notified the OAIC and went public instantly.

Will all Australian companies comply with these requirements?

We do not know if there are many other cases of a similar scale that have been downplayed to protect a company’s brand reputation. Hiding such incidents comes with heavy fines, so this should keep companies motivated to play honest and always go public! In late March, after a recent cyber-attack, Latitude Financial was responding to a theft of personal information that impacts customers, past customers and applicants across Australia and New Zealand. The data includes up to 7.9 million drivers’ license numbers and 53,000 passport numbers. The attack is the largest known data breach of a financial institution in Australia. Latitude has also just announced that it will not pay any ransom (amount unknown). If you think that a data breach could only happen in the private sector, you might be misled. In a recent event on 20 March, the NSW government department ‘Service NSW’ caused a data breach that exposed thousands of ID details for 90 minutes after a website update.

What are the learnings? Can this be prevented in the future?

Completely avoiding future data breaches is wishful thinking, but still something we should aim for! What we can do, on the other hand, is reduce the consequences by having less data exposed through cyber-attacks or data leaks. It is certainly worth reviewing current rules and questioning companies’ (and authorities’) appetite for data collection. In response to the Optus breach and other recent incidents in Australia, it has been reported that the Federal Government may toughen privacy laws. In particular, the Government has indicated it may introduce significant reforms to increase penalties for data breaches under the Privacy Act and allow service providers to notify banks of a data breach more easily.

What can a company do to prepare?

Company ethics and commitment to compliance with current and future legislative requirements are essential. To stay on top of this ‘game’ takes more than just good will. Implementing and auditing those requirements across all company operations can sometimes look overwhelming.

Source: Requirements Management Failures - An Example from the Australian Telecom Industry | LinkedIn
