Was the Optus data encrypted?
"The critical question that must be answered by Optus - Was the data encrypted? If not, why not?
If this is strongly encrypted sensitive data, as it should be, then Optus customers do not need to be alarmed. They likely have years to change their passports and other identity documents before the attackers can read and use what they’ve stolen. If it isn't, customers need to get onto that process today. That's quite a difference!
Further statements from Optus that this was a very “sophisticated” attack are unsatisfactory. Very sophisticated and increasingly malicious attacks are common. That's why 'data protection' is essential today - and that's encryption. It is the last line of defence. Whether the stolen data is encrypted or not should be in the first communication about a successful breach. It is concerning that this vital bit of information is missing so far.
Many have questioned whether the prevention systems like those used by Optus are sufficient, or if the company under-invested in its cybersecurity and this is the inevitable result. This is unlikely. No cyber-attack prevention system is bulletproof.
The focus should instead be on regulation - we need comprehensive federal cybersecurity legislation that punishes companies and government agencies that fail to encrypt sensitive data. Not every company can afford the type of prevention systems Optus has, but the lesson must not be that they shouldn't try or have a last line of defence in place should a breach occur."