Optus and Medibank

Two substantial Australian data-breach disclosures have, over the past six weeks, produced a rapid Australian regulatory and legislative response that the customer-portfolio briefings need to absorb. Optus disclosed on the 22nd of September a breach affecting approximately 9.8 million customers — names, dates of birth, addresses, phone numbers, email addresses, and for some customers driver-licence numbers and passport numbers (Optus customer notification). Medibank disclosed on the 13th of October a breach affecting approximately 9.7 million customers, including substantial sensitive health-record data, with the operators (a Russian-based extortion cluster identified as REvil-affiliated) progressively publishing the exfiltrated data through the rest of October (Medibank customer notification and updates).

The Australian regulatory response. In the wake of the disclosures, the Australian government has introduced legislation to substantially increase the maximum penalties for serious or repeated privacy breaches under the Privacy Act 1988 — the new maximum is the greater of A$50 million, three times the value of any benefit obtained from the misuse, or 30% of adjusted turnover during the breach period (Privacy Legislation Amendment Bill 2022). In shape and timing, the legislative response is comparable to the post-2018 European GDPR enforcement environment, but arriving in a single jurisdictional move rather than over the multi-year period across which the EU's enforcement environment has developed.

The technical content. Optus's breach was, on the public reporting, a misconfigured API endpoint that exposed customer data to anyone able to enumerate the relevant customer-account identifiers. In technical-finding terms, the exposure was a routine application-security failure of a class that pen-testing engagements identify regularly. That an organisation of Optus's scale shipped the misconfiguration in production for an extended period says a great deal about the company's application-security programme. Medibank's breach was, on the public reporting, a credential-compromise pattern leading to substantial post-compromise data exfiltration; the technical specifics have not been fully disclosed publicly, but the incident-response posture has been substantive.
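As an added defender-side illustration (not code from the original post, and not from either company's systems), the following Python detector runs over constructed API access-log lines and flags the two conditions behind the Optus exposure class: successful customer-record reads with no authentication, and a single source reading a near-sequential run of customer identifiers. The log layout, the `/api/customer/<id>` path and the thresholds are assumptions; the enumeration heuristic applies to any numeric-ID endpoint, not only the sample paths.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (fictional): ip, status, path, auth flag.
SAMPLE_LOG = """\
203.0.113.7 200 /api/customer/1000041 auth=yes
203.0.113.7 200 /api/customer/1000041 auth=yes
198.51.100.9 200 /api/customer/2000001 auth=no
198.51.100.9 200 /api/customer/2000002 auth=no
198.51.100.9 200 /api/customer/2000003 auth=no
198.51.100.9 200 /api/customer/2000004 auth=no
198.51.100.9 200 /api/customer/2000005 auth=no
203.0.113.8 200 /api/customer/1000120 auth=yes
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) /api/customer/(\d+) auth=(yes|no)$")  # assumed layout

def parse(log_text):
    """Parse log lines into (ip, status, customer_id, authenticated) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, status, cid, auth = m.groups()
            events.append((ip, int(status), int(cid), auth == "yes"))
    return events

def find_unauthenticated_reads(events):
    """Every successful record read without a token is a finding by itself:
    a customer-data endpoint should never answer unauthenticated requests."""
    return sorted({(ip, cid) for ip, status, cid, authed in events
                   if status == 200 and not authed})

def find_enumeration(events, min_ids=4, max_gap=1):
    """Heuristic: flag sources that read at least `min_ids` distinct records
    whose sorted IDs are each within `max_gap` of the previous one, i.e. a
    walk through sequential identifiers. Returns {ip: distinct_id_count}."""
    ids_by_ip = defaultdict(set)
    for ip, status, cid, _ in events:
        if status == 200:
            ids_by_ip[ip].add(cid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if len(ids) >= min_ids and all(g <= max_gap for g in gaps):
            flagged[ip] = len(ids)
    return flagged
```

In a real pipeline the same two checks would run per time window and feed the gateway's rate-limiting and authorization-audit findings; the structural fix is to require authentication and bind the requested identifier to the authenticated principal.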

The disclosure handling. Optus's initial communications were, on the public commentary, less clear than the norms established since the Equifax and Uber cases would require. Medibank's communications have been more substantive, including a clear no-pay posture against the extortion demand and a transparent acknowledgement of the data-publication consequence. The customer-organisation briefings this week have included both cases as worked examples — Optus on the disclosure-handling and application-security side, Medibank on the no-pay-with-data-publication-consequence dimension that has continued to be a structural theme through 2022.

For the customer-portfolio strategic conversation, the Australian regulatory response is the part with the broader implications. The pattern of a legislative response driven by a major disclosure, which we saw with the post-WannaCry NCSC attention in the UK and the post-SolarWinds executive order in the US, has in 2022 also been visible in the Australian context. The customer-organisation conversations about the globalisation of the regulatory and legislative environment are now substantive — the various jurisdictions are converging on broadly comparable enforcement frameworks, cross-border consistency is increasing, and the customer-organisation programme work that addresses one jurisdiction's framework substantially addresses the others.

I will return to this. The Australian situation is the most operationally interesting non-EU regulatory development of the year.
