Breakdown of the Optus breach response

elevenM Principal Arjun Ramachandran takes a critical look at the communications response to a major data breach.

Crisis communications for a data breach are never easy. Things move fast, much is unclear, and it’s not always obvious how to apply well-established crisis communications principles to cyber security incidents. Commenting from the outside is always easier than having to make the calls from the middle of the maelstrom. 

Nevertheless, as comms people do, a few friends and I recently exchanged opinions about Optus’ public comms response to its recent cyber-attack, just as that response was unfolding. Below is a summary of some of my take-outs.

Overall, I reckon Optus put out a largely constructive response to what looks, at this stage, to be a serious data breach. The highlights? Responsive, empathetic, transparent, and largely free of speculation.  But let’s go into more detail below. 

First, what Optus didn’t do so well 

Victim-playing … kinda. The first quote from Optus CEO Kelly Bayer Rosmarin in the Optus statement (which was bound to get a run in all media coverage) read: “We are devastated to discover that we have been subject to a cyber-attack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it”

“Devastated to discover … we have been subject to” – with this language, Optus strays towards painting itself as the victim. In some sense it is, but for a public response the only victims Optus should be focused on are the customers it was meant to protect. Which brings us to …  

Stepping back, not forward? Optus’ use of a string of passive phrases (“Devastated to discover”, “we have been subject to”, “that has resulted in”) comes across as Optus trying to create distance between it and responsibility for the breach. This won’t sit well, especially for those impacted.

Optus is ultimately responsible for protecting its customers’ data, and for any breach. Imagine a bank saying: “Today we were devastated to discover that we were subjected to a robbery that resulted in customers’ jewellery and valuables being taken by people who shouldn’t have had it.” Most would think: “Whatever dude, you were meant to protect it”. (Update: Today show’s Karl Stefanovic response this morning sums up this sentiment). The only vibe to convey is one of accountability. 

The use of “devastated” also felt overly emotive. In subsequent media appearances Rosmarin replaced “devastated” with “deeply disappointed” and “deeply sorry”, which more precisely strikes the tone of regret and contrition needed. 

What Optus did well 

In the final washup, the above issues weren’t overly influential because Optus actually did a lot right. 

Responsive. According to SMH, Optus disclosed this incident publicly after finding out about it late the previous day. That’s relatively pretty quick, despite some commentary. Companies can sit on these things for days, weeks and even months as they evaluate what’s happened. 

They showed contrition. Optus made clear it was “deeply sorry”, “very sorry” and well, “devastated”, by what had happened. Expressing empathy, understanding and regret for the potential harm (not “inconvenience”!) to individuals of a data breach is merely the other side of the accountability coin. 

They didn’t speculate. In pursuit of transparency (a well-known crisis communications principle), companies dealing with a data breach often fall into the trap of speculating or guessing about the details. This is dangerous and potentially embarrassing, especially if those details later need to be corrected once investigations progress. While media reports variously described “millions” or 2.8 million customers being affected, Optus repeatedly held the line against confirming any number (going only with “a significant number”), on the basis it is still investigating.  (Note, the flipside risk of this approach are the media outlets reporting a breach affecting “up to 10 million customers”, on the basis that this is how many customers Optus has).

Transparency, the cyber way.  Optus also clearly understands that transparency around cyber breaches is not just about conveying breach details. Their statement describes in detail the actions it was taking once the incident was known, including containment actions, investigations having commenced, and the rationale around communications decisions. All of these details shed light on how the situation is being managed. 

A banner link at the top of their website to a dedicated page containing their latest statement on the incident and FAQs is also best-practice for cyber incidents. It gives customers a single place to go for the latest information.

They used lots of active language. Notwithstanding earlier criticisms about the passive sections in the CEO quote, large parts of the Optus statement were actually in active voice (see image below). There’s a well-worn cliché in security – “it’s not a matter of if, but when you suffer an attack”. When the attack comes, you need to be swinging into action fast to contain, understand and otherwise respond to what’s happened – which helps demonstrate you are taking accountability for what’s happened and what comes next. The active language conveys Optus doing that.  

They brought in the big guns. “Optus is working with the Australian Cyber Security Centre to mitigate any risks to customers. Optus has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.” 

As a major telco, no doubt Optus has well-resourced cyber security and privacy teams. It’s nevertheless helpful to emphasise that you’ve engaged the authorities for help and are working with regulators openly. 

And the small mercies … No trite mentions of how much it “takes security very seriously”. Yes Optus! 

What non-mask wearers teach us about security awareness

elevenM Principal Arjun Ramachandran explores why observance of coronavirus restrictions and advice varies across countries and societies, and the potential lessons for those in the game of persuading people to adopt good security behaviours.  


“Wear a mask”. “Practice social distancing”. “Isolate”.

Clear, consistent, universal.

But cast your eyes from country to country, even community to community, and you see incredible variance in how the advice sticks.

The management of COVID-19 in the community highlights a core challenge in how companies cultivate positive security and privacy behaviours among their people. Clear guidance and engaging messages alone don’t always get the job done.

As public health practitioners have learned through the pandemic, and as those of us engaged in security and privacy persuasion must recognise, we work in a broader context.

The fingerprints of culture are evident in how different societies are responding to coronavirus guidelines and restrictions. Values like individualism, community, mutual obligation, respect for the elderly and deference to authority – and the extent to which they dominate a culture – clearly influence how communities behave, and how they will respond to advice and guidance.

“Maybe we’ll change our culture so that it’s not expected or brave of you to go to work sick. Maybe we’ll start to protect each other the way Asian cultures do. It’s pretty normal in Asian societies to wear a mask when you’re sick when you go out in public and to stay home if you can. We are the exact opposite. We wear masks to protect ourselves and we feel free to show up at a meeting when we have a fever.”
VICE

Sure – when you’re trying to inculcate good security or privacy practices, repeatedly broadcasting actionable advice will get these messages onto the radar of employees. Heck, if you’re clever enough to make the advice funny or entertaining, it might even go viral! You’ll have smashed a bunch of internal engagement metrics and hit some awareness goals.

But as with “Wear a mask!”, lack of awareness isn’t always the barrier. People can know what to do and still act contrarily. Or, they might follow the rules, but only in circumstances where compliance is monitored or defined.

If we want go beyond compliance, and if we want behaviours to be both lasting and self-applied across contexts, then our goal must be for employees to internalise and identify with those desirable behaviours.

That’s why we encourage organisations embarking on security or privacy education activities to look at shaping culture as a vital complement (if not a precursor) to their education and awareness activities.

Culture is ultimately an expression of shared values and beliefs expressed through collective behaviours and practices.

Research tells us that values, more specifically an alignment of values, creates conditions for people to internalise behaviours.

Yet while organisations abound in discrete bits of security advice (“don’t click this, make sure you do that”), the values underpinning the desired security and privacy behaviours are often never defined or articulated with employees. It could be as simple as revisiting the company’s existing set of corporate values and expressing how security or privacy are integral to that value set.

For staff to identify with values and desired behaviours, they will also expect to see them being exhibited and advocated by those they admire or respect. This is where an organisation’s high-profile security champions can play a role, and where its most senior leaders have a responsibility.

For more on security culture, check out our recent work.

News round-up June 2020 — PM’s cyber strategy announcement, ransomware attacks and email scammers

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

 

The round-up

“Imagine if we could get the Prime Minister to yell ‘cyber’?”
Security leaders preparing to go cap-in-hand for FY21 budgets could only have dreamed of the platform their portfolios would get this month. In this month’s round-up we take a look at the PM’s announcement, and watch as ransomware and business email compromise jostle for the mantle of most damaging cyber threat.

Four principles for contact tracing technology

elevenM Principal Melanie Marks takes a closer look at proposals to use digital technology to support contact tracing, as governments seek better ways to manage the COVID-19 pandemic.


With reports that Australia may follow in Singapore’s footsteps to build a tracking and tracing app which allows governments and citizens to get ahead of the COVID-19 pandemic, we must ensure that innovation and laws are channeled towards the “right” intended outcomes.

The benefits of introducing greater data sharing at a time of crisis are obvious. However, there are also risks, so it’s critical we proceed in a considered way.

For me the key principles are:

  1. Do what you can to save lives.
  2. There shall be no scope creep.
  3. Permissions shall be wound back when the crisis passes.
  4. Post implementation review is essential (covering law and processes).

We need to build for the short term or at least for a series of stages, featuring “gates” where civil liberties are checked before continuing. And we need guarantees that new architectures being introduced will not be put to secondary purposes. For example, whilst we might consider it okay to trace the movements of a COVID-19 affected patient in order to prevent exposure to others (primary purpose), we should not accept that the tracing can be used to identify how far a person strays from home, in order to hit them with a fine (secondary purpose). This is especially so if we consider that channels of procedural fairness may be harder to access in the circumstances (Robodebt comes to mind).

I had a chance to discuss these ideas recently with Jeremy Kirk, together with Patrick Fair and Susan Bennett, in an article published in DataBreachToday. Click here to read more.

2019 end of year wrap

It’s the end of another year (and another decade).

Close out your final tasks, prepare for the inevitable summer feasting, and join us as we recap five cyber security and privacy themes that captured our attention in 2019.

  1. The fractured world of cyber affairs – is cooperation fraying just as things heat up?
  2. The scourge that won’t go away – clearing bins, paving footpaths and paying ransoms: a checklist for city councils in 2019
  3. Play with your toys – on privacy regulators who are unafraid to fine
  4. An inconvenient comparison – the emerging parallels between climate change and digital issues
  5. And then a hero comes along – we pose a question: ‘who will be our Greta?’


The fractured world of cyber affairs

Let’s start on the world stage.

Did it feel like cyber security and privacy was overshadowed in 2019, without a global-scale, highly disruptive cyber-attack to catch our attention? After all, this is decade that gave us Stuxnet, the Sony Pictures breach, Cambridge Analytica and WannaCry.

In 2019, more column inches seemingly went to non-digital matters – ongoing civil dissent in Hong Kong, trade wars, and the US going perilously close to military action against Iran.

But peer a little closer and it was far from quiet on the cyber front.

In June, Israel responded to Hamas cyber-attackers with a physical strike. Hackers also caused disruption at a US power grid. Neither incident was of the scale of a “Cyber Pearl Harbour” – the kind we’re told repeatedly to fear, even here in Australia. But both were firsts of a kind –  physical retaliation to digital aggression and the first cyber disruption of the US power grid.

Then there was the cyber-attack on Australia’s Parliament, reportedly by China. Coming just months before Australia’s May Federal election, the hack raised the spectre of election interference akin to the 2016 (and 2020) US elections.

It all leaves us pondering the state of diplomacy in cyberspace in 2019. Co-operation and leadership on the global stage have arguably weakened, not just in cyber affairs but in matters of defence generally (see the prognosis on NATO).

Traditionally strong leadership from the US on cyber affairs has been under the spotlight. Key roles like that of White House cyber coordinator have been eliminated (by President Trump’s national security adviser John Bolton, who himself was eliminated as adviser by Trump halfway through 2019).

The result appears to be a strengthening of the hand of China, North Korea and Russia in discussions about how the internet will be governed. A few months ago the United Nations adopted a cybercrime resolution against the wishes of the US and civil liberty advocates.

The Australian Government’s contribution to this dialogue also came under fire from policy analysts this year. The critics decry that the future national cyber security strategy appears to have dropped its commitment to a free and open internet.

 


The scourge that won’t go away

Stepping down from the rarefied atmosphere of global affairs and nation states, let’s turn our attention to cities and towns. “All politics is local” goes the saying in the US, and in 2019 a sizeable number of cyber-attacks were too.

Baltimore, Pensacola, Atlanta and, most recently, New Orleans are just a few of the dozens of US cities and counties brought down by ransomware attacks in 2019. The attacks caused widespread disruption – halting property transactions, crippling the court system, preventing the payment of bills and costing millions of ratepayer fund in recovery costs.

The vulnerability of these US cities to ransomware is attributed to their reliance on ageing, legacy infrastructure that isn’t patched.

The spate of ransomware incidents also elevated the discussion about the merits of paying ransoms. Official advice (and some polling) comes out strongly against forking out. But hell hath no fury like a rate-payer scorned – and the pressures of explaining disrupted services to angry residents proved too onerous for many officials, with more than one city opting to pay the ransom.

Sadly, more ransomware infections and even higher ransoms are likely on the cards again in 2020. Solutions exist – both technical and human – but it appears they are not always so easily implemented.

 


Play with your toys

An inflatable pink flamingo for the pool, a USB-powered toothbrush or wifi-enabled socks – what odd trinkets and strange gadgets lie under your tree, waiting to be unwrapped on Christmas morning?

Data protection authorities got some big toys last year, like the General Data Protection Regulation (GDPR) and Notifiable Data Breaches scheme. By mid-2019 they were giving those toys a solid work out, especially the shiny new fining capabilities. The UK’s Information Commissioner’s Office (ICO) used GDPR to whack British Airways over the head with a sizeable £183 million fine for its 2018 breach. It then shot a £99m Nerf dart at Marriott for its breach in the same year.

Across the Atlantic, the Americans weren’t about to miss out on the fun. The US Federal Trade Commission warmed up by slapping a US$575 million settlement payment on Equifax for its 2017 breach. Then they fined Facebook US$5 billion (self-described as a “record-breaking” penalty) for a series of privacy violations, including the Cambridge Analytica scandal.

Closer to home, the Australian Government has just given privacy advocates an early Christmas gift by affirming its commitment to increase penalties under the Privacy Act.

 


An inconvenient comparison?

The year 2019 saw the convergence of major issues. When thousands of school children marched in support of action on climate change in September, our principal Melanie Marks noticed the links to our collective digital challenges:

I pondered why the climate rally had delivered so many to the streets now, when we have known about climate change for years?

Privacy harm is more nebulous. The potential policy issues are hard to solve for and engaging the public even more difficult.

– Melanie Marks, elevenM

Consensus, coalitions, cooperation, a need to address externalities … the ingredients for progress on climate change appear to overlap with our challenges in privacy and cyber security.

There was progress this year in establishing a standard for climate-change related financial risk disclosures. It’s a project driven by the Financial Stability Board, a G20 body that is also driving a coordinated approach to managing cyber security in the global financial system.

The premise is to make more transparent the financial risks posed by climate change. A local investor group puts it this way: “When you have the data around assets, countries and companies, you change the way you allocate capital, it changes the way you assess risks, and it ultimately changes the economy.”

The same moves towards more data and more transparency were clearly apparent this year in efforts to protect the Australian economy against digital risks. The Australian Prudential Regulation Authority’s new information security prudential standard CPS 234, which took effect in July, is a clear example of this.

“We’ll be increasingly challenging entities in this area by utilising data driven insights to prioritise and tailor our supervisory activities. In the longer term, we’ll use this information to inform baseline metrics against which APRA regulated institutions will be benchmarked and held to account for maintaining their cyber defences.”

– Geoff Summerhayes, APRA executive board member

We see the same trend playing out with businesses we work with. At executive level there’s a strong desire for better quantification of digital risks and of how they’re being managed. Non-executive directors want to see privacy and cyber security measured and articulated like other risks in their enterprise risk frameworks.

Measuring the value and return of security investments also poses a challenge. There’s been a boom in security tools and products, but we’re now hearing more from Chief Information Security Officers who want to measure and extract value from that tooling –  a problem our Senior Project Manager Mike Wood delved into earlier this year.

 


And then a hero comes along

Greta Thunberg is 2019’s person of the year. “Meaningful change rarely happens without the galvanizing force of influential individuals”, said TIME magazine’s editor-in-chief in awarding the honour.

Maybe what we’re lacking is a figurehead for privacy, someone to catalyse global opinion and press for changes in how companies handle our personal information.

Audaciously, Mark Zuckerberg looked like he was trying to claim this mantle in April, when he stood under bright lights and a large banner proclaiming “The future is private”.

Social media might have atrophied attention spans, but not so much that we’d forgotten Cambridge Analytica, or missed Facebook’s other repeated privacy scandals this year. Most people clicked ‘thumbs down’ at Zuck’s proclamation and moved on with their day.

But our champion might have emerged, just less recognisable. Lacking the chutzpah of Miss Thunberg, but still much like an earnest school kid, Rod Sims raised his hand again and again in 2019 to be privacy’s biggest stalwart.

The ACCC chairman faced off against Google and Facebook repeatedly this year, arguing that they haven’t been playing nicely. In its Digital Platforms Inquiry, the ACCC and Sims laid bare how privacy is being fundamentally undermined in the digital age.

“It’s completely not working anymore. You are not informed about what’s going on and even if you were, you’ve got no choice because your choice is getting off Google or Facebook and not many people want to do that.

“We need to modernise our privacy laws, we need proper consent…we need new definitions of what is personal data, we need an ability to erase data and we need to require the digital platforms to just tell us very clearly what data is being collected and what’s being done with it.”

– Rod Sims, ACCC Chairman

This merging of privacy and consumer issues may well be the development of 2019.

Using Australia’s highly-regarded consumer law framework to prosecute the case for privacy would add the considerable muscle of the ACCC to the efforts of the Office of the Australian Information Commissioner in standing up for the privacy rights of Australian citizens.

Happily, in its response to the inquiry, the Government last week committed to many of the ACCC’s recommendations.

These steps forward on the enforcement of privacy are welcome. It’s still useful and crucial to remind ourselves why privacy matters to begin with. On Human Rights Day this year, elevenM Senior Consultant Jordan Wilson-Otto argued that we must go beyond advocating for privacy because of its utility as competitive differentiation or as a driver of innovation. Privacy is fundamentally about guaranteeing dignity and respect and preserving that which is important to us as humans.

 

Signing off

And that’s a fitting note on which to end our thoughts for the year.

Throughout 2019, we’ve been privileged to work with terrific people from a diverse set of clients. These are people who are highly talented, well respected in their industries, and passionate about protecting their customers and staff from digital risks.

We’re grateful for the opportunities we’ve had to be part of your journeys, and look forward to continuing our conversation and collaborations in 2020.

Have a safe and joyous festive season.

The team at elevenM.

 

Solving ransomware

We’re back in Baltimore. Unfortunately not to relive Arjun’s favourite pithy one-liners from The Wire, but to talk about something from the non-fiction genre: Ransomware.

In just a few years, ransomware has gone from nothing to a multi-billion dollar industry. And it continues to grow. It’s little wonder that law enforcement are quietly holding crises summits to ask for help.

In May of this year, the City of Baltimore was hit with a ransomware attack. The ransomware used was called RobbinHood and it encrypted an estimated 10,000 networked computers. Email systems and payment platforms were taken offline. Baltimore’s property market also took a hit as people were unable to complete real estate sales.

One click away

Like most public sector technology environments, there appears to have been a mix of old and new systems on the City of Baltimore networks. Precisely because they are old, aging systems are typically unable to be “patched” or updated for known security threats, making them vulnerable.

But getting funding to replace or update computing systems is difficult, especially when you are competing with critical services like police, fire and hospitals.

Given the hard reality that many large networks will have a high volume of outdated, and therefore vulnerable, systems that are only one mouse click away from becoming infected, should we not focus more on preventing malware from propagating?

Trust

Most global corporate networks operate using a trust principal. If you are part of the same domain or group of companies you are trusted to connect to each other’s network. This has obvious benefits, but it also brings a number of risks when we consider threats like ransomware.

Strategies

There are many strategies to mitigate the risk of a ransomware outbreak. Back up your files, patch your computers and avoid opening suspicious links or attachments are commonly advised. At elevenM, we recommend these strategies, however we also work closely with our clients on an often overlooked piece of the puzzle, Active Directory. The theory being: if your network cannot be used to spread malware, your exposure to ransomware is significantly reduced.

Monitoring Active Directory for threats

To understand this in more detail, let’s go back to Baltimore. According to reports, the Baltimore attack came through a breach of the City’s Domain Controller, a key piece of the Active Directory infrastructure. This was then used to deliver ransomware to 10,000 machines. What if Balitmore’s Active Directory had been integrated with security tools that allowed it to monitor, detect, and contain ransomware instead of being used to propagate it?

Working with our clients’ and Active Director specific tools we have been able to separate and monitor Active Directory based threat indicators including:

  • Lateral movement restriction
  • Obsolete systems
  • Brute force detection
  • Anonymous users behaviour

All the pieces of the puzzle

In mitigating cyber threats, defence teams today have access to many tools and strategies. Often, there emerges a promised silver bullet to a particular threat. But the truth is that most threats will require a layered defence, involving multiple controls and core knowledge of common IT infrastructure (like Active Directory). Or to put it again in the language of the streets of Baltimore: “All the pieces matter“.

Want to hear more? Drop us a line at hello@elevenM.com