Optus data breach a ‘wake-up call’ for Australian universities

A high-profile Australian data hack has left the country’s universities in an “absolute conundrum” as they balance the risk of holding on to people’s personal information against the consequences of discarding it prematurely.

A Brisbane forum has heard that last month’s data breach at telecommunications company Optus, when cybercriminals obtained the names, dates of birth, phone numbers and email addresses of an estimated 10 million Australians – and driver’s licence, Medicare and passport numbers of hundreds of thousands – has left universities in an invidious position.

“One of the ways we combat [fraud] is to require institutions to collect more and more identifying data on individuals to prove they are who they are,” Queensland University of Technology chancellor Ann Sherry told the National Conference on University Governance. But the Optus breach had demonstrated hackers’ ability to penetrate “very sophisticated systems”.

Universities had “a very rich treasure trove of data that we hold for a whole lot of reasons, that are often legally required”, Ms Sherry said. This raised questions about how to balance the “management of risks of fraud and the management of risks that come with cybersecurity breaches”.

Commercial lawyer and data governance expert Patrick Fair said organisations subjected to data breaches faced “huge costs” in analysing the lost information and notifying the people affected. “It’s just not worth…taking money from something else to do that, particularly the more you’re facing the risk of a data breach,” he told the conference.

He said privacy compliance audits routinely found that organisations had failed to destroy data they “no longer needed” – often because of a “misapprehension” that they needed to “keep everything” to avoid being sued.

“The Privacy Act says you shouldn’t keep anything for longer than the purpose for which you’ve collected it,” said Mr Fair, an adjunct professor with Deakin University. But that period could depend on the circumstances.

“If you build a dam, you might want the contracts for that dam to be there for some time in case the crack emerges after 30 years,” he said. Institutions also needed to weigh the risk of being pinged for “destruction of evidence” if they discarded data subsequently required for a lawsuit.

“It’s an absolute conundrum,” Mr Fair acknowledged. “I’m not sure how we can develop a methodology…where we anticipate in advance how long we’re going to keep information, and we tag it for destruction when it’s filed, so that that can be done quickly and effectively in compliance with the Privacy Act.”

Former home affairs minister Karen Andrews said the Optus breach had been a “serious wake-up call” for many enterprises, including research organisations. “The risk now for Optus, apart from the enormous reputational damage…is that it may well be that Optus has kept data that it didn’t need to keep.

“We won’t know that conclusively, probably, for some time now. But data has been kept. At least 10,000 identities are now being sold…on the dark web.”

She told the conference that the lone positive from the breach was that it had heightened people’s awareness. “Once that data is stolen, you will be quickly subject to most likely a ransomware attack. Globally, there’s a ransomware attack every 11 seconds. Ransomware attacks are the break and enters of the current century.”

john.ross@timeshighereducation.com