ARN

Deloitte drafted in for Optus attack review

Will review Optus’ security systems, controls and processes.
Kelly Bayer Rosmarin (Optus)

Optus has called on global systems integrator Deloitte to conduct an independent security review following its recent data breach. 

Deloitte will now carry out an external review of the recent cyber attack and Optus’ security systems, controls and processes. 

The review was recommended by Optus CEO Kelly Bayer Rosmarin and was supported by the board of Singtel, Optus’ Singapore-based owners. 

Optus claimed that Deloitte’s global specialists will work with its own teams and other international cyber experts to uncover the hack, which has seen more than 9 million customers’ details exposed.

The incident is now the subject of a criminal investigation, and Optus may face a class action instigated by law firm Slater and Gordon.

“We’re deeply sorry that this has happened, and we recognise the significant concern it has caused many people,” Bayer Rosmarin said. “While our overwhelming focus remains on protecting our customers and minimising the harm that might come from the theft of their information, we are determined to find out what went wrong. 

“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyber attack exists.”

Over the long weekend, Bayer Rosmarin also revealed that more than 2 million customers had their personal identification documents compromised following the hack. 

In a video posted to Optus’ website, Bayer Rosmarin said roughly 1.2 million customers have had at least one number from an existing form of identification and personal information compromised. 

A further 900,000 customers also had numbers relating to expired IDs compromised, as well as personal information. 

Meanwhile, the remaining 7.7 million customers had information such as email addresses, dates of birth and phone numbers exposed, but not compromised.