Optus hack exposes metadata fault lines and privacy concerns

Last Thursday afternoon, on a public holiday called to mourn the passing of Queen Elizabeth II, I got a heads-up from technology editor Nicholas Bonyhady about a breaking news story involving Optus being hacked.

Typically, we have two news conferences a day, in the morning and afternoon, to discuss the major stories of the day. But when a significant news event occurs, reporters or topic editors will send a direct message, give me a call or wander up to my desk if they are in the office.

It was pretty obvious given the number of people involved that this was going to be a big story. If we have a live blog, we typically put breaking news there first, as it’s the fastest way to get information out to you. Our digital editors will either send an alert to the blog or read the draft of a separate standalone story as it is being written and start thinking about sending out alerts to let subscribers know what is happening. We also quickly let our print editor know of big stories so they can reorganise pages for next day’s paper to make room.

At 2.36pm on Thursday, we published an article with the headline “One of the most serious cyberattacks”: Customer data exposed in Optus hack.

The Optus story developed quickly over the next couple of days. On Saturday, I got a call from Sun-Herald editor Melissa Stevens. Bonyhady had uncovered information on a hacking forum where someone was claiming to have put the stolen data up for sale, giving Optus one week to pay a ransom or the information would be offered to other criminals. Our first question in this situation is how reputable does the information appear to be? In this case, we took a number of steps to verify the claims, calling some of the unfortunate people whose data had been released. That let us know this was genuine data, but still left unanswered the question of whether this was the real hacker, or somebody who may have accessed previously leaked information and wanted publicity. Of course, we approached Optus for a comment. Once we found out the matter was under formal investigation by police, we were confident we could publish a story, and the following went live: Optus $US1 million ransom threat investigated.

There is a fine line between what we should, and shouldn’t, publish that usually involves discussion between reporters, a number of senior editors and our legal team. In this case, because so many Australians’ data is at risk, we felt obliged to let everybody know what was happening, but we didn’t want to unnecessarily raise alarm or publicise what could be a hoax. These are hard calls and are not made lightly.

During the week, the hacking story has continued to develop, morphing from a technology story to a political issue, with news the federal government will overhaul the nation’s cybersecurity and privacy laws as the Optus hack exposed how metadata laws allow telecommunications firms to bank huge amounts of customers’ personal data.

Optus clearly has questions to answer here, about how it stores data and how secure its systems were, although its embattled CEO Kelly Bayer Rosmarin and federal Cybersecurity Minister Clare O’Neil are presenting very different views on just how sophisticated the attack was. But the broader issue of our metadata and how it is used has been revealed and has become an increasing focus of this coverage. This crisis has a long way to run yet.