Optus Drops the Ball with CEO Kelly’s Speech

Optus CEO makes first public appearance since last year’s data breach

In March, Optus CEO Kelly Bayer Rosmarin made her first public appearance since last year’s data breach. Recall that Optus lost roughly 10 million customers’ information to hackers in September of last year, drawing criticism from the government and other organizations over how the telco handled the matter.

Many believe that Optus dragged its feet after the fact. In some cases, Optus took several weeks to alert customers about their lost data. Many also believe Optus didn’t do enough to prevent the hack in the first place. In fact, Optus now faces a class action suit over the data breach lodged by 100,000 affected customers.

But with cybersecurity threats becoming the norm in today’s technology world, others like Telstra have empathized with Optus. And now, Optus CEO Kelly Bayer Rosmarin has offered her take on the matter, but her excuses seem to have rubbed some Australians the wrong way. 

Recap – Optus’ data breach

On 22 September 2022, Optus experienced a significant data breach affecting roughly 10 million current and former customers. Sensitive data such as passport and driver’s licence details were lost to hackers. After the breach, records belonging to about 10,000 customers were published online for everyone to see, but were later taken down.

We cited three reasons for the Optus hack in a previous article:

  • Optus exposed a customer-data API to the internet without requiring authentication, so anyone who found the endpoint could query it.
  • That open API returned sensitive personal data, such as names, dates of birth, addresses, and identity-document numbers.
  • Optus used incrementing customer identifiers. When a customer signed up, their record was keyed by a number, and rather than using randomized values, Optus assigned those numbers in sequence: if you were customer number 1234, the next customer to sign up was 1235. With no authentication in front of the API, an attacker only had to loop through consecutive numbers to pull every record.

These three factors made the data breach far easier than it should have been, leading to criticism from the government and other organizations. The extent of the breach was significant, with the lost data going well beyond names, dates of birth, and email addresses. Customers also lost driver’s licence numbers, passport details, Medicare card numbers, and more.
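As an added illustration, and not Optus’s code or anything published about its systems, the following Python models the two design flaws listed above, an unauthenticated lookup endpoint keyed by sequential integers, next to a hardened variant that uses unguessable identifiers, a bearer token, and an object-level check that the token belongs to the record requested. Everything in it is constructed: the customer records, the class and function names, and the request/response shapes stand in for an HTTP service so the example runs offline.

```python
"""Sequential IDs + no authentication = trivial enumeration (added example).

Models the two flaws named in the article and a hardened alternative.
All data, names and API shapes here are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records; no real customer data.
SAMPLE_CUSTOMERS = [
    {"name": "Alice Sample", "dob": "1980-02-14", "licence": "DL-0001"},
    {"name": "Bob Sample", "dob": "1975-07-30", "licence": "DL-0002"},
    {"name": "Cara Sample", "dob": "1992-11-09", "licence": "DL-0003"},
    {"name": "Dev Sample", "dob": "1988-05-21", "licence": "DL-0004"},
]


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


class VulnerableApi:
    """Both flaws: no authentication, and IDs assigned 1, 2, 3, ...
    so the entire key space is a short loop."""

    def __init__(self, customers: List[dict]):
        self.records = {str(i + 1): c for i, c in enumerate(customers)}

    def handle(self, req: Request) -> Response:
        cid = req.path.rsplit("/", 1)[-1]
        rec = self.records.get(cid)
        return Response(200, rec) if rec else Response(404)


class HardenedApi:
    """128-bit random IDs, a per-customer bearer token, and a check that
    the presented token may read the specific record requested."""

    def __init__(self, customers: List[dict]):
        self.records: Dict[str, dict] = {}
        self.tokens: Dict[str, str] = {}  # token -> the one cid it may read
        for c in customers:
            cid = secrets.token_urlsafe(16)  # not enumerable by counting
            self.records[cid] = c
            self.tokens[secrets.token_urlsafe(32)] = cid

    def handle(self, req: Request) -> Response:
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return Response(401)
        presented = auth[len("Bearer "):].encode()
        owner = None
        for tok, cid in self.tokens.items():  # constant-time compare per token
            if hmac.compare_digest(tok.encode(), presented):
                owner = cid
        if owner is None:
            return Response(401)
        cid = req.path.rsplit("/", 1)[-1]
        if cid != owner:
            return Response(403)  # valid token, someone else's record
        return Response(200, self.records[cid])


def enumerate_sequential(api, max_id: int = 1000, headers=None) -> List[dict]:
    """Attacker loop: walk integer IDs upward and keep every 200.
    Gives up after a run of misses so it also terminates on a sparse space."""
    found, misses = [], 0
    for i in range(1, max_id + 1):
        resp = api.handle(Request(f"/customers/{i}", headers or {}))
        if resp.status == 200:
            found.append(resp.body)
            misses = 0
        else:
            misses += 1
            if misses >= 20:
                break
    return found


def demo() -> dict:
    """Run the enumeration against both services and report what leaks."""
    vuln = VulnerableApi(SAMPLE_CUSTOMERS)
    hard = HardenedApi(SAMPLE_CUSTOMERS)
    token, own_cid = next(iter(hard.tokens.items()))
    other_cid = next(c for c in hard.records if c != own_cid)
    bearer = {"Authorization": f"Bearer {token}"}
    return {
        "vulnerable_dumped": len(enumerate_sequential(vuln)),
        "hardened_dumped_no_token": len(enumerate_sequential(hard)),
        "hardened_dumped_with_token": len(enumerate_sequential(hard, headers=bearer)),
        "own_record": hard.handle(Request(f"/customers/{own_cid}", bearer)).status,
        "other_record": hard.handle(Request(f"/customers/{other_cid}", bearer)).status,
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable service the loop dumps every record in a handful of requests; against the hardened one it returns nothing, with or without a stolen token, because the identifiers cannot be counted through and a token that is valid for one customer is refused for any other. Random identifiers alone are not the fix (a leaked ID would still be readable by anyone); the authentication and the per-record authorization check are what close the hole.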

Following the attack, Optus released a statement the same day, informing the public of the cyberattack and the possible loss of customer data. However, many felt this was not enough, because Optus took considerably longer – several weeks in some cases – to contact affected customers individually.

Optus commends itself for handling the data breach; blames the media

After several months of silence, Optus CEO Kelly Bayer Rosmarin finally appeared in public at the Australian Financial Review’s Business Summit in March. While many expected some remorse and empathy over the hack, CEO Kelly seemed defiant and combative.

According to CEO Kelly, none of the customers whose data was lost has experienced any misuse of their information. In other words, although the hack exposed customer data, she claims that no customer has yet been harmed by it. In her words, “Not a single customer has suffered any financial loss or fallen victim to a crime through misuse of the data.”

CEO Kelly also claims that Optus “did more than any other company in a cyberattack before had ever done, and [they] did it much quicker.” To defend this statement, CEO Kelly pointed out that Optus dispatched 16 million customer communications using 110 custom-made messages to different groups of customers.

While patting herself on the back, Optus CEO Kelly Bayer Rosmarin chastised the media. The CEO insists that the data breach holds lessons for others beyond Optus itself, and she specifically called out the media as one of the stakeholders that should learn from the incident.

Specifically, CEO Kelly Bayer Rosmarin stated, “For me, it made it very clear that the media wasn’t always focused on what they should have been, which was accurate, good reporting, that actually was helping the public make sense of and respond appropriately to this incident. The fact that some of them were focused on where I happened to be on a particular day or the name of my dog – that’s really not newsworthy”.

As expected, CEO Kelly’s take on the matter has not been received as remorseful. For instance, EFTM writer Trevor Long, who was quite vocal following the breach, has described Ms. Rosmarin’s statements as arrogant. His take isn’t far-fetched: throughout the lengthy discussion, the Optus CEO failed to articulate what the telco has learned from the massive data breach or how it plans to prevent a repeat.

To be fair, though, other stakeholders have come to Optus’ aid. During the summit, Telstra’s Narelle Devine suggested that the criticism against Optus was unfair, supporting Ms. Rosmarin’s protestations. According to Devine, data breaches can happen to any organization. Ms. Devine stated, “Attackers have to be right once, and the [cyber] teams have to be right all the time. This could happen to anybody.”

100,000 customers sue Optus over data breach

While Optus commends itself for the way it handled the data breach, its customers are not in the mood for smiles and applause. Recall we published an article discussing how 100,000 customers filed a class action lawsuit against Optus in April for failing to protect their data.

The plaintiffs include current and former Optus customers seeking damages over the data breach. The suit alleges that Optus had a duty of care to protect customers from harm and failed to discharge it. The lawsuit also alleges that Optus breached both telecommunications and consumer law.

Despite Optus CEO Kelly Bayer Rosmarin’s claims that “not a single customer has suffered any financial loss or fallen victim to a crime through misuse of this data,” many customers have suffered inconveniences that could amount to something actionable.

Ben Hardick of Slater and Gordon, the law firm representing 100,000 customers in the class action suit, stated that publishing the personal information resulting from the data breach caused “great anxiety” for customers. Mr. Hardick pointed out that those working in “frontline occupations,” like police officers, now risk being exposed.

Finally, just because no customer data has been misused by criminals yet doesn’t mean it never will be. Breaches like this leave personal information exposed indefinitely: a driver’s licence or passport number cannot be rotated like a password, so data that hasn’t been weaponized today may well be weaponized tomorrow. One of the plaintiffs, a Victorian man, put it well when he stated, “It feels like only a matter of time before I get scammed or defrauded, which is a constant worry that I didn’t have before I was let down by Optus.”

Final words

The Optus CEO has clearly missed the mark here regarding the expectations of the press and public around a mea culpa. In most cases, if a mistake is made and someone accepts it, owns it, and apologizes, almost everyone will forgive them. After all, we all make mistakes and would also want to be forgiven, right?

On the other hand, dropping a bomb of the sort Optus did last year, one which robbed the Australian public of their peace of mind (a highly valuable and rarely discussed asset), and then blaming the media for the response suggests hubris, which will not help the brand repair the company is undertaking.

In our view, this is a missed opportunity. In a previous article, we noted the partnership between Optus and Mastercard to offer a more secure ID, which has triggered a discussion around the value of a national system to reduce cybercrime. Perhaps that would have been a far stronger core point to CEO Kelly Bayer Rosmarin’s speech. 

Or even simpler, a sincere apology, a discussion of the lessons learned, and steps the country must now take to avoid a repeat – alongside an overview of the new Mastercard scheme – would have calmed, rather than reignited, the frenzied crowd.