Optus: Breach of Trust?

I’ve been an Optus customer for many years.

I first used its services when it wasn’t quite as well-established and mainstream as it is today. It provided competition in a moribund industry crying out for fresh ideas in telecommunications. And I've been trusting them with my personal data ever since. Most importantly, I expected Optus to comply with the Privacy Act and keep my data safe from third parties and potential misuse/abuse.

Along with almost ten million other customers, I recently became aware (via media) of the serious data breach, the size of which is probably unprecedented in Australia and potentially catastrophic for all affected customers due to the sensitive nature of the data stolen.

Based on what I’ve read and heard, this data breach is so serious I think it could be a ‘life and death’ moment for the company and its leadership. Never have so many customers had such a compelling reason to sever their relationship with Optus, irrespective of the contractual relationships in place.

One would expect such a severe incident, directly affecting customers of a major, well-funded corporate like Optus, would immediately trigger a sophisticated customer support and PR response. From my perspective, that definitely wasn't the case.

The data breach was widely reported in the media following Optus’s announcement on 22 September, but customers had to wait days to learn directly from their trusted service provider what had happened, how they had been affected, and what next steps they should take to protect themselves. There was no initial customer communication to acknowledge the breach and to let customers know there would be follow up communications with more details.

So far, I’ve received a single email communication from Optus, confirming the worst-case scenario – all my personally identifying data, including driver’s license and passport numbers, had been illegally accessed while in its custody. There may well have been other communication activities taking place with other customers, but I can only relay my experience.

The alleged hacker has since tried to extort Optus, then apologised and then claimed all the stolen data had been deleted. While that's of some limited comfort (if it can be believed), the damage to Optus’s trustworthiness and reputation has been done and will be difficult to recover unless it is able to convince its customers about four (4) key issues - its ability, humanity, integrity, and predictability.

Recent media announcements suggest Australian victims of the Optus breach will be able to change their driver’s license numbers and get new cards. Optus is expected to bear the multimillion-dollar cost of the changeover (but I’m still waiting for Optus to confirm this). The Commonwealth Government has made a compelling case for Optus to fund the replacement of passports for affected customers (adding to the already lengthy delays in issuing passports in the normal course). Still no direct communication from Optus about replacement licenses, passports or a reported offer from it to take up a 12-month subscription to a credit monitoring and identity protection service.

And then there is the situation involving expired and unexpired Medicare cards plus there is also talk of a class action lawsuit.

Although some progress has been made in the week plus since the breach was announced, the unwelcome news is, of course, in the uncertainty. Can we really trust the hacker when they claim they have deleted the data? They have proven to be a criminal, so why would we take their word for it? We can’t even be sure that the person posting that statement is the actual holder of the data.

I suspect the direct cost to Optus of helping to remediate the replacement licenses, passports, etc. will be significant, but orders of magnitude less than the damage to Optus’s trustworthiness, reputation and bottom line as customers seriously consider which telecommunications provider they should trust with their data going forward.

My personal view (and that of many others in my personal circle) is that Optus has done a very poor job of protecting its trustworthiness and reputation from the outset of the breach. Clearly, it had managed to gain the trust of millions of Australians over a lengthy period, but in my case it has almost evaporated in a cloud of confusion, inaction, and poor communication, characterised by lengthy delays in supporting a once loyal customer base.

As someone with expertise in the field of trust and trustworthiness, these are the key issues I alluded to earlier that I (and many other Optus customers) will now be assessing to determine if an ongoing relationship can be warranted.

ABILITY

Has Optus demonstrated it has the competence to deliver the services I require and meet my expectations around the use and security of my data?

While its ability to deliver telecoms services is not in question, the data breach has been so significant and potentially damaging that those services are now a secondary consideration. It's really hard to imagine how I could trust Optus with my data again. That’s a FAIL from me.

Optus should consider a number of initiatives including an end-to-end audit of its data policies, processes and practices and then make the results public so its customers can at least make an informed decision about staying in the relationship. Perhaps an endorsement from Government technical agencies would also assist.

HUMANITY

Has Optus treated me like a valued customer, where meeting my needs and supporting me throughout the post-data breach period have been paramount?

Although the Optus CEO expressed disappointment with the data hack in the one and only mass-produced email I received, this has not in any way convinced me that Optus has much empathy for my situation. Issuing media releases is no substitute for keeping customers regularly informed about the status of the situation and what steps are being taken to restore them to pre-breach conditions. So that’s a FAIL from me too.

The tone of future communications with customers needs to reflect the gravity of the breach, demonstrate a clear understanding of how customers have been or could be personally impacted and reflect special arrangements that make it as easy as possible for customers to overcome the risks and inconvenience.

INTEGRITY

Has Optus done what it said it would do?

I’ve had cause to contact Optus several times about my service delivery and billing, but they were only minor irritations compared with having my personal data hacked and being exposed to potential identity theft and fraud, etc.

Optus didn’t protect my data as per its obligations under the Privacy Act, so how could I think it has acted with integrity? That too is a FAIL from me.

From this point on, Optus must tick every box and deliver on each of its promises to customers. No ifs or buts.

PREDICTABILITY

Has Optus delivered predictably?

Up until the data breach, I would say Optus was predictable. My phone and internet services operated as they should (99% of the time), my bill arrived at the same time each month and was paid automatically without problem, etc. But the data breach has produced a huge level of uncertainty in my mind about Optus going forward which makes it unpredictable. I don’t know if I can trust Optus with my data again. So, again that’s a FAIL from me.

Optus needs to become predictable again, but in a good way that benefits its customers.

Having failed all tests of trustworthiness, my ongoing relationship with Optus is tenuous at best unless it can quickly convince me on all counts that it can be trusted.

What about you? Have you been impacted by the data breach and how do you feel about the trustworthiness of Optus right now? Will you trust Optus again with your data?

Share your thoughts in the comments section below.
