The cost to SingTel of exposing good customers to Australia’s worst data breach puts it at greater risk.
The cost to Singapore Telecommunications Ltd of exposing well-off customers to one of Australia’s worst data breach risks will wipe out more than a quarter of its annual profits.
Optus, SingTel’s Australian mobile-phone business, revealed last week that hackers had accessed the personal information of about 9.8 million customers — more than one-third of the population. About 2.8 million of them lost details on passports, driving licenses or government-issued medical identity cards, according to the government, raising concerns about large-scale identity fraud.
A week after the hack was revealed, the scale and fallout, as well as the potential cost to Optus, are growing.
Prime Minister Anthony Albanese said the company should pay for replacement passports, while Australia’s largest states said Optus would pick up the tab for new driving permits. The government plans to tighten cyber security laws due to the breach.
Cyber attacks have become more common worldwide, exposing at least 11.43 billion customer records to hundreds of entities in more than a decade. Australian police are working with the US Federal Bureau of Investigation on the Optus hack. Home Affairs and Cyber Security Minister Clare O’Neil on Wednesday described the attack as “a big wake-up call” for corporate Australia.
The average cost of losing each customer record to a hacked company is $150 to $200, said Ajay Unni, chief executive officer and founder of cybersecurity consultancy StickmanCyber. This includes compensation, legal bills and the cost of public relations campaigns. “Some companies end up spending twice as much,” he said.
Applied only to the 2.8 million worst-hit Optus customers, that would equate to between $420 million and $560 million. Optus-owner Singtel posted a profit of $1.44 billion in the year ended March.
According to Unni, Optus could spend money on strengthening security and training. At the same time, Australian law firm Slater & Gordon Ltd is evaluating a class action against Optus and says it has received thousands of registrations.
Costs for Optus are hard to pin down. It offered its most vulnerable customers a free 12-month subscription to Equifax, a credit monitoring and identity protection service. The service costs A$14.95 per month, so if 2.8 million customers take up the offer, it could theoretically cost A$502 million ($326 million). Of the identity documents exposed, passports are the most expensive to replace, although it is unclear how many have been compromised. A replacement costs A$193.
Optus did not respond to an email seeking comment on the potential cost, or on the estimates of between $420 million and $560 million. The company has apologized for the data breach. It said late Wednesday that 36,900 medical identification numbers were among the exposed records.
“The Australian government should have a better ability to enforce cyber security provisions on private companies and that’s something I’d like to see done in terms of attacks,” O’Neil said.