Nine months after Telco giant Optus — overseen by former NSW Premier Gladys Berejiklian — announced a “review” into the nation’s biggest data breach it’s refusing to release the findings.
On October 3 last year, with the nation reeling from the news the personal details of 10 million Australians had been leaked online, Optus announced it had appointed “consultancy” Deloitte to “conduct an independent external review”.
“As part of the review, Deloitte will undertake a forensic assessment of the cyberattack and the circumstances surrounding it,” Optus announced.
Optus CEO Kelly Bayer Rosmarin said the “forensic review” would “play a crucial role in the response to the incident for Optus, as it works to support customers”.
“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus,” Bayer Rosmarin said in the statement.
“We are determined to find out what went wrong”.
Yet nine months later Optus, Bayer Rosmarin — and Optus executive Berejiklian — are all refusing to say what Deloitte’s “forensic assessment” found.
Optus announces the Deloitte “independent external review” into the mass breach last October. Source: Optus
That refusal is particularly damning because Bayer Rosmarin has at all times claimed the breach was a “sophisticated attack” — despite providing no evidence to back the claim.
The Optus CEO has repeatedly and steadfastly made that claim, despite the Federal Government and Home Affairs and Cyber Security Minister Clare O’Neil — informed by the nation’s intelligence agencies who went in and investigated immediately after Optus disclosed the mass breach — outright rejecting the claim.
As far back as September 26 Minister O’Neil rejected Bayer Rosmarin’s claims saying it was a “basic” attempt by cyber criminals, and Optus had “effectively left the window open”.
“We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen,” O’Neil told ABC’s 7.30 program.
“Responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” O’Neil told Federal Parliament the same day.
Optus is Australia’s second biggest telecommunications provider.
It is 100 per cent owned by Singtel, which is majority owned and controlled by the Singapore Government.
Cyber Security Minister Clare O’Neil in September says Optus breach was a simple hack. Source: ABC
The sham “review” at the heart of what was the biggest data breach in the nation’s history comes as the “Big Four” consultancies — of which Deloitte is one — are under huge pressure sparked by the PwC tax leaks scandal.
PwC took top secret Federal Government information it had gleaned while providing “advice” on new anti-tax avoidance laws and sold it for millions to offshore multinationals seeking to avoid Australian tax.
Deep criticism of the Big Four consultancies, which also includes KPMG and Ernst & Young, includes sham “investigations” or “reviews” they conduct for big business and government.
Instead of shedding light on matters, those “reviews” are regularly used by those in power to cover up failures or wrongdoing.
The revelations also come as the NSW Independent Commission Against Corruption (ICAC) is set to release tomorrow morning its long-awaited report into Berejiklian, and whether she engaged in corruption or other wrongdoing while NSW Premier.
Berejiklian denies any wrongdoing.
Berejiklian voluntarily resigned as NSW Premier in October 2021 after the ICAC announced it had extended its Operation Keppel investigation into disgraced former NSW MP Daryl Maguire to also include her.
It had earlier emerged Berejiklian and Maguire had been in a secret multi-year relationship, which Berejiklian had failed to disclose while awarding millions of dollars of grants to projects in Maguire’s electorate of Wagga Wagga.
Remarkably, Optus appointed Berejiklian to a senior role — with an undisclosed salary — just months later, announced on February 11, 2022, while the ICAC probe was ongoing.
As “Managing Director, Enterprise, Business and Institutional”, a key part of Berejiklian’s job is to solicit business from government for Optus.
Optus is the Australian arm of Singapore’s Singtel, which is majority owned and controlled by the Singapore Government.
The ICAC heard explosive public testimony, as well as secret recordings between Maguire and Berejiklian, including one in which Berejiklian tells Maguire, who was seeking over $100m for a hospital project, that NSW Treasurer Dominic Perrottet “does what I tell him to do”.
At the heart of Operation Keppel is $5.5m given to the Australian Clay Targets Association in Wagga Wagga for a new “club house and function centre” and millions for the Riverina Conservatorium of Music, also in Wagga Wagga.
The ICAC has heard the “fast tracked” gun club grant went ahead after an intervention from Berejiklian, despite strong objections from department officials, including because it failed to meet required criteria.
NSW Office of Sport director Michael Toohey said the business case was “deficient” and “flimsy”, with “imaginative” claims of community benefit.
The ICAC heard the project did not meet the “NSW Government’s own standards and policies”.
“We need to ensure that the funding goes to public infrastructure, not to private assets on private land”, Jenny Davis of Infrastructure NSW said before the grant was approved.
The gun club is a private asset on private land.
The $5.5m gun club grant a financial disaster. Source: The Klaxon
The Klaxon in April revealed the gun club project had been a taxpayer disaster, and even a financial albatross for the club itself.
None of the major conferences flagged in an “updated business plan”— used to get the highly-contentious grant over the line — had materialised in the five years since the 1000-person function centre opened its doors.
On October 10 last year, a week after Optus announced its KPMG “review”, The Klaxon revealed that Optus and Singtel own a “world class” global cyber security business, Trustwave.
Yet Optus, including Berejiklian, and Singtel have at all times refused to respond when asked whether Trustwave had been in place to protect the information of Optus’s 10m-odd customers.
That’s despite Optus and Singtel describing Trustwave, which they bought for over $1 billion in 2015, as the “global cybersecurity arm of the group” with “elite cyber security expertise” to “eradicate cyberthreats with world-class intel”.
The Klaxon has been seeking the outcome of the KPMG “review” from Optus, Bayer Rosmarin, Berejiklian, and Singtel since late last year, but at all times, all have refused to respond.
On Tuesday The Klaxon again asked Optus, Bayer Rosmarin, and Berejiklian for the outcome of the KPMG “review”.
We received an emailed response from the “Optus Media team” Tuesday morning stating: “Confirming that we have received your response and will endeavour to get back to you soon”.
We have received no response.
On October 10 last year The Klaxon reveals Optus runs its own global cybersecurity arm. Source: The Klaxon
“Optus is appointing internal professional services firm Deloitte to conduct an independent external review of the recent cyberattack, and its security systems, controls and processes,” Optus announced on October 3 last year.
“The review was recommended by Optus Chief Executive Officer, Kelly Bayer Rosmarin, and was supported unanimously by the Singtel Board, which has been closely monitoring the situation with management since the incident came to light.
“Deloitte’s global specialists will work with the Singtel and Optus teams and other international cyber experts. Optus will also continue to engage with relevant stakeholders,” the statement says.
Since October last year The Klaxon has been asking Optus, Bayer Rosmarin, Berejiklian and Singtel for the “terms of reference” of the review, that is, the specific instructions they gave to Deloitte.
They have at all times refused to respond.
Last month PwC announced it would conduct an internal review — which it falsely called an “independent review” — to be conducted by businessman Ziggy Switkowski, the chair of casino giant Crown Resorts.
On Friday The Klaxon revealed PwC, like Optus, is refusing to disclose the “terms of reference” it set for Switkowski. It is also refusing to say how much it is paying him to conduct the “review”.
In Optus’ October statement Bayer Rosmarin says the Deloitte review “may also help others in the private and public sector where sensitive data is held and risk of cyber-attack exists”.
“We’re deeply sorry that this has happened and we recognise the significant concern it has caused many people.
“I am committed to rebuilding trust with our customers and this important process will assist those efforts”.