Out-Law News 2 min. read

Lessons from Optus cyber attack for energy and infrastructure companies

The recent Optus data breach is a warning shot to all businesses, including those in the energy and infrastructure sectors, about the need to protect the security of data.

Optus, Australia’s second largest telecommunications provider, announced on 22 September that it was investigating “the possible unauthorised access of current and former customers’ information”. It has subsequently confirmed that 9.8 million customer records were exposed, and it has contacted customers whose personal data was released on the dark web. Optus has appointed Deloitte to conduct a forensic review of the cyber attack and formed a joint working group with the Australian government to inform a coordinated response to the incident.

The Optus data breach is the latest in a long line of data security incidents involving major corporations. As the infrastructure and energy sectors evolve to adopt new technologies and digitalisation becomes a norm on-site, they are generating increasing volumes of data of growing value. In this context, it has never been more important for those businesses to take action to improve their cyber resilience and safeguard data.

Technology, and in particular cloud-based systems and the internet of things, have become the norm in large scale infrastructure and energy projects. These innovations have allowed efficiency and cost savings, but they also introduce new risks and obligations to protect the data generated and stored through these technologies.

A significant amount of highly sensitive and personal data is created and obtained throughout the lifecycle of a project. Examples include information associated with tenders, building information modelling (BIM) systems, legal contracts – such as supplier agreements, and IT systems and equipment. It also includes project correspondence and other files, regulatory documents, performance reporting and work scheduling data and systems, building management systems, and project reports – including calculations, site surveys and test results.

Employee details such as tax file numbers, drivers’ licences, trade-specific licences and, in some instances, health information, where employees are required to undergo medical assessments, are also sensitive and potentially highly prized by hackers. So too are financial metrics for the project, contractors, subcontractors and other parties.

Data breaches and cybersecurity failures can have significant consequences for businesses, including penalties and loss of revenue due to business disruptions, project delays, operational instability, and potential exposure to litigation. Importantly, failing to prevent a data breach could also result in a business being blacklisted from tendering on future projects and can cause long term reputational damage. 

Energy and infrastructure companies must invest in robust security infrastructure and consider running penetration tests and simulations so that they have a clear action plan to mitigate damage in the unfortunate event of a breach. General counsel, project managers and other business leaders have a duty to ensure that all staff, labourers and subcontractors are trained and constantly reminded – perhaps during daily toolbox talks – of the role every individual plays in securing data.

As the construction and energy industries become more globalised, companies need to be aware of potential threats to their data in the various jurisdictions in which they operate – such as potential access to their data by public authorities, or the risk of sudden changes in legislation. 

To help businesses protect their data and systems, the Australian Cyber Security Centre (ACSC) has published, and regularly updates, the Information Security Manual (ISM). The purpose of this manual is to outline a cybersecurity framework that organisations can apply, using their risk management framework, to protect their information and systems from cyber threats and to govern, protect, detect and respond to security risks. The ISM also provides guidelines covering security, information technology and governance to help businesses protect their data and systems.

Pinsent Masons has developed Cyturion, a one-stop-shop cyber response tool, that provides businesses with access to a response process tailored specifically to their needs.

Co-written by Harry Grewal of Pinsent Masons.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.