More and more information is becoming available about the breach of Optus (Australia’s second-largest telco). It looks like the hacker is more of an amateur than a professional criminal or a “state actor.” This makes the hack even more worrisome.

It looks as though Optus didn’t have its security house in order. This makes the issue all the more painful for the company. It will dent its reputation, and customers could become somewhat wary about dealing with the company. Having said that, the reality is that this is not the first breach and will most certainly not be the last one.

Nevertheless, the company will have to develop some serious customer service campaigns to show that it still earns the market’s trust. A few free months or something similar might soften the pain for the affected customers.

Over the last week, the company’s main activity has been to secure as much as possible of the lost data (from passports, driver’s licenses and Medicare cards). It is obvious—with a very unhappy government—that they will have to pay for reissuing new documents for those people who have been compromised. This is where the first big costs will occur. On top of that, there is the class action, and who knows what that will amount to?

This is an absolute nightmare for the company and a lesson for all large organizations that maintain private data from their customers. As mentioned, this will not be the last hack. I am sure there will be serious questioning happening in many boardrooms around the country and, indeed, around the world.

The Optus hack is bringing the issue very close to home. It doesn’t really matter that the hacker has indicated that he will not release more data; the reality is that this hack makes it clear what can happen and what an impact this has or can have.

This occurs at a time when the cyber threat has never been as serious as the present. The deteriorating geopolitical situation and the big shift in the way criminals operate in the cyber domain are creating the sort of disasters we see with the Optus breach.

One thing for sure is that in order to enjoy all the positives resulting from the digital economy, we need to be far more vigilant about the security of our personal information that we are often freely giving away to third parties.

In most cases, a hack is a result of a lack of security either on the side of organizations that host personal data or a lack of security on the user side. Obviously, criminals interested in these crimes prefer to go for the organizations as they can score large amounts of data from a single attack.

The Optus hack shows the enormous “reward” for the criminals involved. There are also very clear questions about Optus’ security regarding the personal data of its customers—did they really need to have all of that private data stored, and if that is the case, all in one place? A big question mark about that.

So, it is paramount that Optus—and, of course, all organizations, especially those with sensitive personal data—will have to maximize their efforts to increase their security. Often criminals are looking for weaknesses in a system that they can exploit to get access to the data stored there.

Typical situations that these people exploit are when maintenance, tests and new installations occur. Data systems are extremely complex, and if something unusual happens, such as testing, for example, it could well be that somewhere else in the system, an opening appears that hackers can exploit.

Therefore, it is critical that organizations upgrade their security so that before tests or other events happen, a full security check is conducted to ensure the work involved doesn’t create an opportunity for hackers.

On the user side, we have to be more and more prepared that data stored with the many organizations we deal with will get hacked. So be prepared for the worse. Users will, therefore, also have to maximize their efforts to protect their data from being misused. You need to protect yourself from criminals who do get access to your personal data. To make it more difficult for them to get access to your bank or phone account, there are steps that you can take.

A two-step protection system is a good start. Apart from your password, this requires you to enter a unique code that you receive from companies such as your bank or phone company by SMS or email before you can go into your account. This offers you a significantly higher level of protection.

Most of these systems also allow you, as an alternative, to use your fingerprint to get into your personal details. These codes and fingerprint protections are making it far more difficult for hackers to get access to your accounts.

None of the security systems is bulletproof, but on both sides (organizations and users), more can be done to better protect personal data.

The Government is also not off the hook. As with so many policies, there has been a serious lack of vision from the Government and, therefore, also no clear strategy attached to it. There are a dozen or so initiatives that are not aligned and sometimes conflict with each other.

As we are saying with the Optus hack as well, decisions are made on the fly without proper process. So much of what passes for government cyber-security initiatives have been knee-jerk reactions to external events, rushed through with no time for thoughtful inputs from experts in the field. Input from experts should be asked before policies are developed, not afterward.

There has not been any due process in the formulation of the policies. This is a serious undermining of trust in the Government being able and interested to work with the experts, industry and the community to put a solid policy in place.

I am just back from Europe, and you cannot communicate—in relation to your personal services—with any bank, telecom services or any other serious brand without double or even triple authentication procedures; the latter also uses QR coding.

Rather than coming out with regulations on top of regulations, Australia could consider using the EU privacy law and human rights law, known as the General Data Protection Regulation.

Authentication procedures are not an option—it is the law. Australian companies offering such personal services in Europe have these regulations already in place as it is compulsory, but also, our domestic operators should consider using GDPR.

Hopefully, the Optus hack is another wake-up call that we all need to take cyber security far more seriously.