Optus boss wanted telco to be ‘most loved brand’ but ended up becoming the face of biggest data hack

Optus had high hopes for Kelly Bayer Rosmarin when she was appointed chief executive in April 2020 – and the South African-born banker had even greater expectations of herself. 

‘We’ve done a lot of stuff but it will never be fast enough for me – I want to get to be the most loved everyday brand,’ she said less than a year into the job.

Bayer Rosmarin, a former Commonwealth Bank executive, came to Optus without ever having worked in the telecommunications industry and served a year-long apprenticeship before assuming the top spot.

Her first day in the role came as the nation was dealing with the early stages of the Covid-19 pandemic and it has been hard going ever since. 

Not only is Optus in an ongoing battle with market leader Telstra, which is twice its size and offers slightly broader coverage, but TPG Telecom has become a serious competitor after merging with Vodaphone in 2020. 

The cyber hack that has seen data belonging to 9.8 million current and former Optus customers being compromised puts Australia’s second biggest telco a long way from being ‘the most loved everyday brand’.

Slater and Gordon Lawyers are investigating whether to launch a class action lawsuit against Optus on behalf of former and current customers.

And a hacker claiming to be behind the security breach has reportedly released 10,000 customer records, demanding a $1.5million ransom.

The purported cybercriminal had been threatening to release 10,000 more records every day for the next four days if the ransom was not paid.

The mysterious hacker has since apologised for the attack but Optus customers have begun receiving threatening text messages demanding they pay $2,000 to have their details erased. 

Data involved in the breach includes names, email addresses, phone numbers, dates of birth, home addresses and driver’s licence and passport numbers. 

Bayer Rosmarin rightly insisted on Tuesday that the real villain in this security nightmare was the hacker but she is the public face of the disaster and for many observers, the buck stops with her. 

‘Well, look, I think most customers understand that we are not the villains and that we have not done anything deliberate to put any of our customers at risk,’ she told ABC Radio’s AM program on Tuesday.

No one is suggesting Optus deliberately exposed its customers to such a data breach but how most of them feel about the company is less clear-cut. 

Until now, the lowest point in Optus’s relationship with its subscribers was the debacle during the 2018 World Cup. 

For the first time, Australian fans of the round-ball football code could only watch most of the tournament’s matches by being an Optus customer or paying $15 a month to stream games on its app.

The licensing deal with SBS was described at the time as unprecedented and the experience for viewers was certainly unique. 

The technology failed badly early in the competition, with streams dropping out, buffering or not working at all. 

Then-prime minister Malcolm Turnbull called Bayer Rosmarin’s predecessor Allan Lew to ask what had happened and Optus eventually let SBS screen the remaining games because it could not guarantee fixing the problem.

Federal politicians have again been weighing into Optus’s woes, with Prime Minister Anthony Albanese describing the data breach as a ‘huge wake-up call’.

Home Affairs Minister Clare O’Neil has gone harder, launching a scathing attack on Optus in parliament in which she said the breach was a ‘basic’ hack.

O’Neil laid blame for the security failure firmly at the feet of the telco, describing it as potentially the result of simply leaving a ‘window’ open.

‘The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,’ O’Neil said on Monday.

‘We expect Optus to continue to do everything they can to support their customers and former customers.’

Bayer Rosmarin rejected O’Neil’s claim the hack was not sophisticated.  

‘Unfortunately I think our briefing of the minister happened after she gave that interview,’ Rosmarin told AM. ‘But given we’re not allowed to say much because the police have asked us not to.

‘What I can say that hopefully should help people understand that it’s not as being portrayed is that our data was encrypted and we have multiple layers of protection.’

Bayer Rosmarin reportedly has always enjoyed a challenge – she has described herself as ‘very clam in a crisis’ – and she has one on her hands right now. 

The 45-year-old joined Optus in March 2019 in the newly created position of deputy CEO, having served various senior roles since 2004 at the Commonwealth Bank. 

She had been named in the Top 25 Women in Asia Pacific Finance, the Top 10 Businesswomen in Australian and 50 Most Powerful Women in Australian Business. 

Running Optus was nonetheless a huge step up again. 

Covid immediately curtailed Bayer Rosmarin’s ability to physically visit Optus’s network of national offices and she found herself working from her Vaucluse home. 

By August 2020, Bayer Rosmarin was still upbeat when she told The Weekend Australian that Optus ‘absolutely could be No 1 in mobile share over time’.

‘I’d love to see it happen because we are so focused on customers that they choose us and they choose to stay with us,’ she said. 

Nine months after her appointment Bayer Rosmarin told Nine newspapers she believed the telco industry was lacking new ideas in the fight to make profits.

‘Despite being so fundamental and despite it being something that people actually love and use every day – it’s a sector that globally is struggling for profitability,’ she said. 

Under Bayer Rosmarin, Optus bought low-cost carrier Amaysim, which was viewed positively by the share market, and won approval from customers by freezing prices during the pandemic.

There have been other successes. 

Optus Sport has held the rights to the English Premier League since 2016 and renewed that deal as the competition’s exclusive local broadcaster in late 2021 for six more years.

Bayer Rosmarin is a Manchester United fan and former Football Federation of Australia board member and the company is confident it will never experience another broadcasting disaster like the 2018 World Cup. 

The Singtel-owned provider had also been close to securing a broadcasting rights deal with Rugby Australia in 2020 before the pandemic hit.  

If the current data breach had happened in Europe the company responsible would face potential fines worth hundreds of millions of dollars but Bayer Rosmarin did not back tougher penalties here.

‘Look, honestly I’m not sure what penalties benefit anybody,’ she told AM. 

‘I think what I can say is Optus is doing absolutely everything possible to be transparent, to be on the front foot. 

‘We’re communicating to every customer individually about which specific fields of theirs may have been accessed and we’re working through that.’

Bayer Rosmarin said Optus was working closely with the Australian Cyber Security Centre and Australian Federal Police to identify the culprits.

‘We definitely know that this is the work of some bad actors and really they are the villains in this story,’ she said. 

‘Now of course we will investigate thoroughly how it could happen, what went wrong, how we could have avoided it. 

‘And later on if something comes out of that indicates that Optus have made an error or done something bad we will of course take full accountability for that. 

‘But there’s a time and a place for that and we remain focused on doing everything we can to make sure no harm comes to customers as a result of this theft.’

Optus has announced it will be providing the most affected past and present customers with a free 12-month credit monitoring subscription to Equifax Protect. 

Asked if she had considered resigning, Bayer Rosmarin said: ‘At the moment all we’re focused on is protecting our customers, so someone has to be accountable for doing that and that’s exactly what I’m focused on.’