October 3, 2022
Simone Fox Koob and Nicole Precel
The Age
Monday 3 October 2022
The federal government says Optus still has not given government agencies full details of customers who had Medicare or Centrelink details exposed by the data breach and has accused the telco of a lack of transparency and accountability.
Cybersecurity Minister Clare O'Neil and Government Services Minister Bill Shorten yesterday said Services Australia, which is responsible for the delivery of government payments and services, had written to Optus on September 27 asking for the details of customers whose Medicare and Centrelink details were exposed.
"To date, there have been no impacted customers details provided by Optus in relation to this request," the government said.
"In the face of a breach on an unprecedented scale in Australia, Optus needs to come together with the Australian government to be part of the solution."
Services Australia needed the information so it could place additional security measures on affected customer records and prevent future fraud, the ministers said.
In the Optus data breach, the names, birthdates, phone numbers, addresses, passport, healthcare and driver's licence details of 9.8 million Australians were stolen by an anonymous hacker.
O'Neil, who spoke to Optus chief executive Kelly Bayer Rosmarin yesterday, said the telecommunications provider needed to do more to help the 10,200 people whose data had already been shared by the hacker on the internet.
"Optus have advised me this morning that they have contacted the 10,200 people. I gave very clear feedback to Optus that an email was not going to cut it here. We are going to need to go through a process of directly speaking with those 10,200 individuals and Optus needs to take up the mantle here to ensure that people are aware when they are directly at risk," O'Neil said.
An Optus spokesman said they had been working closely with government agencies on a federal and state level to determine which customers were required to take any action. "We continue to seek further advice on the status of customers whose details have since expired," he said. "Once we receive that information, we can notify those customers. We continue to work constructively with governments and their various authorities to reduce the impact on our customers."
O'Neil is considering compelling companies to report data breaches and reconnect services after a hack as part of changes to cybersecurity legislation, saying current laws were "bloody useless" in dealing with the Optus attack.
Shorten, who is responsible for government services, called for "full and transparent co-operation" from Optus with the government. About 36,900 Medicare numbers are believed to have been accessed by the hacker.
"We seek Optus to step up its communication and transparency with government. Now is not a time to listen to the lawyers and the damage-control merchants. Now is the time to take the high road, embrace and work with us in all areas as they've been doing in some, [to] further extend that co-operation," he said. "I think there should be more initiative displayed by Optus ... this shouldn't be a game of whack-a-mole where we work out what the problem is and then we go to corporation and say help us stop the problem.
"The drawbridge needs to come down."
Opposition cybersecurity spokesman James Paterson told Sky News yesterday the opposition was open to "sensible changes" to cybersecurity laws. "We do want to make sure that major companies in Australia are taking this very seriously," he said.
Joseph Longo, the head of corporate regulator ASIC, said the hack served as a classic wake-up call for companies and that responsibility for cybersecurity started at the top.
"It's a whole-of-economy issue, cyber risk management is core business for any company or institution in Australia," he said.
"And it's a fundamental obligation that starts at the top of the house, at the board of directors."