Optus not co-operating over breach: Labor

October 2, 2022

Tom McIlroy and Max Mason

The Australian Financial Review

Sunday 2 October 2022

Tensions between Optus and the Albanese government have deepened in the wake of the telco’s massive data breach, with Labor accusing the company’s leadership of not co-operating over lost Medicare and Centrelink information.

More than a week after Optus revealed 9.8 million customers had their personal information stolen through a historic failure by the company, Government Services Minister Bill Shorten said requests for help by Services Australia had gone unanswered.

After first asking Optus to co-operate by supplying the information last Tuesday, Mr Shorten and Home Affairs Minister Clare O’Neil said the request was yet to be met, limiting help for Australians needing new Medicare and concession cards.

“Systemic risk has been injected into the Australian bloodstream about the privacy of their information,” an angry Mr Shorten said on Sunday.

“We know that Optus is trying to do what it can, but having said that, it’s not enough. We need this, not tomorrow or the next day, we really needed it days ago.”

Optus rejected the criticism, saying it was seeking advice regarding customers whose documents had since expired.

The leak of more than 10,000 individuals’ details as part of an attempt to ransom Optus included more than 3200 drivers’ licences, 151 overseas passports, 110 passports, 55 Medicare cards, 55 proof of age cards, 41 photo cards, and 31 learners’ drivers’ licences.

Optus has revealed more than 37,000 Medicare numbers were exposed in the data breach – about 15,000 are active.

Last week, Optus buckled to Prime Minister Anthony Albanese’s demands to cover the cost of new passports, adding to the company’s mounting costs after it agreed to reimburse people for replacement drivers’ licences.

Ms O’Neil, who has rejected the company’s claims that the breach was a sophisticated cyberattack, said Optus should communicate clearly to the government and their customers about exactly what information has been taken.

She said emails to the 10,200 people whose data was posted online were insufficient. That group has been advised to urgently update their information.

“The Australian government’s advice is that if you have been told you are the subject of that particular part of the breach, you should proceed immediately to cancel relevant ID cards, to cancel your passport and do whatever else is needed to make sure that you are getting fresh identity documents,” she said.

“Transparency and accountability are paramount here. It is crucial that everyone who has been affected by this breach is properly notified of that.

“We are going to need to go through a process of directly speaking with those 10,200 individuals.”

In a statement provided to The Australian Financial Review on Sunday, Optus said it was seeking further advice regarding some customers.

“We have been working very closely with federal, state and territory government agencies to determine which customers are required to take any action,” a spokesman said.

“We continue to seek further advice on the status of customers whose details have since expired. Once we receive that information, we can notify those customers.”

The Australian Federal Police have launched two investigations into the breach, and are receiving assistance from overseas law enforcement agencies including the FBI.

State and territory governments last week complained Optus was yet to hand over details of the scale of lost driver licences. It agreed to reimburse the cost of new licences, but motor registries and call centres reported being swamped by anxious customers.

In Queensland, 7000 replacement licence number requests were processed on the first day of publicity about the data breach, compared with the usual average of 30 a week.

Opposition cybersecurity spokesman James Paterson expressed concern the government and Optus appeared to be at loggerheads over the breach.

“It is frankly alarming the relationship between Optus and the government has broken down so badly that two cabinet ministers need to give a Sunday morning press conference to demand data the company should have made available quickly,” he told the Financial Review.

“Optus customers just want to know the company and the government are working together to do everything they can to protect them.”

The Coalition on Sunday offered to work constructively with any move by Labor to toughen legislative requirements or increase fines for corporations found not to have protected customer data adequately.

Attorney-General Mark Dreyfus said the breach was a wake-up call for corporate Australia and suggested the Privacy Act could be updated before the end of the year, including tough new breach penalties.

“It seems to have been the case with Optus keeping the very personal data of customers who had ceased to be customers years ago and I’ve yet to hear a reason why that was going on,” he told ABC.

Optus entered into enforceable undertakings with the Australian Privacy Commissioner in 2015, after it was revealed the company was responsible for a series of data breaches between 2008 and 2014, affecting as many as 400,000.

Customers using voicemail and modem services were affected, and Optus incorrectly posted hidden telephone numbers in online public directories.

The company was criticised for lax security and failure to detect the incidents, and agreed to an external audit and implementation of improved safety settings.
