Key Points
- Cyber Security Minister Clare O'Neil said Optus needed to be upfront about what data had been taken.
- Government Services Minister Bill Shorten said about 36,900 Medicare numbers had been leaked.
The fallout from the Optus cyber attack is continuing, with a federal minister strongly criticising the telco for not being more forthcoming about the full nature of the breach.
Cabinet minister Tanya Plibersek said while people had been receiving their bills on time, the telco had not told customers whether their personal details have been stolen.
"One of the real problems is the lack of communication by Optus, both with its customers and the government," she told the Seven Network on Monday.
"I don't think the company is doing a particularly good job with its customers or providing the government with the information we need to keep people safe.
"It's extraordinary we don't have any Medicare numbers or Centrelink numbers that may have been compromised."
A 'wake-up call' for corporate Australia
Yet former home affairs minister Karen Andrews said the government's response to the breach had also been inadequate.
While she did not absolve Optus from its corporate responsibilities, Ms Andrews said the government had "failed quite dismally" in its response.
"The federal government funds an organisation called IDCARE which is ready, willing and able to assist people who have had their identity stolen and could have provided advice to Optus customers," she told ABC Radio National.
She said the breach was a "wake-up call" for all of corporate Australia about the importance of data protection.
Optus was heavily criticised by Albanese government ministers at a press conference on Sunday for not responding to requests for information to help protect almost 10 million Australians from fraud.
Services Australia wrote to Optus on Tuesday asking for the full details of all customers who had their Medicare cards or Centrelink Concession Cards compromised to boost security measures.
The government said Optus was yet to respond to the request.
At least 10,000 parcels of ID data taken in the breach were put on the internet for sale by the hacker, before they took it down.
Optus commissions independent external review
Meanwhile, Optus announced on Monday it is appointing international professional services firm Deloitte to conduct an independent external review of the recent cyberattack as well as its security systems, controls and processes.
The review was recommended by Optus CEO, Kelly Bayer Rosmarin, and was supported unanimously by the board of Singaporean telecommunications company Singtel, which owns Optus.
As part of the review, Deloitte will undertake a forensic assessment of the cyberattack and the circumstances surrounding it.
Ms Bayer Rosmarin said the forensic review would play a crucial role in the response to the incident for Optus, as it works to support customers.
“We’re deeply sorry that this has happened and we recognise the significant concern it has caused many people," she said.
"While our overwhelming focus remains on protecting our customers and minimising the harm that might come from the theft of their information, we are determined to find out what went wrong.”
Ms Bayer Rosmarin said the review would help ensure understanding of how the data breach occurred, and how to prevent similar incidents from occurring again.
"It will help inform the response to the incident for Optus.," she said.
"This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.
“I am committed to rebuilding trust with our customers and this important process will assist those efforts.”
Morrison government criticised over 'absolutely useless' laws
Cyber Security Minister Clare O'Neil said Optus needed to be up-front about what specific data had been taken about individuals, with the government not knowing how many passport numbers had been stolen.
Ms O'Neil said the government was particularly concerned for those people whose sensitive data had already been published in the "ether".
Optus chief executive Kelly Bayer Rosmarin has apologised to customers, but is resisting calls to step down following the disaster.
Ms O'Neil criticised the former Morrison government, describing laws designed to protect Australia's critical infrastructure from cyber attacks as "absolutely useless".
"This company (Optus) has just overseen what is without question, the largest consumer data breach in Australian history," she said.
Opposition cyber security spokesman James Paterson said the Coalition would be open to bigger fines for breaches of the Privacy Act.
In a statement, an Optus spokesperson said the company was working with government agencies to determine which customers it needed to take action on.
"We continue to seek further advice on the status of customers whose details have since expired. Once we receive that information, we can notify those customers," the spokesperson said on Sunday.
"We continue to work constructively with governments and their various authorities to reduce the impact on our customers."
