Outdated data retention laws put former Optus customers at risk of breach, experts say

No longer with Optus? You could still be at risk of having your data breached – including details like your passport number and driver’s license – thanks to a law experts say is outdated.

Angira Bharadwaj and Lachlan Leeming

2 min read

September 26, 2022 - 8:49PM

Optus is offering customers affected by cyber attacks a subscription to Equifax

NSW

Don't miss out on the headlines from NSW. Followed categories will be added to My News.

Australia needs to urgently reassess its data protection laws after former customers who left Optus a year ago have still had their data exposed in the bombshell hack that’s left the telecommunications industry reeling.

The Telecommunications Act 1979 requires companies like Optus in Australia to keep some customer data for at least two years after the account has closed.

The provision is designed to help police carry out investigations but a leading cybersecurity expert is calling on the government to conduct a major review of the historic legislation.

Expert Susan McLean said the world looked very different in 2022 than 1979 and it is worthwhile questioning how much data telcos really needed to assist police.

“The data that is held should be the bare minimum. So once you have proven this is Billy Smith, do you really need to keep the passport number and driver’s license number?” she said.

More than nine million Australians have been impacted by the Optus hack. Picture: NCA NewsWire / Martin Ollman

“If the police need to find out who owns the number they have a name and address and it is not hard to find out their driver’s license and passport number.”

The government can have an overarching responsibility to have a really good look at it and see if the laws need to be changed.”

The state government has already vowed to look at possible reform options with Digital Minister Victor Dominello working closely with Optus.

Premier Dominic Perrottet said he had also been in contact with Optus.

“I am very confident with the work that Optus is doing at the moment. We will work very closely with them and if there are areas of law reform that we can work with the federal government on, we certainly will look at it,” he said.

Telecommunications providers can store data for at least two years after an account closes. Picture: Supplied

Mobile app developer Simon Haddadi, 30, left Optus as a customer 12 months ago but his data has still been compromised.

“This is why the whole concept of a decentralised system is coming in,” he said.

“(Optus) shut down the system as soon as they discovered the cyber attack. Why aren’t they saying how long it took them to discover that?”

Ex-customer Simon Haddadi was not safe from the hack despite leaving Optus a year ago. Picture: NewsWire / Monique Harmer

Optus did not provide details on how many former customers were impacted by the breach but is offering all impacted current and former customers a one-year subscription to a free credit monitoring and identity protection service.

The company is also working with the Australian Federal Police on an investigation.

Top law firm Slater and Gordon is investigating a possible class action.

“We consider that the consequences could be particularly serious for vulnerable members of society, such as domestic violence survivors, victims of stalking and other threatening behaviour, and people who are seeking or have previously sought asylum in Australia,” Class Actions Senior Associate Ben Zocco said.