Last week it was revealed that hackers had stolen the personal data of millions of past and present Optus customers as part of a major cyber attack.

Up to 9.8 million Australians have potentially been impacted by the security breach, which resulted in their names, emails, phone numbers, date of births, addresses and in some cases even drivers’ licence and passport numbers being exposed.

Worryingly, Optus currently only has about 5.8 million active users, meaning the other four million people potentially caught up in the attack are past customers.

Optus CEO Kelly Bayer Rosmarin said past customers dating as far back as 2017 could be impacted by the hack.

During a press conference on Friday, Ms Bayer Rosmarin claimed the company was required by law to keep the identification of customers for six years.

“The IP address (used by the hackers) kept moving. It’s a sophisticated attack. Safe to say it comes out of various countries in Europe. And in terms of the customer data, I think it dates back to 2017,” she said.

News.com.au contacted Optus for further comment and clarification on the number of past and present customers affected but was told the number of people impacted could not be verified as the attack was being investigated by the Australian Federal Police.

“Optus can confirm that it has now sent email or SMS messages to all customers whose id document numbers, such as licence or passport number, were compromised because of the cyberattack,” an Optus spokesperson said.

“We continue to reach out to customers who have had other details, such as their email address, illegally accessed.”

Stream more tech news live & on demand with Flash. 25+ news channels in 1 place. New to Flash? Try 1 month free. Offer ends 31 October, 2022 >

This has prompted outrage from many social media users, with some even calling for changes in legislation to stop companies keeping the details of previous customers for an extended period of time.

Candidate for the Australian People’s Party Steven Georgantis shared his fury at the situation on Twitter.

“Optus has around 5.8 million active users, so the rest up to 10 million must be previous customers so why are they keeping the private details of 4.2 million previous users? Govt must legislate businesses destroy those records after three months,” he said.

Another Twitter user claimed they thought they were “safe” having not been a customer of Optus for years, but was surprised when they received an email saying their data had been compromised.

One person suggested there needs to be stronger regulation around security systems of businesses storing sensitive customer information.

“Gov should legislate for all businesses storing personal data that their IT systems have been independently certified on a yearly (basis) as meeting security standards including penetration testing,” they wrote.

Major driver’s licence problem exposed

A victim of the Optus cyber attack has revealed a huge problem many would now be facing in the wake of the security breach.

A concerned Reddit user posted in the r/AusFinace group after contacting the Queensland Department of Transport and Main Roads after they were informed their driver’s licence number had been exposed.

Wanting to “get ahead of everything” they contacted the department on the live chat feature about getting a new licence number, only to be told it wasn’t possible.

They posted a screenshot of a conversation between them and a person who is reportedly an employee of the Department of Transport and Main Roads.

The employee claims the only way they can get their licence number changed is if it is used to commit fraud.

“I can’t get a new driver's licence number. Surely this can’t be correct? I have to wait until my details are used by a criminal first?” the person captioned the image.

This will undoubtedly be an issue many victims are now coming up against, though the process differs between each state and territory.

In NSW, for example, Transport for NSW will considering issuing a new driver’s licence number if the security of the licence had been compromised or if it has been used fraudulently.

In Victoria, a person will only be eligible for a new licence number if their driver's licence was used in an attempt to commit fraud or fraudulent activity occurred resulting in identity theft.

The federal government is reportedly planning to introduce a number of new security measures in response to the attack.

“This is a huge wake up call for the corporate sector in terms of protecting the data which is there. We want to make sure as well that we change some of the privacy provisions there so that if people are caught up like this, the banks can be let know,” Prime Minister Anthony Albanese said.

He said this would allow banks to protect their customers.

“This is a massive breach that has occurred. We know that in today’s world there are actors, some state actors, but also some criminal organisations who want to get access to people’s data,” Mr Albanese said.

Joined by several of her colleagues, ABC reported Home Affairs Minister Clare O’Neil met with the Australian Signals Directorate and the Cyber Security Centre on Saturday to discuss the impact of the breach.

Under several new changes being pursued by the government, which will reportedly be announced in the coming days, it would become a requirement for banks and other institutions to be notified quickly in the event of a security breach.

At the moment, privacy protections prevent banks from being immediately notified when a cyber breach occurs that impacts their customers.

The ABC reported Optus will also be directed to hand over customer data to the banks so they can monitor the accounts of customers who have had their data stolen in the cyber attack.

On Saturday, Ms O’Neil posted a tweet claiming she would have “more to say” about the Optus security breach over the coming days.

Fury at Optus’ 24 hour delay

Optus has received major backlash in the wake of the cyber attack, with customers blasting the telco for its response to the situation.

On Friday, it was revealed that Optus knew about the breach on Wednesday, though they didn’t release an official statement until Thursday afternoon, after The Australian had already published an article about the cyber attack.

Ms Bayer Rosmarin said she first found out about the attack “less than 24 hours before we went live to the press”.

“It was only late that night that we were able to determine that it was of a significant scope. I think that was sort of a late night call. And by 2pm the next day we had notified everybody and tried to get all our ducks in a row,” she said.

Public relations expert Nicole Reaney told news.com.au it was “never a good sign” when a customer hears information that impacts them via the media, rather than being told directly.

“In addition, direct information to its customers needed to be the priority – there was a delay to this and a vague instruction to impacted customers to watch their bank accounts and report any suspicious activity,” Ms Reaney said.

“Customer service platforms need to be in place to enable inquiries to be handled efficiently and supportively as possible. Customers should not be left ‘hanging’ but be regularly armed with up-to-date information from the telco provider.

“Communication is their bread and butter – and it’s crucial they demonstrate this capability at this time.”

More Coverage

Optus executive’s awkward interview

Ally Foster

‘A flurry’: First sign you’ve been hacked

Anton Nilsson and Adelaide Lang

Originally published as Worrying detail in Optus data leak amid fury from impacted Aussies