Optus hack exposes laws leaving millions of Aussies vulnerable to data breaches
Former Optus customers affected by the hack who haven’t been with the company for years have brought into focus laws leaving Aussies vulnerable.
Several Australians are furious about being caught up in the massive Optus data breach because they hadn’t been a customer of the telco giant for years.
News.com.au has spoken to a Sydney victim who had changed telco providers five years prior to the hack and considers himself particularly vulnerable to personal information being shared on the internet because he has been stalked in the past.
Another Australian affected by the cyber attack told news.com.au she had not been an Optus customer for the past four years.
The widespread leak of details of former customers who have not been with the telco for years has brought into focus data retention requirements for Australian companies, which experts say aren’t necessary and leave Aussies vulnerable.
The Victorian woman said she was “astonished” to receive the email informing her of the breach as she closed her Optus account in 2018.
She even insisted on her data being deleted when she left the telecommunications giant and says a staff member assured her it had been removed.
The recent hack, which has been called the most significant in Australian history, has also shone a spotlight on national data retention rules, which require certain ex-customer information to be kept for years after an account closes before it can be deleted.
Advocates have pointed to data protection rules in the European Union that give ex-consumers a “right to be forgotten”, under which a company must delete a person’s data on request unless it has a legal obligation to keep it. No such right exists in Australian privacy law.
Last week, Optus revealed the names, dates of birth, phone numbers, email addresses, and in some cases home addresses and ID document numbers such as driver’s licence or passport numbers of up to 9.8 million former and current customers, dating as far back as 2017, had been stolen in a hack.
Rachel*, from Victoria, runs her own medium-sized business and in a stroke of bad luck, had an employee leak data about her company in 2018.
She said after this data breach she decided to switch providers, and claims she was assured by an Optus staff member in store her personal and company information had been deleted.
However, like millions of other Australians, she was notified last Friday that her personal information may have been compromised.
When she rushed to an Optus store last week, her heart sank as she discovered that her private business information may have also been stolen.
“What I’m really frustrated about is they (Optus) have my ABN (Australian Business Number), they also have my annual income,” she said.
Rachel is now worried those details could have fallen into the hands of a hacker and says it could wreak havoc on her business and her finances.
Rachel said she discovered during her recent visit to an Optus store that, rather than her personal information being removed from the company’s records, some details had been edited instead: her date of birth, for example, had been changed to 01/01/1901. She told news.com.au she believes this is why an Optus employee could appear to show her on a screen in store in 2018 that her details were no longer on the system: the record was still there, but the details she gave no longer matched it. Overwriting a field with a placeholder value like this is not deletion; the record, and every other field in it, remains stored.
Optus did not comment on this claim when approached for comment by news.com.au.
Rachel has since discovered it was likely impossible for her information to have been removed from Optus’s records when she requested it four years ago anyway, because of data retention rules, in full effect since 2017, that require telcos to keep certain customer data for a further two years after a customer leaves.
In a statement to news.com.au, an Optus spokesperson said: “Optus are required under laws to keep records for certain periods of time, both in terms of specific requirements under the Telecommunications (Interception and Access) Act 1979, and the more general requirements that apply to data retention.”
Jason, from Sydney, was also shocked to receive the email about the Optus breach when he hadn’t been a customer for five years.
“The concerning thing for me is that I stopped being an Optus customer in 2017 and want to know why my data has been kept online since then,” the IT worker, 52, told news.com.au.
Jason said he had been an “on-and-off” customer at Optus for years and was always put off by the fact that whenever he signed up with Optus again, he didn’t have to input any new details because they had been stored from the previous time and were within easy reach for the company.
In 2017, he found a better deal with another telco provider and switched companies for good. As five years had passed, he just assumed his data had been deleted.
“Many of the customers (impacted) are former customers,” he added. “That would imply they were using former customer data on this test network, which makes sense to do that, it’s been a long time that they’ve had that data.”
Jason said he had been stalked in the past, making him particularly concerned about a data breach of this kind, and says he even has a suppressed address on his driver’s licence.
Now he’s worried that his licence number and address have still been leaked in the hack and could be bought by his stalker.
In the next few days, Home Affairs and Cybersecurity Minister Clare O’Neil is expected to rush through new legislation so that greater fines can be placed on Optus for the significant security breach.
She is also expected to be putting forward reforms that will allow financial institutions to be informed as quickly as possible when a data breach occurs.
There are also plans to increase the punishment for buying or selling stolen data to 25 years in prison.
Nick Savvides, chief technology officer APAC at cyber security company Forcepoint, is calling on the government to look to the European Union’s laws to stop what happened to Rachel and Jason from happening again.
He pointed to the General Data Protection Regulation (GDPR), adopted by the EU in 2016 and in force since May 2018 after a two-year transition period, which he said had a “right to be forgotten” provision that made the law the best in the world.
“As an EU citizen, I can say what information do you (a company) have on me, and then I can request you to delete it, and you must delete it,” Mr Savvides explained.
He also acknowledged that while customer data has to be stored for two years for criminal and national security investigations, it should be stored separately, and that data should not have been used for a testing system.
The data “should be kept off ‘production’ systems”, he said.
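As an added illustration of the separation Mr Savvides describes (this is example code written for this page, not Optus’s code and not anything the article describes Optus doing), the Python below offboards a departed customer two ways: the sentinel overwrite Rachel describes, which leaves the full record in production, and a proper offboarding that copies only an assumed legally-retained subset of fields into a separate, time-limited retention store and deletes the production record. The field names, the retained subset, the two-year period and the sample customer are all assumptions made for the example.

```python
from dataclasses import dataclass, asdict, replace
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed for illustration: which fields a telco must keep after an account
# closes, and for how long. Real obligations are set by legislation.
RETAINED_FIELDS = ("name", "dob", "address", "phone", "email")
RETENTION_PERIOD = timedelta(days=2 * 365)
SENTINEL_DOB = date(1901, 1, 1)  # the placeholder value described in the article

@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    dob: date
    address: str
    phone: str
    email: str
    id_document: str = ""  # licence or passport number

@dataclass(frozen=True)
class RetainedRecord:
    customer_id: str
    closed_on: date
    purge_after: date
    data: Dict[str, object]

class ProductionStore:
    """Live customer table: what applications, and any test system cloned from it, can see."""
    def __init__(self) -> None:
        self.customers: Dict[str, Customer] = {}

    def add(self, c: Customer) -> None:
        self.customers[c.customer_id] = c

    def find_by_phone(self, phone: str) -> List[Customer]:
        return [c for c in self.customers.values() if c.phone == phone]

    def pseudo_delete(self, customer_id: str) -> None:
        """Overwrite one field with a sentinel. Not deletion: the record and every other field remain."""
        self.customers[customer_id] = replace(self.customers[customer_id], dob=SENTINEL_DOB)

class RetentionStore:
    """Separate, access-controlled store holding only the retained subset, each record
    with its own expiry. Not reachable from production or test systems."""

    def __init__(self) -> None:
        self.records: Dict[str, RetainedRecord] = {}

    def archive(self, c: Customer, closed_on: date) -> RetainedRecord:
        data = {k: v for k, v in asdict(c).items() if k in RETAINED_FIELDS}
        rec = RetainedRecord(c.customer_id, closed_on, closed_on + RETENTION_PERIOD, data)
        self.records[c.customer_id] = rec
        return rec

    def lawful_lookup(self, customer_id: str, today: date) -> Optional[Dict[str, object]]:
        """Answer an authorised request only while the record is within its retention period."""
        rec = self.records.get(customer_id)
        return None if rec is None or today > rec.purge_after else dict(rec.data)

    def purge_expired(self, today: date) -> int:
        expired = [cid for cid, r in self.records.items() if today > r.purge_after]
        for cid in expired:
            del self.records[cid]
        return len(expired)

def offboard(prod: ProductionStore, ret: RetentionStore, customer_id: str, closed_on: date) -> RetainedRecord:
    """Copy the retained subset out, then remove the customer from production entirely."""
    rec = ret.archive(prod.customers[customer_id], closed_on)
    del prod.customers[customer_id]
    return rec

def sample_customer() -> Customer:
    # Constructed sample data, not a real person.
    return Customer("C-1", "Sample Customer", date(1980, 6, 15), "1 Example St",
                    "0400000000", "sample@example.com", id_document="LIC-000000")

def compare_approaches() -> Dict[str, object]:
    closed = date(2018, 3, 1)
    # 1. Sentinel overwrite: the record is still found by phone number, licence number intact.
    prod = ProductionStore()
    prod.add(sample_customer())
    prod.pseudo_delete("C-1")
    hit = prod.find_by_phone("0400000000")
    # 2. Offboarding: production is purged; the retention store answers only until expiry.
    prod2, ret = ProductionStore(), RetentionStore()
    prod2.add(sample_customer())
    rec = offboard(prod2, ret, "C-1", closed)
    after_expiry = closed + RETENTION_PERIOD + timedelta(days=1)
    return {
        "sentinel_still_found": len(hit) == 1 and hit[0].id_document == "LIC-000000",
        "left_in_production": len(prod2.find_by_phone("0400000000")),
        "retained_fields": sorted(rec.data),
        "lookup_in_period": ret.lawful_lookup("C-1", closed + timedelta(days=365)) is not None,
        "purged": ret.purge_expired(after_expiry),
        "lookup_after_expiry": ret.lawful_lookup("C-1", after_expiry),
    }
```

Calling `compare_approaches()` shows the contrast: after the sentinel overwrite the customer is still returned by a phone-number search with the licence number untouched, whereas after offboarding the production search returns nothing, the retention copy carries only the retained fields (no ID document), answers an authorised lookup inside the period, and disappears once `purge_expired` runs past the expiry date. Because the retention store is a separate system, cloning production into a test environment never copies ex-customer data along with it.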
Victims of Optus data hack are now receiving text messages from hackers demanding $2000AUD be paid into a CBA bank account, with threats their data will be sold for “fraudulent activity within 2 days.” @9NewsAUS pic.twitter.com/J57inlyyut
— Chris O'Keefe (@cokeefe9) September 27, 2022
On Monday, Optus said it would offer some customers a 12-month subscription to the credit monitoring service Equifax Protect.
“The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost,” the company said in a statement.
Optus said no passwords or financial details had been compromised in the hack, which exposed other personal information of up to 9.8 million current and former customers dating back to 2017.
Law firm Slater and Gordon has revealed it is considering a class action against Optus over what was “potentially the most serious privacy breach in Australian history”.
Slater and Gordon senior associate Ben Zocco said all legal options were being considered.
“This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed,” Mr Zocco said.
“We consider that the consequences could be particularly serious for vulnerable members of society, such as domestic violence survivors, victims of stalking and other threatening behaviour, and people who are seeking or have previously sought asylum in Australia.”
Jason has already registered his interest in the class action probe while Rachel plans to sign up in coming days.
Optus customers who may have had their data stolen are urged to:
• Be careful of possible scam calls, text messages and emails;
• Consider strengthening password and other online security measures; and
• Be on the lookout for more information from Optus in the coming days.
* Names withheld over privacy concerns
If you have been impacted by the Optus data breach, email alex.turner-cohen@news.com.au.