Albanese insists Optus pay for passports as hack reveals legal holes
By Nick Bonyhady, Matthew Knott and Anna Patty
The government will overhaul the nation’s cybersecurity and privacy laws as the Optus hack of almost 10 million people reveals how metadata laws can be used to let telecommunications firms bank huge amounts of customers’ personal data.
Indicating fines for major data breaches will form part of the government’s response to the hack, Prime Minister Anthony Albanese said there needed to be “clear consequences” when companies failed to appropriately secure customer data.
“Clearly, we need better national laws after a decade of inaction to manage the immense amount of data collected by companies about Australians,” Albanese told parliament on Wednesday.
“We are dealing with this issue, we know that it does need to be dealt with and we know that this has been an absolute priority for Australians.”
Optus revealed on Wednesday evening that almost 37,000 Medicare numbers were exposed in the hack, with 22,000 of those expired, and said affected people could replace them through Services Australia.
Medicare numbers usually only change by one digit with a new card, although Optus has said customers should be reassured their medical data cannot be accessed with a number alone. It said customers with active cards would be contacted within 24 hours and those with expired cards in the coming days.
Foreign Minister Penny Wong on Wednesday wrote to Optus boss Kelly Bayer Rosmarin saying there was a serious risk passport holders exposed in the hack could be subject to criminal exploitation, including through fraud and identity theft.
The opposition had been pushing for the government to issue passports for free but the prime minister put the burden on Optus.
“We believe Optus should pay, not taxpayers,” Albanese said, adding the breach was “caused by Optus and their own failures”.
Experts have identified the amount of data stored by Optus as a central issue.
The law requires phone companies to keep names, addresses and “other information used by the service provider for the purposes of identifying the subscriber” of customers while their account is active and for two years after to help authorities trace crimes.
It does not demand that companies keep passport, driver’s licence and Medicare numbers, but a spokesperson for the attorney-general’s department said the law did not specify what “other information” companies must collect. Experts believe Optus may have relied on that ambiguity to justify keeping the data, though it does not explain why the company appeared to retain the numbers for years after customers left.
Alastair MacGibbon, a former head of the government’s top cyber agency, said he agreed telecommunications customers should be required to prove their identity, saying it served as a “vital investigative tool” for law enforcement agencies.
But he said companies should avoid holding on to sensitive data for longer than required and called for the government to provide greater clarity about how much customer data companies have to store and for how long.
“Data is like asbestos — you really don’t want to hoard this stuff,” he said. “It’s nasty.”
Bayer Rosmarin said on Friday that “the reason that we hold on to customer data for a period of time is that it is the law. We have to be able to go back in our records for six years and so we do hold information for the required length of time.”
Asked which laws Bayer Rosmarin was referring to, an Optus spokesman said it was the metadata law and also “the more general requirements that apply to data retention”. The company has previously emphasised it is working with governments to help affected customers but made no public commitment to pay for passports.
Associate Professor Rob Nicholls, an expert in telecommunications regulation at UNSW, said a telco could claim it was keeping personal identification data under the metadata laws to show it was properly identifying customers.
It could also argue that it should retain the data for years after accounts were closed in an effort to satisfy audit requirements. But, Nicholls said, “that’s a horrible answer” and created a honeypot for hackers.
Tony Forward, a former chief information officer of billion-dollar companies including QBE Insurance, said Optus did not need to keep the document numbers after consumers signed up. “If you don’t retain the data, you can’t lose it to criminals,” Forward said.
Home Affairs Minister Clare O’Neil stood by her earlier criticism of Optus in an A Current Affair interview on Wednesday night but would not say whether she thought Bayer Rosmarin should resign.
“There are companies that have held themselves out to be experts in cybersecurity who are failing on these types of attacks,” O’Neil said.
Labor MP Peter Khalil, chair of the powerful parliamentary joint committee on intelligence and security, said Optus needed to accept responsibility for the data breach but that the previous government had not turned on extra cybersecurity rules for telecommunications companies.
“We need to get those laws up to scratch,” he said.
State governments have moved to let people affected by the hack replace their driver’s licences, but customers in NSW are concerned about the level of protection this will provide because the licence number often used to check their identity would not change.
Customer Service Minister Victor Dominello confirmed that Optus customers who apply for a new licence will only get an updated card number and expiry date to avoid a longer process.
Dominello said the new expiry date and card number would offer extra protection because those two details would be different to those on their old licence. He said banks that did not check the card number and expiry date were putting their institution and customer security at risk.
One inner west Sydney resident was not reassured, saying “my concern is that my driver’s licence number remains the same as the number leaked to the hacker. Service NSW provides no option to get a new driver’s licence number.”
Optus said on Tuesday that where the NSW government determines that a licence should be replaced, Optus would be contacting those customers in coming days.
However, Dominello said that was “news to me” because Optus held the data about its customers and had given an undertaking to notify those who will require a licence replacement.
The Coalition’s foreign affairs spokesman Simon Birmingham and cybersecurity spokesman James Paterson said in a statement that the government had been slow and inconsistent on the hack, pointing out a departmental site had initially told Australians “if you choose to replace your passport, you’ll have to pay”.
“Immediate action should be taken to guarantee victims the opportunity to obtain a new passport now without charge, while terms to cover costs are negotiated with Optus,” Birmingham and Paterson said. “This government needs to learn to walk and chew gum at the same time.”