‘Drawbridge needs to come down’: Government says Optus must show more transparency
By Simone Fox Koob and Nicole Precel
The federal government says Optus still has not provided government agencies with full details of customers who had Medicare or Centrelink details exposed by the data breach and has accused the telco of a lack of transparency and accountability.
Cybersecurity Minister Clare O’Neil and Government Services Minister Bill Shorten on Sunday said Services Australia, which is responsible for the delivery of government payments and services, had written to Optus on September 27 asking for the details of customers whose Medicare or Centrelink details were exposed.
“To date, there have been no impacted customer details provided by Optus in relation to this request,” the government said in a statement.
“In the face of a breach on an unprecedented scale in Australia, Optus needs to come together with the Australian government to be part of the solution.”
Services Australia needs the information so it can place additional security measures on affected customer records and prevent future fraud, the ministers said.
In the Optus data breach, the names, birthdates, phone numbers, addresses, passport, healthcare and driver’s licence details of 9.8 million Australians were stolen by an anonymous hacker.
O’Neil, who spoke to Optus chief executive Kelly Bayer Rosmarin on Sunday morning, said the telecommunications provider needed to do more to help the 10,200 people whose data had already been shared by the hacker on the internet.
“Optus have advised me this morning that they have contacted the 10,200 people. I gave very clear feedback to Optus that an email was not going to cut it here.
“We are going to need to go through a process of directly speaking with those 10,200 individuals and Optus needs to take up the mantle here to ensure that people are aware when they are directly at risk.”
An Optus spokesman said they had been working closely with government agencies on a federal and state level to determine which customers were required to take any action.
“We continue to seek further advice on the status of customers whose details have since expired,” he said.
“Once we receive that information, we can notify those customers. We continue to work constructively with governments and their various authorities to reduce the impact on our customers.”
Asked whether she had confidence in Optus’ leadership team, O’Neil said she did not think it was helpful for the Australian government to be expressing a view on who should be running Australia’s biggest companies.
O’Neil is considering compelling companies to report data breaches and reconnect services after a hack as part of changes to cybersecurity legislation, saying current laws were “bloody useless” in dealing with the Optus attack.
Shorten, who is responsible for government services, called for “full and transparent co-operation” from Optus with the Australian government. About 36,900 Medicare numbers are believed to have been accessed by the hacker.
“We seek Optus to step up its communication and transparency with government. Now is not a time to listen to the lawyers and the damage-control merchants. Now is the time to take the high road, embrace and work with us in all areas as they’ve been doing in some, [to] further extend that co-operation,” he said.
“I don’t think we should have to necessarily write to Optus to say, ‘Please, we want to protect government data which people have given’. I think there should be more initiative displayed by Optus to provide us; this shouldn’t be a game of whack-a-mole where we work out what the problem is and then we go to the corporation and say help us stop the problem.
“The drawbridge needs to come down.”
Opposition cybersecurity spokesman James Paterson told Sky News on Sunday the opposition was open to “sensible changes” to cybersecurity laws.
“We do want to make sure that major companies in Australia are taking this very seriously,” he said.
The head of the corporate regulator, Joseph Longo, said the hack served as a classic wake-up call for companies and responsibility for cybersecurity started at the top.
“It’s a whole-of-economy issue, cyber risk management is core business for any company or institution in Australia. And it’s a fundamental obligation that starts at the top of the house, at the board of directors,” said the chair of the Australian Securities and Investments Commission.
“Obviously the IT department plays a key role in helping companies comply, but you can’t just leave it to the IT department. It’s up to the leadership of the institution or company to really place the right level of importance and frankly resources and attention to this subject.
“ASIC will continue to prioritise consideration of directors’ compliance with their duties in this regard.”
He said the data breach could have happened to a range of entities in Australia.
“The capability of hackers is extraordinary, and the resources required and the investment required to repel their efforts to disrupt companies and institutions has to be maintained.”
He said it was one of the top risks any company in the country should be focusing on.