NewsBite

Optus, government rift deepens as telco launches internal review

Senior ministers accused the company of failing to hand over Medicare and Centrelink data despite privately giving it a deadline that had yet to expire.

2.1 million Optus customer's ID's compromised

Senior Albanese government figures accused Optus of not co-operating in handing over details of compromised Medicare and Centrelink data despite having given the telco a Tuesday deadline to provide the information.

In an escalation of tensions between the government and the company, Government Services Minister Bill Shorten suggested on Sunday that Optus was not moving fast enough to provide details of some 37,000 Medicare numbers exposed by the breach.

“We need this, not tomorrow or the next day, we really needed it days ago,” Mr Shorten said.

Privately, the accusation was met with alarm at Optus, which was working to the October 4 deadline given to the company by Services Australia in a letter sent in late September.

On Monday, Optus said it had engaged Deloitte to conduct an investigation into its security systems, controls and processes – although it will not release the review publicly once it is complete.

In an interview, Optus chief executive Kelly Bayer Rosmarin denied there was a rift with the government and said her embattled telco was co-operating fully with all requests for information.

Optus CEO Kelly Bayer Rosmarin addresses customers in a video. Picture: Supplied
Optus CEO Kelly Bayer Rosmarin addresses customers in a video. Picture: Supplied

“We are working very closely and collaboratively at the working level with all aspects of government, including more than 20 different governments and licensing authorities,” she said.

“We’re being open and transparent along the way. The (Office of the Australian Information Commissioner) has the full breakdown of data so I don’t think there’s any issue with us being focused on our customers, communicating with customers, and making sure that the government has what it needs to help us in our mission to protect customers.”

Optus CEO Kelly Bayer Rosmarin in Bowral with her husband Rodney Rosmarin, pictured for the first time since the Optus hack. Picture: Liam Mendes
Optus CEO Kelly Bayer Rosmarin in Bowral with her husband Rodney Rosmarin, pictured for the first time since the Optus hack. Picture: Liam Mendes

Her comments came only hours after Environment Minister Tanya Plibersek became the latest senior government figure to criticise the company, attacking the “lack of communication”.

“It’s extraordinary we don’t have any Medicare numbers or Centrelink numbers that may have been compromised,” she said.

Government sources said they expected Optus to deliver the requested data by Tuesday morning, in line with the deadline originally given to the company.

The breach, disclosed on September 22, is the largest in Australian history and exposed personal information from 10 million customers. Of those, some 2.8 million customers had passport, driver’s licence and phone numbers, email and home addresses and dates of birth compromised.

Optus on Monday said 1.2 million customers would need to have their licences or passports updated, and all those customers had now been contacted. Some 900,000 customers with expired identity information may also need to take action, though Optus is still working to determine whether that’s the case.

Many Optus customers say they are still to receive communications about the breach and whether they’ve been impacted.

Ms Bayer Rosmarin said she was not aware of any misuse of customer data so far. “To our knowledge, the only information that has been leaked is the 10,000 names (online) and the Australian Federal Police is investigating that and has launched Operation Guardian to safeguard those customers,” she said.

“Aside from that, which was on the web for a few hours, we are not aware of any other surfacing or use of this information.”

Optus is facing at least two potential class action lawsuits from customers. Its parent company, Singapore-listed Singtel, on Monday said it would “vigorously defend” any claim. “While no legal notice of a class action has been received, lawyers have been engaged to advise. Any class action will be vigorously defended.”

Rachael Falk, chief executive of Cyber Security Co-operative Research Centre, said it was clear that Optus either didn’t know which data had been stolen or didn’t want to make it known – or a combination of both.

“It’s a question that everyone has on their lips and it seems somewhat strange, if not crazy, we’ve got ministers on a Sunday publicly saying they haven’t the data yet,” Ms Falk told ABC Breakfast on Monday.

“But it would appear the pressure is on Optus to provide that information and to be working day and night to sort through potentially what has been taken or what they think has been taken. But I suspect they’re still working through the incident.”

The Australian Federal Police is working to protect the most vulnerable customers, believed to be more than 10,000 people, as part of Operation Guardian. Optus has also agreed to pay the costs of replacing passports that were compromised in the telco’s data breach, following demands from the government.

Add your comment to this story

To join the conversation, please Don't have an account? Register

Join the conversation, you are commenting as Logout

Original URL: https://www.theaustralian.com.au/business/companies/optus-launches-independent-review-into-breach/news-story/29fed73911740cb14b8b0dac5ace3962