Optus warned: ‘Don’t hide behind lawyers’

Optus management is under fire for failing to provide details to authorities of Medicare and Centrelink customers exposed by the company’s data leak.

Rachel Baxendale and Chloe Whelan

4 min read

9:51PMOctober 02, 2022

Bill Shorten says ‘we’re asking Optus to upgrade their transparency’. Picture: Liam Kidston

Optus management is under fire for failing to provide details to authorities of Medicare and Centrelink customers exposed by the company’s data leak with Government Services Minister Bill Shorten demanding executives get out from behind their lawyers and help protect people’s privacy from criminals.

Optus had still not responded to a request last Tuesday by Services Australia to detail customers who had used Medicare or Centrelink numbers as identity verification for phone services, he said.

“We call upon Optus to understand that this breach has introduced systemic problems for 10 million Australians in terms their personal identification,” Mr Shorten said.

“Business as usual, motoring along in third or fourth gear is not enough. We’re asking Optus to upgrade their transparency.

“I acknowledge that they had a full-page newspaper ad in the paper on the weekend, but an ad is not a strategy. An ad is not a plan.

“Now is not a time to listen to the lawyers and the damage control merchants, now is the time to take the high road, embrace work with us in all areas.

“It’s now a matter of protecting Australians’ privacy from criminals,” Mr Shorten said.

Cyber Security Minister Clare O’Neil said she had earlier spoken with Optus chief executive Kelly Bayer Rosmarin.

Cyber Security Minister Clare O’Neil. Picture: Martin Ollman

While she thanked the company for co-operating with elements of the government’s response to the hack, Ms O’Neil indicated Optus was taking too long to provide crucial information to customers and government agencies.

“We would like Optus to be transparent about the numbers of people who have had specific identity documents compromised, and that information has not yet been provided,” she said.

“I would like Optus in particular to make sure that the 10,200 people whose data has already been made available briefly online know that that has occurred.

“Optus have advised that they have told those people. An email is simply not sufficient under these circumstances, and they will need to go through a process of directly speaking with those 10,200 individuals, and Optus needs to take up the mantle here to ensure that people are aware when they directly at risk, as those people are.”

Ms O’Neil said the Australian Federal Police had established Operation Hurricane, aimed at finding the person or people responsible for the data breach, and Operation Guardian, focused on the current and former Optus customers whose data has already been made available online.

Ms O’Neil signalled the government would look at reforming cyber security laws, saying laws passed by the previous Coalition government had been “absolutely useless”.

“The instructions on the label told me that these laws would provide me with all of the powers that I would need in a cyber security emergency incident to make sure that we can repair the damage, and I can tell you that those laws were absolutely useless to me when the Optus matter came on foot,” she said.

10 million identities compromised by Optus breach

Attorney-General Mark Dreyfus indicated that the government was looking at measures to prevent companies holding private information for longer than necessary.

“I think that companies should not store information forever. That seems to been the case with Optus – keeping the very personal data of customers who had ceased to be customers years ago,” Mr Dreyfus told ABC TV.

“I have yet to hear a reason why that was going on, and Optus failed to keep the information safe,” he said.

“One of the settings in the Privacy Act is that information that belongs to Australians is only to be used for the purpose for which it’s collected.

“If the purpose here was to identify someone who is opening an account, or getting a phone from Optus, that’s the end of it.

“This is a wake-up call for corporate Australia.

“We will look very hard at the settings in the Privacy Act. I may be bringing reforms to the Privacy Act before the end of the year, to try to both toughen penalties and make companies think harder about why they are storing the personal data of Australians.”

Opposition Home Affairs spokeswoman Karen Andrews hit back at Ms O’Neil for a “lack of direction” on cyber security reform, saying it was “not good enough”.

Ms Andrews has introduced a private members’ Bill to crack down on cyber criminals. It includes a new stand-alone offence for cyber extortion and tougher penalties for those preying on vulnerable Australians online.

“The opposition provided an example of legislation on a silver platter last week with the introduction of a private members bill on ransomware,” Ms Andrews told The Australian.

“While the Labor government flounders by providing no alternative legislation while blocking laws previously introduced to parliament.

“The minister needs to explain what she is doing to protect Australians,” she said.

An Optus spokeswoman said that the company had been “working very closely with federal, state and territory government agencies to determine which customers are required to take any action”.

“We continue to seek further advice on the status of customers whose details have since expired,” the spokeswoman said. “Once we receive that information, we can notify those customers. We continue to work constructively with governments and their various authorities to reduce the impact on our customers.”