Time for Optus to be transparent, says Cyber Security Minister Clare O’Neil
Clare O’Neil tells Optus an email to 10,200 current and former customers whose private data was made public is ‘not sufficient’, foreshadows cybersecurity law changes.
Cyber Security Minister Clare O’Neil has urged Optus to be transparent about how many of its current and former customers have had their identity documents compromised, 11 days after the telecommunications giant fell victim to Australia’s largest ever cyber attack.
Speaking in Melbourne on Sunday, Ms O’Neil foreshadowed changes to cybersecurity laws, and said she had earlier spoken to Optus CEO Kelly Bayer Rosmarin.
“There are ways in which Optus is collaborating with the federal government and I thank them for that. I am grateful that Optus has agreed, at our request, to provide credit monitoring to the Australians who are most affected by the breach,” Ms O’Neil said, noting that Optus has been engaging with technical professionals within government, and the Australian Federal Police.
“What I would like to say today to Optus is that transparency and accountability are paramount here. It is crucial that everyone who has been affected by this breach is properly notified of that,” she said.
“We would like Optus to be transparent about the numbers of people who have had specific identity documents compromised, and that information has not yet been provided.
“I would like Optus in particular to make sure that the 10,200 people whose data has already been made available briefly online know that that has occurred.
“Optus have advised that they have told those people. An email is simply not sufficient under these circumstances, and they will need to go through a process of directly speaking with those 10,200 individuals, and Optus needs to take up the mantle here to ensure that people are aware when they are directly at risk, as those people are.”
‘An ad is not a strategy’: Shorten
Government Services Minister Bill Shorten similarly called for Optus’s “full and transparent co-operation”, saying Optus still had not responded to a request made by Services Australia on Tuesday for the company to identify customers who had used Medicare or other Centrelink information in applying for phone plans.
“I understand that Optus is trying to do its best now to fix up some of the problems that have been created, but we call upon Optus to understand that this breach has introduced systemic problems for 10 million Australians in terms of their personal identification,” Mr Shorten said.
“Business as usual, motoring along in third or fourth gear is not enough. We’re asking Optus to upgrade their transparency.
“I acknowledge that they had a full-page newspaper ad in the paper on the weekend, but an ad is not a strategy. An ad is not a plan.
“It’s been 11 days since the breach. It is peculiar that we still cannot identify who, for example, used the Medicare information and number for identification. We need this not tomorrow or the next day, we really needed it days ago.
“We want to protect Australians’ information and that is held by the government, we want to prevent further fraud, and we seek Optus to step up its communication and transparency with government.
“Now is not a time to listen to the lawyers and the damage control merchants, now is the time to take the high road, embrace work with us in all areas … It’s now a matter of protecting Australians’ privacy from criminals.”
‘Time for Australians to be vigilant’: O’Neil
Ms O’Neil warned Australians to be on the lookout for “dodgy” emails, calls and text messages and report anything suspicious to cyber.gov.au.
“This is a time for real vigilance for Australians. We should not be in the position we’re in, but Optus has put us here, and it’s really important now that Australians take as many precautions as they can to protect themselves against financial crime,” she said.
Ms O’Neil said she had spoken with the head of the Australian Signals Directorate and Australian Cyber Security Centre on Sunday morning.
“I have advised previously that the Australian Signals Directorate is working with other Australian telecommunications providers,” she said.
“This is really important, because what we’ll often see around the world is cyber security breaches come in sets, and we are doing a lot of work with telecommunications providers to ensure that their networks are free of vulnerabilities, and that work is progressing very well.”
Ms O’Neil said the AFP had established Operation Hurricane, aimed at finding the person or people responsible for the data breach, and Operation Guardian, focused on the 10,200 current and former Optus customers whose data has already been made available online.
“I want to make sure that Australians understand that 10,200 people have already had their data in some way shared on the internet,” she said.
“Optus have advised me that they have advised those 10,200 people who they are, and I want to say to those people that I would advise you and the Australian government’s advice to you, is if you have been told you are the subject of that particular part of the breach, you should proceed immediately to cancel relevant identification cards, to cancel your passport and do whatever else is needed to make sure that you are getting fresh identity documents based on the email that was provided to you.”
Current cyber security laws ‘absolutely useless’
Ms O’Neil signalled the government would look at reforming cyber security laws, saying laws passed by the previous Coalition government had been “absolutely useless”.
“The instructions on the label told me that these laws would provide me with all of the powers that I would need in a cyber security emergency incident to make sure that we can repair the damage, and I can tell you that those laws were absolutely useless to me when the Optus matter came on foot,” she said.
“I’m not flagging any specific directions for reform, but I simply note that we do not have the right laws in this country to manage cyber security emergency incidents and this is something that we are going to need to look at.
“We can’t foreshadow exactly what the repercussions of any future cyber security incident could be, but what we do need is a federal government which has got the laws at its fingertips to make sure that we can do things: for example, mandating reporting to customers when their data has been breached within a certain time period.
“That is one of a whole plethora of things that I believe the federal government should be able to do in a situation like this. The laws that you’re referring to, were meant to help us with this, and I can tell you they have provided absolutely no use when we actually needed them.”
“We live in a digital age, cyber security issues are part of our lives now, and this incident is a huge wake up call to corporate Australia. It’s a wake up call for government too, and it’s a wake up call for everyday Australians.
“We need to undertake here a whole of nation effort of improving the security around data protection, around cyber security, so that we are better equipped in the 21st century for what will be, unfortunately, a recurring part of our lives.”
Coalition cyber security spokesman James Paterson defended the existing laws, but said the opposition would support any “sensible changes”.
“If the government believes that new evidence has come forward during the Optus attack and that changes to either of those (Coalition-enacted) acts are necessary to make them even stronger, well the opposition will be very constructive and bipartisan about that,” Mr Paterson told Sky News.
Opposition Home Affairs spokeswoman Karen Andrews hit back at Ms O’Neil for a “lack of direction” on cyber security reform, saying it was “not good enough”.
Ms Andrews has introduced a private members’ bill to crack down on cyber criminals. It includes a new stand-alone offence for cyber extortion and tougher penalties for those preying on vulnerable Australians online.
“The opposition provided an example of legislation on a silver platter last week with the introduction of a private members bill on ransomware,” Ms Andrews told The Australian.
“While the Labor government flounders by providing no alternative legislation while blocking laws previously introduced to parliament. The Minister needs to explain what she is doing to protect Australians.”
Optus has been contacted for comment.