The federal government has called on Optus to “step up” its handling of the major data breach, saying it still has not provided government agencies with critical information about customers who had their Medicare or Centrelink details exposed.
- The Government Services Minister says Optus has failed to hand over data to the government five days after it requested it
- The Home Affairs Minister said Australia does not have the laws necessary to manage cyber security emergency incidents
- The Opposition says it would be open to bigger fines under the privacy act
The cyber attack occurred almost a fortnight ago, with the names, birthdates, phone numbers, healthcare and passport details of up to 9.8 million Australians potentially compromised.
Government Services Minister Bill Shorten said Services Australia wrote to Optus on September 27, asking for the full details of all affected customers whose Medicare and Centrelink details were leaked.
But he said in the five days since that request, Optus has failed to hand over that data to the government.
“The drawbridge needs to come down,” he said.
“We know that Optus is trying to do what they can, but having said that, it’s not enough.
“It’s been 11 days since the breach — it’s peculiar that we still can’t identify who for example used their Medicare information — their number — to be able to get identification.”
The government said Services Australia would use the information to place additional security measures on the records of affected customers.
“We need this not tomorrow or the next day, we really needed it days ago,” Mr Shorten said.
“We want to protect Australians’ information that’s held by government, we want to prevent further fraud and we seek Optus to step up its communication and transparency with government.”
Cyber Security Minister Clare O’Neil also criticized Optus for only contacting the 10,200 people whose data was leaked online by email.
“It is crucial everyone who has been affected by this breach is properly notified of that,” she said.
“An email is simply not sufficient under these circumstances,” she said.
In a statement, Optus said the company was working “very closely” with federal, state and territory agencies to “determine which customers are required to take any action”.
“We continue to seek further advice on the status of customers whose details have since expired,” Optus said.
“Once we receive that information, we can notify those customers.
“We continue to work constructively with governments and their various authorities to reduce the impact on our customers.”
Coalition’s critical infrastructure laws ‘useless’: Home Affairs Minister
Ms O’Neil, who is also Home Affairs Minister, also criticized the former Coalition government’s 2018 laws designed to protect critical infrastructure.
“The instructions on the label told me that these laws were going to provide me with all of the powers that I would need in a cyber security emergency incident, to make sure we can repair the damage,” she said.
“I can tell you those laws were absolutely useless to me when the Optus matter came on foot.
“We don’t have the right laws in this country to manage cyber security emergency incidents, and this is something we are going to need to look at.”
Shadow Cyber Security Minister James Paterson said the Coalition was open to discussing changes to both those laws and telecommunications security legislation.
“If the government believes that new evidence has come forward during the Optus attack and that changes to of those acts is necessary to make them even stronger, well the opposition will either be very constructive and bipartisan about that of course,” he told Sky News .
“We’ll support any sensible changes that the government brings forward.”
Earlier, Attorney-General Mark Dreyfus told the ABC’s Insiders he would review Australia’s privacy laws to stop companies retaining a large amount of personal data for a long time.
“Companies throughout Australia should stop regarding all of this personal data of Australians as an asset for them, they actually should think of it as a liability,” he said.
“This is a wakeup call.”
Senator Paterson said while he believed Optus would be up for millions of dollars of fines under the Privacy Act, the Opposition would also be open to increased fines for breaches.
“We do want to make sure that major companies in Australia are taking this very seriously because they do have a very important responsibility to their customers” he told Sky News.