The government has stepped up pressure on Optus to immediately hand over information about the people whose data was compromised in the hack of the telecommunications giant.
Optus has also been bluntly told that email alone is insufficient to inform the more than 10,000 people whose data the hacker uploaded to the internet so that it can be widely shared.
Government Services Minister Bill Shorten and Cyber Security Minister Clare O’Neil said the government needed all the information on those who had used Services Australia credentials for identification so that action could be taken to protect them.
Services Australia wrote to Optus on September 27 to ask for details of affected customers who had used Medicare cards, Centrelink concession cards and the like.
It would use this information to take additional security measures for affected customer files and to prevent further fraud.
But on Sunday morning, Optus had not yet supplied the requested material.
Shorten told a joint press conference with O’Neil that he understood Optus might have a legal strategy, but “the first priority must certainly be to protect Australians.
“I don’t know why they’re not on the phone every few hours to tell us how it’s going, to get the data ready in a form we can use.
“The drawbridge has to go down.”
O’Neil said she was most concerned about the 10,200 people whose records had been briefly online, stating that Optus had not informed them adequately.
“Optus has announced that they have informed those people by email. But that is simply not enough under these circumstances.
“We will have to go through a process to talk directly to those 10,200 people.”
O’Neil said she spoke to both Optus and the Australian Federal Police on Sunday morning.
She had told Optus, “an email wouldn’t make it here.
“These are 10,200 people whose data is somewhere on the air and we don’t know where and we don’t know who has it.
“I spoke to the Australian Federal Police Commissioner a number of times this morning and asked the two organizations to work together to agree on what additional communication efforts should be made with regard to those specific people.”
O’Neil criticized legislation passed by the former government to protect cybersecurity.
“A series of laws have been passed that were intended to provide comprehensive cybersecurity reform.
“The instructions on the label told me that these laws would give me all the powers I would need in a cybersecurity emergency […] I can tell you those laws were absolutely useless to me when the Optus case came on foot.”
She signaled no specific reforms. But “we don’t have the proper laws in this country to manage cybersecurity emergencies, and this is something we need to look at.”
She pointed to the need to notify customers in a timely manner when their data has been breached. This was just one of many things the federal government should be able to do in a situation like Optus’s.
Attorney General Mark Dreyfus said companies should not keep personal information forever, indicating urgent action is needed on privacy.
“Maybe before the end of the year I’ll bring reforms to the Privacy Act to try to toughen the penalties and get companies to think harder about why they’re storing Australians’ personal data,” he told ABC.