Cyber Security Minister Clare O’Neil has blamed Optus for the massive leak of the personal data of millions of Australians, as the federal government prepares to unveil new cybersecurity protections.
Ms O’Neil is expected to announce the measures after she said changes were needed to how companies protected customer data and urged Optus to offer free services to monitor customer accounts for fraud.
“Responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” Ms O’Neil told Parliament on Monday, in her first major statement since Optus revealed the leak last week.
“A very substantial reform task will emerge from a breach of the scale and size and there is a number of policy issues that I think the public will soon become quite aware of.
“One significant question is whether the cyber security requirements in place for large telecommunications providers in this country are fit for purpose. I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.”
Within an hour of Ms O’Neil’s statement to Parliament, Optus said it would offer the most affected current and former customers a free 12-month subscription to a credit monitoring and identity protection service.
“No passwords or financial details have been compromised,” the company said in a statement.
Optus revealed last Thursday it had been the target of a cyber attack that exposed the personal information of up to 9.8 million Australians, including details such as driver’s licence and passport numbers.
Optus said it had emailed or texted all customers who had identification documents compromised in the cyber attack.
“We continue to reach out to customers who have had other details, such as their email addresses, illegally accessed,” it said.
Payment details and account passwords have not been compromised.
However, the company has warned customers to be particularly vigilant about suspicious text messages and emails in coming weeks.
“Optus will not be sending links in any emails or SMS messages to you,” it said in an email.
“If you receive one asking you to visit a link, it may be a scammer. Never click on any links that look suspicious, and don’t provide your passwords or any personal or financial information in these instances.”
Last week, it emerged that someone who claimed to have the Optus data had said it would be sold on the dark web unless the company paid it $US1 million ($A1.53 million) in cryptocurrency.
Global IT security expert Jeremy Kirk told the Seven Network he found the ransom note and was worried about what might happen if the hacker’s demands were ignored.
“It could be used for a variety of scams and the effects could last years,” he said.
“It could affect our credit record for years if people try to take out loans in their name.”
On Monday, Prime Minister Anthony Albanese described the leak as a “huge wake-up call”. He said new protections would mean banks and other institutions would be informed much faster when a breach happened so personal data could not be used.
“This is a huge wake-up call for the corporate sector in terms of protecting the data,” he told Brisbane radio 4BC on Monday.
“We know in today’s world there are actors – some state actors but also some criminal organisations – who want to get access to people’s data.”
Also on Monday, opposition home affairs spokeswoman Karen Andrews introduced a bill to parliament to crack down on cyber criminals.
The bill includes a standalone offence for cyber extortion and introduces tougher penalties for those preying on vulnerable Australians online.
Cybercriminals who use ransomware would face 10 years in prison, while those targeting the country’s critical infrastructure would face a maximum 25 years.
“It’s designed to disrupt and deter cybercriminals who engage in ransomware and cyber extortion activities targeting Australians and Australian businesses,” Ms Andrews told parliament on Monday.
“It hits the cybercriminals where it hurts the most and that’s in their hip pocket. These are all sensible measures that will create a greater deterrence and therefore reduce the incidence of ransomware attacks.”
The opposition has accused the government of dropping the ball on cybersecurity.
Spokesman James Paterson criticised Ms O’Neil’s response to the news of the attack and said Optus “owed their customers a full explanation and a genuine apology”.
“It’s appropriate that when there’s an investigation going on that they follow the AFP’s advice but that should not be used as an excuse not to be completely up front with the public about how this happened and who’s responsible for it, when those facts are known,” he said.
Ms Andrews also hit out at the government for overhauling federal cyber security strategies.
“Why would you say you’re getting rid of something when you don’t know what you’re going to replace it with?” she said.
“Cyber criminals are coming up with new ways every day to use malware and, specifically, ransomware to do us real and long-lasting harm.”