Optus hack leads to huge cyber-security law changes

The federal government has announced sweeping changes to cyber-security laws in the wake of the devastating Optus hack.

Under the new laws telecommunications companies, such as Optus, will be able to share data more easily with financial bodies and government to prevent cyber-crime.

The changes will be for the ‘sole purpose of protecting consumers’, Communications Minister Michelle Rowland said at a joint press conference with Treasurer Jim Chalmers on Wednesday.

Ms Rowland said the new laws will allow ‘telcos to better coordinate with financial institutions to detect and mitigate the risks of malicious activity, including ID theft and scams’.

The new information-sharing arrangement would only apply to financial bodies regulated by financial watchdog the Australian Prudential Regulation Authority (APRA).  

‘Information can only be used for the sole purposes of preventing or responding to cyber security incidents, fraud, scam activity or identity theft,’ Ms Rowland said.

‘The approved recipients must satisfy very robust information security requirements and protocols for the transfer and storage of data.

‘And information received must be destroyed when it’s no longer required.’

To prevent fraud telcos will also be allowed to share ‘limited information’ about customers with Government agencies, such as Services Australia. 

‘What this is all about is to try and reduce the impact of this data breach on Optus customers and to enable financial institutions to implement enhanced safeguards and monitoring,’ Ms Rowland said.

Mr Chalmers echoed Ms Rowland’s assurances that the shared data would be kept safe and only used for the purpose of preventing identity fraud.

‘We’ve worked really closely with the industry, with APRA, the ACCC, the Information Commissioner and other agencies to ensure that we can facilitate as best we can the safe and secure sharing of data between Optus and regulated financial institutions,’ Mr Chalmers said.

‘They’ve (the new laws) been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available temporarily to prevent and respond to cyber security incidents, fraud, scams and related activities.’

Mr Chalmers said banks and other financial institutions have been proactive in limiting the damage of September’s massive Optus security breach, which saw personal information stolen from around 10 million of the telco’s customers.

Banks and other financial bodies had ‘put in place heightened controls to protect their customers’ and the new laws would ‘build on those’ to allow heightened monitoring and added safeguards. 

The information that could be more readily shared was ‘government identifier’ data, Mr Chalmers said, such as driver licence, Medicare and passport numbers.

Names, addresses, dates of birth or other personal information would not be shared.

To receive the information, institutions would need to make ‘undertakings in writing’ and meet privacy and information security laws.

‘They need to ensure that the information they’re seeking is necessary and proportionate,’ Mr Chalmers said. 

‘They need to satisfy robust security requirements and protocols for data transfer and storage, and they need to ensure that the information that they get is destroyed when it’s no longer required.’

Mr Chalmers said for security reasons the institutions that share data with Optus won’t be revealed. 

Optus has come under fire from government ministers for not being forthcoming with details on the data that was stolen.

The hacker leaked personal details of 10,200 customers online as part of a ransom demand, which they later suddenly withdrew, promising not to leak any more.

Ms Rowland said the US law enforcement agency the FBI had been recruited by the Australian Federal Police to help with the search to find the hacker.

She said there was a separate police operation to protect the 10,000 customers who had their information ‘released on the dark web’.

Government ministers lined up on Sunday morning to lay into Optus over its massive hacking scandal, blasting the company for not doing enough and saying that ‘sorry’ isn’t good enough.

Attorney-General Mark Dreyfus said he was yet to get an explanation of why Optus hoarded people’s sensitive personal information even after they left the telco, with data going back to 2017.

Cyber Security and Home Affairs Minister Clare O’Neil said that Optus had not done enough to alert those most at risk, the 10,200 people who had their details leaked online by the hacker.

‘Optus has advised it has told those people – an email is simply not sufficient under these circumstances,’ Ms O’Neil told a media conference.

‘We are going to need to go through a process of directly speaking to those 10,200 individuals.

‘Optus needs to take up the mantle here to directly ensure people are aware when they are directly at risk, as those people are.’

She said Optus had failed to provide the government with information on who and how many were at risk.

‘We would like Optus to be transparent about the numbers of people who have had specific identity documents compromised and that information has not yet been provided.’

The criticism was echoed by Services Minister Bill Shorten, who said his department had written to Optus on 27 September asking for details on all those who had had Medicare numbers or other Centrelink information stolen, but had as yet received no reply.

‘It’s been 11 days since the breach,’ he said.

‘It is most peculiar that we still can’t identify who has had their Medicare information number to be able to get their information.

‘We need this not tomorrow or the next day, we really needed it days ago.’

Mr Shorten acknowledged the Optus ad apologising to customers but said ‘business as usual’ and ‘motoring along in fourth gear’ was not enough.

‘An ad is not a strategy, an ad is not a plan,’ he said.

‘We’re asking Optus to upgrade their transparency.

‘Systemic risk has been injected into the Australian bloodstream about the privacy of (their) information. We know that Optus is trying to do what it can, but having said that, it’s not enough.’