Optus hack: Telcos must keep customer data for at least two years after closing account

Millions more people could be exposed in Australia’s biggest ever data breach even if they’re not customers of Optus, as legal experts say victims could pursue legal action against the telecommunications giant.

As many as 11 million customers – both past and present – have potentially had their personal addresses, dates of birth, phone numbers, passport details and driver's licences stolen in the Optus cyber attack.

The telco giant only has about 5.8 million active users, with the remainder of the victims no longer with the service provider.

This is because under the Telecommunications (Interception and Access) Act 1979, companies like Optus must keep some customer data for at least two years after closing an account.

Experts fear millions of former customers, even those who only joined Optus for a brief time, may be exposed even if they joined as far back as 2017.

Simon Haddadim, an app developer, said he had been warned his data was part of the leak despite leaving Optus 12 months ago.

‘This is why the whole concept of a decentralised system is coming in,’ he told the Daily Telegraph on Monday. 

‘(Optus) shut down the system as soon as they discovered the cyber attack. Why aren’t they saying how long it took them to discover that?’

The legislation is in place to assist police investigations, but experts believe the practice is outdated.

Cybersecurity leader Susan McLean said the current data climate had drastically changed and storing information may no longer be safe. 

‘The data that is held should be the bare minimum. So once you have proven this is Billy Smith, do you really need to keep the passport number and driver’s license number?’ she said.

‘If the police need to find out who owns the number they have a name and address and it is not hard to find out their driver’s license and passport number.’
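The "verify, then keep only the bare minimum" approach Ms McLean describes can be made concrete in code. The following is an added illustration written for this page, not Optus's system or any code from the article; the `CustomerRecord` schema, the `verify_identity` and `purge_expired` functions and the constructed sample data are all hypothetical. The record keeps the outcome of the document check and a keyed fingerprint of the document number (enough to spot the same passport being reused across accounts), but never the number itself, and closed accounts are purged once the two-year window the article cites has passed.

```python
"""Verify-then-discard handling of identity documents, with retention expiry.

Added example for illustration only. The schema, function names and sample
records are assumptions, not code from Optus or from the article.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Iterable, List, Optional

# Server-side secret for the fingerprint. Generated at start-up here so the
# example runs offline; in a real deployment it lives in a KMS/HSM and is rotated.
# A keyed HMAC is used rather than a plain hash because passport and licence
# numbers have a small keyspace and an unkeyed hash could be brute-forced back.
_FINGERPRINT_KEY = secrets.token_bytes(32)

# Retention window after account closure, mirroring the period the article cites.
RETENTION_AFTER_CLOSE = timedelta(days=730)


def document_fingerprint(doc_type: str, number: str) -> str:
    """Keyed fingerprint of a document number (hex). Same input -> same output,
    so reuse of one document across accounts is detectable without storing it."""
    msg = f"{doc_type.lower()}:{number.strip().upper()}".encode()
    return hmac.new(_FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class CustomerRecord:
    """What the telco keeps. Note there is no field for the raw document number."""
    name: str
    address: str
    phone: str
    dob: date
    id_verified: bool = False
    id_doc_type: Optional[str] = None
    id_fingerprint: Optional[str] = None
    id_verified_on: Optional[date] = None
    closed_on: Optional[date] = None


def verify_identity(
    rec: CustomerRecord,
    doc_type: str,
    number: str,
    checker: Callable[[str, str], bool],
    today: Optional[date] = None,
) -> CustomerRecord:
    """Run the document check, then persist only the outcome and a fingerprint.

    `checker` stands in for the external document-verification service
    (hypothetical). The raw `number` is used for the check and the fingerprint
    and is never written to the record."""
    if not checker(doc_type, number):
        raise ValueError("identity document failed verification")
    rec.id_verified = True
    rec.id_doc_type = doc_type
    rec.id_fingerprint = document_fingerprint(doc_type, number)
    rec.id_verified_on = today or date.today()
    return rec


def record_leaks(rec: CustomerRecord, number: str) -> bool:
    """True if the raw document number appears in any stored string field."""
    needle = number.strip().upper()
    return any(
        isinstance(v, str) and needle in v.upper() for v in vars(rec).values()
    )


def purge_expired(records: Iterable[CustomerRecord], today: date) -> List[CustomerRecord]:
    """Return only records still inside the retention window: open accounts,
    plus closed accounts whose closure is no older than RETENTION_AFTER_CLOSE."""
    return [
        r for r in records
        if r.closed_on is None or today - r.closed_on <= RETENTION_AFTER_CLOSE
    ]


if __name__ == "__main__":
    # Constructed sample data, not real customers.
    always_ok = lambda doc_type, number: True
    rec = verify_identity(
        CustomerRecord("Billy Smith", "1 Example St", "0400000000", date(1990, 1, 1)),
        "passport", "PA1234567", always_ok, today=date(2022, 9, 26),
    )
    print(rec.id_verified, rec.id_fingerprint[:16], record_leaks(rec, "PA1234567"))
```

The design choice worth noting is the keyed fingerprint: it preserves the one operational reason to hold a document number (detecting the same document behind multiple accounts) while making a dump of the customer table useless for identity fraud, and because the key is held separately, rotating it invalidates every stored fingerprint at once.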

As many as 11 million Aussies have potentially had their personal addresses, dates of birth, phone numbers, passport details and driver's licences stolen in the Optus cyber attack (stock image)

Steven Georgantis, a candidate for the Australian People's Party, called for the government to bring in a new law which would force companies to delete customers' details after three months.

‘Optus has around 5.8 million active users, so the rest up to 10 million must be previous customers so why are they keeping the private details of 4.2 million previous users?’ he wrote on Twitter.  

The concerns come as a federal police investigation has been launched into the data breach.

Operation Hurricane has been established by the AFP to identify the people behind the hack, as well as prevent identity fraud of those affected.

Assistant Commissioner of Cyber Command Justine Gough admitted the investigation into the source of the data breach would be complex.

‘We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities,’ she said.

‘Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them.’

The task force will work with the Australian Signals Directorate, overseas police as well as Optus.

Ms Gough said customers should be more vigilant in monitoring unsolicited texts, emails and phone calls in the wake of the Optus breach.

‘The AFP will be working hard to explain to the community and businesses how to harden their online security because ultimately it is our job to help protect Australians and our way of life,’ she said.

Under the Telecommunications (Interception and Access) Act 1979, companies like Optus must keep some customer data for at least two years after closing an account

Home Affairs Minister Clare O’Neil launched a scathing attack on Optus in parliament.

Ms O’Neil said responsibility lay squarely at the feet of the telco giant and that the government was looking at ways to mitigate the fallout.

‘The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,’ Ms O’Neil said on Monday.

‘We expect Optus to continue to do everything they can to support their customers and former customers.’

The minister called on the telco to provide free credit monitoring to former and present customers who had their data stolen in the breach.

Prime Minister Anthony Albanese said the Optus data breach was a ‘huge wake-up call’.

Kylie Carson, a special counsel specialising in general compensation at Shine Lawyers, said if an Optus customer had a financial loss as a result of the data breach, they would potentially be able to pursue a claim

Meanwhile, Kylie Carson, a special counsel specialising in general compensation at Shine Lawyers, said if an Optus customer had a financial loss as a result of the data breach, they may be able to pursue a claim. 

‘To pursue a claim, it would have to be viable and you’d have to prove that Optus didn’t do enough and didn’t put sufficient things in place to protect your data,’ she told Daily Mail Australia.

Ms Carson added that something like human error on Optus's part could also give victims grounds to make a claim.

‘Optus is vicariously liable for the actions of their employees,’ she said.

Ms Carson herself was the victim of the data breach.

She added Optus was providing customers with ‘more questions than answers’ and urged people to stay vigilant.

Optus Director of Corporate Affairs, Regulatory and Public Affairs Sally Oelerich was left red faced when she told 2GB’s Chris Smith all affected Optus customers had been contacted by the telco – only for a woman to ring in and say that wasn’t the case

‘Everyone should be a bit cautious about the messages and texts they get sent, if it looks suspicious it probably is,’ Ms Carson added.

Optus on Monday announced the ‘most affected’ customers would be given a 12-month subscription to credit monitoring and identity protection service Equifax Protect. 

‘The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost,’ the company said. 

Equifax suffered its own massive data breach in 2017, with 147 million people in the United States affected. The data that was leaked included names, addresses, dates of birth, Social Security numbers and credit card numbers.

The breach was announced six weeks after it was discovered and led to a $425million settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories to help those affected.

Meanwhile a mysterious hacker claiming to be behind the breach has since demanded Optus hand over $1.5 million in ransom money in the form of the cryptocurrency Monero, or they will publish the data

Australian law firm Slater and Gordon on Monday said they were investigating a possible class action against Optus.

The firm’s senior associate Ben Zocco said they were assessing possible legal options for those caught in the cyber attack.

‘This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed,’ Mr Zocco said.

‘We consider that the consequences could be particularly serious for vulnerable members of society, such as domestic violence survivors, victims of stalking and other threatening behaviour, and people who are seeking or have previously sought asylum in Australia.

‘Given the type of information that has been reportedly disclosed, these people can’t simply heed Optus’ advice to be on the look-out for scam emails and text messages.’ 

Sydney-based solicitor Jahan Kalantar said he’d already been inundated with Optus customers seeking legal advice about the breach.

Pictured is an email sent to one Optus customer informing them their data had been breached

‘People will be no doubt making various complaints to the Information and Privacy Commission NSW,’ he said.

‘And there’ll be no doubt furious scrutiny on Optus to how this has happened.’

He said those who subscribe to the telco should do everything they can to minimise their exposure, such as changing their passwords and keeping detailed records of the conversations they have had with Optus since the breach happened.

It comes as a mysterious hacker claiming to be behind the breach has since demanded Optus hand over $1.5 million in ransom money in the form of the cryptocurrency Monero, or they will publish the data.

On Saturday morning the ransom demand, which tech experts believe is legitimate, appeared on an online forum with the hackers warning the telco it had one week to respond. 

‘Optus if you are reading! price for us to not sale data is 1.000.000$US We give you 1 week to decide,’ part of the message read. 

On Friday morning, CEO Kelly Bayer Rosmarin made an emotional apology to the millions of Optus customers whose details had been compromised. 

She confirmed payment details and account passwords were protected but admitted she felt ‘terrible’ the breach had happened under her watch. 

‘I think it’s a mix of a lot of different emotions,’ she said.

‘Obviously I am angry that there are people out there that want to do this to our customers, I’m disappointed we couldn’t have prevented it.

‘I’m very sorry and apologetic. It should not have happened.’ 

***
Read more at DailyMail.co.uk