Government ministers lined up on Sunday morning to lay into Optus over its massive hacking scandal, blasting the company for not doing enough and saying that ‘sorry’ isn’t good enough.
Attorney-General Mark Dreyfus said he was yet to get an explanation of why Optus hoarded the sensitive personal information of people even after they left the telco.
The data stolen by the hacker came from 10 million current or former Optus customers and dated back to 2017.
‘I think that companies should not store information forever, as it seems to be the case with Optus keeping the very personal data of customers who had ceased to be customers years ago,’ Mr Dreyfus told ABC’s Insiders.
‘I am yet to hear a reason why that was going on. In particular that’s a concern because Optus failed to keep that information safe.’
Mr Dreyfus said companies needed a new mindset when it comes to personal data.
‘One of the settings in the Privacy Act is that information that belongs to Australians is only to be used for the purpose for which it is collected,’ he said.
‘If the purpose here was to identify someone who’s opening an account or getting a phone from Optus, that’s the end of it.’
‘I have said throughout the week that companies throughout Australia should stop regarding all this personal data of Australians as an asset for them; they should actually think of it as a liability.’
Mr Dreyfus flagged toughening the rules around data storage.
‘This is a wake-up call for corporate Australia and we are going to look very hard at the settings in the Privacy Act,’ he said.
‘I may be bringing reforms to the Privacy Act before the end of the year to try and both toughen penalties and make companies think harder about why they are storing the personal data of Australians.’
Optus took out a full-page ad in newspapers on Saturday to say it was ‘deeply sorry for the data breach’ but on Sunday morning two government ministers said it was nowhere near enough.
Cyber Security and Home Affairs Minister Clare O’Neil said that Optus had not done enough to alert those most at risk, the 10,200 people who had their details leaked online by the hacker.
‘Optus has advised it has told those people – an email is simply not sufficient under these circumstances,’ Ms O’Neil told a media conference.
‘We are going to need to go through a process of directly speaking to those 10,200 individuals.
‘Optus needs to take up the mantle here to directly ensure people are aware when they are directly at risk, as those people are.’
She said Optus had failed to provide the government with information on who and how many were at risk.
‘We would like Optus to be transparent about the numbers of people who have had specific identity documents compromised and that information has not yet been provided.’
The criticism was echoed by Services Minister Bill Shorten, who said his department had written to Optus on 27 September asking for details on all those who had Medicare numbers or other Centrelink information stolen, but as yet had no reply.
‘It’s been 11 days since the breach,’ he said.
‘It is most peculiar that we still can’t identify who has had their Medicare information number to be able to get their information.
‘We need this not tomorrow or the next day, we really needed it days ago.’
Bill Shorten slammed Optus for taking almost two weeks to notify the government about what exact information had been stolen from its systems.
Mr Shorten acknowledged the Optus ad apologising to customers but said ‘business as usual’ and ‘motoring along in fourth gear’ was not enough.
‘An ad is not a strategy, an ad is not a plan,’ he said.
‘We’re asking Optus to upgrade their transparency.
‘Systemic risk has been injected into the Australian bloodstream about the privacy of (their) information. We know that Optus is trying to do what it can, but having said that, it’s not enough.’
Ms O’Neil said two federal police taskforces had been set up to investigate the incident, one to catch the hacker and the other to help the 10,200 people whose data had been leaked.
She provided some advice as well as delivering another stinging rebuke to Optus.
‘Anyone who believes they are caught up in the hack or becomes aware of dodgy conduct should go to cyber.gov.au, find advice there and make a report,’ she said.
‘If you see dodgy emails coming through to you, don’t click on any links; if you are getting text messages that look odd, don’t answer; even if you are getting phone calls from numbers that look dodgy, don’t pick up the phone.
‘This is a time for real vigilance for Australians. We should not be in the position that we are in, but Optus has put us here.’
In Saturday’s ad Optus said it was working ‘closely with authorities’, something Ms O’Neil acknowledged before highlighting what the telco hasn’t done.
‘We’re deeply sorry,’ the apology read.
‘We’re deeply sorry that a cyberattack has happened on our watch.
‘We know this is devastating and that we’ll need to work hard to regain your trust. The attack was quickly shut down, and we are working closely with authorities to understand how this attack on your privacy occurred.’
The apology comes as it’s revealed fewer NSW customers will need to change their licence numbers because of tougher document verification standards.
Ms O’Neil said the investigation into catching the hacker was ‘progressing well’ and the AFP would talk about it in the coming week.
After threatening to release all the data if Optus did not pay a US$1 million (A$1.5 million) ransom within seven days, the hacker suddenly backed off mid-week, saying there were ‘too many eyes’ on them and even apologising for what they did.
Before doing that, however, they released the data of 10,200 people to show the threat was genuine.