Virgin Mobile and Gomo customers’ information leaked in Optus data hack

Two more Australian telcos owned by Optus have warned customers their data could have been exposed in the recent security breach.

Current and former Virgin Mobile and Gomo customers’ personal information was leaked last week alongside that of 10 million Optus customers in Australia’s biggest ever cyber attack.

Optus reported people’s names, addresses, emails and dates of birth were exposed along with 2.8 million passport, licence and Medicare numbers.

The data leak was initially thought to only affect direct Optus customers but recent emails seen by Guardian Australia show the company’s subsidiaries are also at risk.

The network also sells mobile network services to Amaysim, Dodo, Circles.Life and iiNet.

Optus announced it will compensate customers needing a licence replacement but has so far ignored calls from the federal government to replace passports. 

Daily Mail Australia has contacted Optus for comment.

Optus bought the final share of Virgin Mobile Australia in 2006, giving it full ownership.

Gomo, operated by Optus, was launched in 2020 and has customers in Singapore, the Philippines, Indonesia and Thailand.  

The Office of the Australian Information Commissioner announced it is probing Optus’ compliance with data breach requirements.

‘All organisations need to assess the risk a data breach poses to compromising their own customers’ data and ensure additional safeguards are in place,’ Commissioner Angelene Falk said on Thursday.

The commissioner also raised concerns that companies are holding on to personal data they don’t need, such as driver’s licence, passport and Medicare details.

‘They must take reasonable steps to destroy or de-identify the personal information they hold,’ she said.

‘Collecting and storing unnecessary information breaches privacy and creates risk.’

The Optus scandal had also highlighted the need to ‘shift the dial’ and make organisations ultimately responsible for protecting their clients.

Federal Financial Services Minister Stephen Jones stressed Optus had a responsibility to the almost 40 per cent of Australians affected by the breach.

The government earlier this week expressed its shock that Medicare details were part of the theft, although card holders are being told their health details can’t be accessed with their client number.

The data breach has prompted nearly all states and territories to allow affected residents to apply for new driver’s licence numbers for free, with any costs expected to be ultimately paid for by the telco.

Prime Minister Anthony Albanese has demanded Optus pay the cost of replacement passports, saying the hack was the telco’s fault.

‘Companies need to be held to account here, and that is something my government is determined to do,’ he said on Thursday.

Foreign Minister Penny Wong wrote to Optus chief executive Kelly Bayer Rosmarin on Wednesday, saying there was ‘no justification’ for taxpayers to foot the passport bill. Optus has yet to respond.

Meanwhile, reforms to Australia’s privacy and data laws will be rushed through in the wake of the crisis.

Legislative changes could be introduced to parliament by the end of the year, Attorney-General Mark Dreyfus said on Thursday.

‘It is certainly not just simply about increasing penalties, although that will be part of the reforms we are going to look at,’ he said.

‘We need to make sure that companies who are keeping Australians’ data pay absolute attention to keeping that data safe.’

Mr Dreyfus said he saw no reason why telcos needed to keep data used to validate identification, such as a driver’s licence or passport, for a decade.

But the federal opposition has criticised the government for not implementing reforms to online privacy recommended in a previous coalition government review.

‘It should not have taken the cyber attack on Optus to wake up this government,’ opposition communications spokeswoman Sarah Henderson said.