The government has stepped up pressure on Optus to immediately hand over the information it has on people whose data was breached by the hacking of the telecommunications giant.
Optus has also been told bluntly that it is inadequate just to use email to inform more than 10,000 people whose data was uploaded by the hacker to the internet, allowing it to be widely shared.
Minister for Government Services, Bill Shorten and Cyber Security Minister Clare O’Neil said the government needed all the information for those who have used Services Australia credentials for identification so action could be taken to protect them.
Services Australia wrote to Optus on September 27 asking for the details of those affected customers who had used Medicare cards, Centrelink Concession Cards, and the like.
It would use this information to place extra security measures on affected customer records and to prevent further fraud.
But as of Sunday morning Optus had not provided the requested material.
Shorten told a joint news conference with O’Neil he understood if Optus had to have a legal strategy but “the first priority has to be surely to protect Australians.
“I don’t know why they’re not on the phone every couple of hours telling us how they’re going, getting the data ready in a form which we can use.
“The drawbridge needs to come down.”
O’Neil said she was most worried about the 10,200 people whose data had been briefly online, declaring Optus had failed to adequately inform them.
“Optus have advised that they have told those people by email. But that is simply not sufficient under these circumstances.
“We are going to need to go through a process of directly speaking with those 10,200 individuals.”
O’Neil said she had spoken to both Optus and the Australian Federal Police on Sunday morning.
She had told Optus “an email was not going to cut it here.
“This is 10,200 people whose data is somewhere in the ether and we don’t know where and we don’t know who has it.
“I’ve talked to the Australian Federal Police Commissioner a number of times this morning and I’ve asked the two organisations to liaise to agree on what additional communication efforts need to be taken with regard to those specific people.”
O’Neil criticised the legislation passed by the former government to protect cyber security.
“There was a set of laws passed that were meant to be the be-all-and-end-all of cyber security reform.
“The instructions on the label told me that these laws were going to provide me with all of the powers that I would need in a cyber security emergency […] I can tell you that those laws were absolutely useless to me when the Optus matter came on foot.”
She was not flagging specific reforms. But “we do not have the right laws in this country to manage cyber security emergency incidents, and this is something that we are going to need to look at.”
She pointed to the need for mandating timely reporting to customers when their data has been breached. This was just one of a “plethora” of things the federal government should be able to do in a situation like the Optus one.
Attorney-General Mark Dreyfus said companies should not store personal information forever, indicating urgent action on privacy. “I may be bringing reforms to the Privacy Act before the end of the year to try and both toughen penalties and make companies think harder about why they are storing the personal data of Australians,” he told the ABC.