Australia's current administration is calling for stronger privacy laws, following last week's cybersecurity breach that compromised personal data of 9.8 million Optus customers. Describing the cyber attack as "not technologically challenging", the government says the breach should never have happened and that Optus should pay to rectify the situation.
When customers give their personal data to companies, they expect the information to be kept safe, Australian Prime Minister Anthony Albanese said in parliament Wednesday. Calling the Optus data breach "a great concern", he said the incident should serve as a wakeup call to businesses in Australia.
The mobile operator last week reported a security breach that it said compromised various customer data, including dates of birth, email addresses, and passport numbers. Information belonging to both current and former customers were impacted, Optus said, which its CEO Kelly Bayer Rosmarin later said was the result of a "sophisticated" attack that infiltrated multiple security layers.
The telco, though, has yet to provide further details on how the breach occurred or what systems were breached. Local reports have pointed to an online API (application programming interface) that apparently did not require authentication or authorisation for customer data to be accessed.
Albanese said the government was working with Optus to obtain the necessary information "to conduct a criminal investigation" led by the Australian Federal Police, in cooperation with the FBI.
"We know that this breach should never have happened," the prime minister said. "Clearly we need better national laws after a decade of inaction to manage the immense amount of data collected by companies about Australians, and clear consequences for when they do not manage it well."
He dismissed calls from the opposition party for the government to pay for the replacement of passports, arguing instead that Optus should be made to cover such costs. Taxpayers should not be made to pay for a problem that was the result of Optus' own failures on cybersecurity and privacy regulation, he said, adding that the Minister for Foreign Affairs had asked Optus to cover the associated costs.
Optus is a wholly-owned subsidiary of Singapore telecommunications group, Singtel.
Albanese added that the government was looking to strengthen local laws under its current review of the Privacy Act.
According to Australia's Minister for Home Affairs Clare O'Neil, the country was about five years behind where it needed to be in cyber protection. "It's simply not good enough," said O'Neil, who is also Minister for Cyber Security.
"What happened at Optus wasn't a sophisticated attack. We should not have a telecommunications provider in this country that effectively left the window open for data of this nature to be stolen," she said.
Describing the breach as unacceptable, she added that the incident was a major error on Optus' part. "They are to blame," the minister said. "The cyber hack undertaken here was not particularly technologically challenging."
She added that a breach of such a scale, involving a company such as Optus, would have resulted in significant financial penalties in other countries. Instead, in Australia, the maximum fine topped at just AU$2.2 million under the Privacy Act, which she said was "totally inappropriate".
O'Neil further noted that while she was able to set minimum cybersecurity standards for companies in several sectors, she was not able to do so for telcos, which had kept themselves out of the country's existing laws on the basis that their standards were high enough and they were regulated sufficiently under other laws.
This clearly was not the case as demonstrated by the recent breach, she said.
Stressing the need to strengthen the country's privacy laws, the minister said devices increasingly were connected to the internet. "It's a really clear message for me, for Australians, and for Australian companies, that we've got to lift the standards here and we've got to do better to protect Australians."
She said the government's current review of the Act would look at a range of issues, including the powers she had to mandate minimum cybersecurity standards that could have prevented the Optus breach from happening.
"This is an important wakeup call," she said. "What this tells us is that companies that have held themselves to be experts in cybersecurity are failing on these types of attacks."
O'Neil also revealed in a statement Tuesday that customers' Medicare numbers were compromised in the Optus breach, which initially were not revealed to be amongst data affected in the attack.
She further expressed concerns over reports that personal information stolen in the breach now was being offered for free and for ransom.