The Australian government said on Monday it was considering tougher cybersecurity rules for telecommunications companies after Optus, the nation’s second-largest wireless carrier, reported personal data of 9.8 million customers had been breached.
Optus said Thursday it had become aware the day before of the cyberattack breaching details of 9.8 million people — within Australia’s population of 26 million.
In the cases of 2.8 million current and former Optus customers, the breach involved “significant amounts of personal data,” Cybersecurity Minister Clare O’Neil told Parliament.
“The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” O’Neil said.
In some countries, such a breach would result in fines “amounting to hundreds of millions of dollars,” O’Neil said.
Australian law doesn’t currently allow for Optus to be fined for the breach.
“A very substantial reform task is going to emerge from a breach of this scale and size,” O’Neil said.
“One significant question is whether the cybersecurity requirements that we place on large telecommunications providers in this country are fit for purpose,” she added.
O’Neil called on Optus to offer compromised customers free credit monitoring to protect them from identity theft, a request that the Sydney-based company complied with later on Monday.
Optus announced it was offering its “most affected” customers 12-month free subscriptions to Equifax Protect, a credit monitoring and identify protection service.
Optus said the information that had been accessed by an unnamed third party included customers’ names, dates of birth, phone numbers and email addresses.
For a minority, the personal data also included identification documents such as driver's license and passport numbers.
Police and other government security agencies had worked through the weekend to protect affected customers, O’Neil said.
Government agencies were also working with the banking sector to protect customers.
“This is complex. It’s legally and technically complex, but we are working on a solution,” O’Neil said.
Prime Minister Anthony Albanese described the breach as a “huge wake-up call for the corporate sector.”
Albany foreshadowed potential changes to privacy provisions so that banks can move quicker to protect their own customers after such a breach.
“We know that in today’s world there are actors — some state actors, but also some criminal organizations — who want to get access to people’s data,” Albanese told Brisbane Radio 4BC.
Optus chief executive Kelly Bayer Rosmarin said in a statement last week: “We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it.”