The federal government has demanded Optus pay for new passports for customers caught up in the telco’s data breach, as the prime minister flagged an overhaul of laws relating to the collection of personal information.
The foreign minister, Penny Wong, has written to Optus raising concerns about criminals exploiting data harvested in the hack, saying there was “no justification” for victims or taxpayers to foot the bill for replacing compromised documents.
The government is working with financial regulators to prevent potential fraud and is considering replacing Medicare details as Optus revealed nearly 15,000 Medicare numbers were involved in the cyber hack. The commonwealth’s response to the release of up to 10 million accounts is spreading across a growing number of departments.
In a statement on Wednesday evening, Optus said it had identified 14,900 valid and unexpired Medicare ID numbers among the compromised customer records, as well as 22,000 expired numbers. Customers with valid Medicare numbers will be contacted within 24 hours, and those with expired numbers in coming days.
“Please be assured that people cannot access your Medicare details with just your Medicare number. If you are concerned or have been affected, you can replace your Medicare card as advised by Services Australia,” Optus said.
Anthony Albanese told parliament on Wednesday the “government expects Optus to do everything within its means to support affected customers”.
“Clearly, we need better national laws, after a decade of inaction, to manage the immense amount of data collected by companies about Australians – and clear consequences for when they do not manage it well.”
Albanese noted the opposition had asked the government to waive fees and expedite applications for customers requiring new passports. He said the government wanted Optus to cover the costs.
“We believe that Optus should pay, not taxpayers,” Albanese said.
Wong wrote to the Optus chief executive, Kelly Bayer Rosmarin, asking for the company to pay for new passports.
Foreign min Penny Wong asks Optus CEO to “cover the passport application fees of any customer affected by this breach”
Warns data breach means customers “subject to exploitation by criminals” pic.twitter.com/KtZdFCJgSR
— Josh Butler (@JoshButler) September 28, 2022
“As you will appreciate, this serious incident creates a risk that the personal information of current and former mutual customers of the Australian passport office and Optus will be subject to exploitation by criminals,” Wong wrote.
“I seek your earliest confirmation that Optus will cover the passport application fees of any customer affected by this breach whose passport information was disclosed and who choose to replace their currently valid passport.”
Optus was contacted for comment. Wong’s office was asked what action Australians seeking a new passport should take and whether their applications would be expedited.
Optus parent company Singtel on Wednesday said “we are deeply sorry to everyone affected by the data theft on our subsidiary Optus”.
“Singtel management and board are treating this incident very seriously and working closely with Optus to address what is a complex issue, holistically,” the company said in a statement.
Some state governments have offered to replace driver’s licences free of charge. They’ve also said Optus should pick up the tab.
The NSW customer service minister, Victor Dominello, on Tuesday “strongly advised” customers notified by Optus that their driver’s licence details had been compromised to apply for a replacement.
But on Wednesday, a department spokesperson said: “Customers will receive notifications from Optus on the necessary remediation activities. Most customers will not need a new licence or card number. Those customers who receive notifications from Optus encouraging them to replace their licence can do so immediately.”
The NSW department added: “Replacing a driver’s licence in NSW will provide customers with a new card number, protecting them from unauthorised DVS checks using the old card’s information.”
Sign up to Guardian Australia’s Morning Mail
Our Australian morning briefing email breaks down the key national and international stories of the day and why they matter
Federal government sources had flagged news from the home affairs minister, Clare O’Neil, regarding the commonwealth’s plan. But so far O’Neil has not made any formal announcement or held a press conference. The Coalition has called on O’Neil to detail exactly what Labor is doing.
In an interview with A Current Affair, the minister claimed Australia was “five years behind where we need to be” on cybersecurity regulation, and “a decade” behind on privacy laws. She said the government may seek stronger powers to enforce cybersecurity provisions on private companies, and again noted the Commonwealth had limited powers to impose fines for such privacy issues.
“Your viewers are entitled to be angry,” O’Neil said.
Albanese on Wednesday flagged further action on data retention and storage –including strengthening privacy laws through a review of the Privacy Act.
“We are committed to protecting Australians’ personal information,” the prime minister said. “We are dealing with this issue, we know that it does need to be dealt with and we know that this has been an absolute priority for Australians.”
The government’s response involves the departments of home affairs, cybersecurity, attorney general, communications, health, foreign affairs and the Treasury.
The federal health minister, Mark Butler, told ABC radio his department was “looking very closely” at whether new Medicare numbers would need to be issued.
The treasurer, Jim Chalmers, said financial authorities were working with Optus to limit potential fraud. The telco was sharing data with banks to allow better monitoring of accounts, he said.
Chalmers met with the Australian Competition and Consumer Commission (ACCC) to discuss the “safe and secure sharing of data between Optus and regulated financial institutions with the appropriate safeguards” to allow enhanced monitoring of transactions.
“Financial institutions can play a really important role here using that data, if we can work out the best way to get it to them, to protect their customers at greatest risk,” he told reporters in Canberra.
Fear that customers’ data could be misused spread to the sharemarket, with the Australian Securities and Investments Commission (Asic) warning stockbrokers to be “extra vigilant in verifying and managing customers’ personal information” such as through onboarding processes or changing customer account details.
Asic urged brokers to use two-factor verification to verify clients and check IP addresses against those on record to reduce the risk of fraud.
The Asic circular was very similar to a warning issued to banks, insurers and super funds on Tuesday in which the Australian Prudential Regulation Authority urged them to immediately “harden controls on high-risk processes and transactions”.
Josh Butler and Ben Butler