IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

'Systemic ID problems for 10 million Australians’ after Optus breach, warns minister

The telco giant's response to its 22 September breach has brought on harsh criticism, and the company has now handed over its breach investigation to Deloitte

A shot of Australian government services minister Bill Shorten, speaking against a dark background

Australian telecoms giant Optus has been subjected to heavy criticism by the Australian government for its handling of a data breach that saw 10 million accounts affected.

Optus, a subsidiary of Singapore-based telco giant Singtel, is itself Australia’s second-largest telco. On 22 September, the firm reported that the data of 10 million accounts had been affected by a data breach, but that mobile network and broadband services were unaffected. 

Related Resource

CIO Priorities: 2020 vs 2023

Zero Trust, SaaS Security, and its impact on SD-WAN being a priority

Webinar title screenWatch now

It subsequently warned 10,200 customers that their Medicare records were included in a cache that a hacker was attempting to hold to ransom online. On Sunday, however, officials within the Australian government warned that the company was still falling short of its obligations to customers in the wake of the breach.

"We call upon Optus to understand that this breach has introduced systemic problems for 10 million Australians in terms of their personal identification," stated government services minister Bill Shorten at a press conference.

"We know that Optus is trying to do what it can, but having said that, it's not enough," Shorten said. "It's now a matter of protecting Australians' privacy from criminals."

Shorten also stated that the firm had been too slow to provide the government with insight into which customers had their Medicare and social service information stolen. As long as five days after the breach, no such information had been received.

The company has since identified that 2.1 million customers had had ID exposed in the breach, including Medicare card information. The Guardian reported that Optus has now commissioned Deloitte to carry out an independent review of the breach.

In the days following the attack, Australian prime minister Anthony Albanese stated that he would look to change privacy rules in the country, with the aim of better protecting citizens’ financial information in the event of a similar breach in the future.

As is required in the UK and EU, Australian companies have to report a data breach within 72 hours of discovering a breach has occurred, with any delays requiring adequate justification. This is a result of the Notifiable Data Breach (NDB) scheme, an amendment to the Privacy Act 1988, and failure to comply can result in a fine.

“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus,” Optus CEO Bayer Rosmarin in a statement, speaking on the ongoing Deloitte review.

“This may also help others in the private and public sector where sensitive data is held and risk of cyber-attack exists. I am committed to rebuilding trust with our customers and this important process will assist those efforts.”

The precise manner through which the attack was carried out, or by whom, is still unknown. Although data had originally been posted online with a ransom demand in the wake of the attack, this was later pulled from the hacker forum on which it had been listed.

Early reports suggested that the attacker's IP address suggested a European origin, but this remains unconfirmed and hackers can hide IP addresses with relative ease.

"We should not be in the position that we're in, but Optus has put us here," stated Home Affairs Minister Clare O'Neil.

"It's really important now that Australians take as many precautions as they can to protect themselves against financial crime."

Data breaches can seriously affect a company’s reputation, leading to decreased trust from its customers going forward, and handling a breach properly can be key to company image as well as avoiding legal trouble. In July, Uber’s former chief security officer was made to face wire fraud charges over his alleged involvement in the attempted coverup of its 2016 hack, which saw the details of 57 million drivers and users exposed.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download


Why Japan finds it so hard to digitally transform
digital transformation

Why Japan finds it so hard to digitally transform

1 Dec 2022
MSG giant Ajinomoto's chipmaking foray helps break financial records
Business strategy

MSG giant Ajinomoto's chipmaking foray helps break financial records

30 Nov 2022
India to trial digital rupee from December 2022
digital currency

India to trial digital rupee from December 2022

30 Nov 2022
Japan considers creating new cyber defence agency as attacks ramp up in region
cyber attacks

Japan considers creating new cyber defence agency as attacks ramp up in region

24 Nov 2022

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022