Home Affairs minister Clare O’Neil has flagged significant reforms to the cybersecurity requirements imposed on businesses following the Optus data breach that saw the personal data of 9.8 million Australians compromised.
In her first major comments on the data breach, Clare O’Neil told Parliament on Monday afternoon that a suite of reforms would emerge from the cyberattack including potential changes to the penalties imposed on businesses.
“A very substantial reform task is going to emerge from a breach of this scale and size, and there’s a number of policy issues that I think the public will soon become quite aware of,” she said during question time.
“One significant question is whether the cybersecurity requirements that we place on large telecommunications providers in this country are fit for purpose.”
“I also note that in other jurisdictions that a data breach of this size would result in fines of hundreds of millions of dollars.”
The government is also reportedly considering changes to data breach notification rules to see banks and other institutions informed sooner when a data breach occurs so that they can take action to reduce the prospect of fraud.
Businesses have been required to report data breaches to the Office of the Australian Information Commissioner since 2017. As of July this year, critical infrastructure assets are also required to report cyber incidents to the Australian Cyber Security Centre (ACSC) within 72 hours.
O’Neil said the government plans to work collaboratively across the Parliament on the “reform task” ahead and will “speak in the coming days about how we will work through those issues in conjunction with other members of parliament”.
With the last of the Optus customers worst impacted by the data breach now notified, O’Neil said the government was focused on “doing whatever we can to help protect Australians affected by this breach”.
“This is a very large multi-agency effort which has seen many hundreds of public servants work through recent public holidays, through the night and straight through the weekend, and the Albanese government thanks them for their efforts,” she said.
“The Australian government, the [Australian Competition and Consumer Commission] and the [Australian Prudential Regulation Authority] are engaging with the banking sector to see what additional steps can be taken to protect customers. This is complex – it’s legally and technically complex – but we’re working on a solution.”
The government will be “providing additional protections on government platforms such as myGov”, much like the Australian Taxation Office did for the 93,000 South Australian public servants caught up in last year’s ransomware attack on payroll software provider Fronter Software.
O’Neil also called on Optus to “continue to do everything they can to support customers and former customers” including committing to provide “free credit monitoring to impacted customers” today, which Optus agreed to do less than an hour later for those current and former customers “most affected” by the data breach.
Optus last week revealed a cyberattack had resulted in the disclosure of personal data belonging to current and former customers, including driver’s licence and passport numbers for a “subset of customers”.
Ransom demands for data belonging to around 11.2 million Optus customers reportedly appeared on forums over the weekend. The so-called hacker said they won’t sell the data to other parties if Optus pays US$1 million.
Optus is currently working with the Australian Federal Police (AFP) – which is working with overseas law enforcement under ‘Operation Hurricane’ to identify the offenders – and the Australian Signals Directorate (ASD).
At a media briefing on Friday, Optus chief executive Kelly Bayer Rosmarin said the worst case scenario for the number of records accessed is 9.8 million, but that it would likely be significantly less.
But O’Neil on Monday said Optus “have advised that this breach has revealed some personal data of 9.8 million Australians”, of which around 2.8 million have had “significant amounts of personal data” taken.
“Responsibility for this security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” she added.
“Very substantial support has been provided by the Australian government and I want to credit the work of the ASD, the Australian Cyber Security Centre and AFP in that support.”
Do you know more? Contact James Riley via Email.