Optus faces potential class action and pledges free credit monitoring to data-breach customers

Home affairs minister Clare O’Neil says company to blame and flags new laws with large fines for such breaches

Optus has agreed to provide free credit monitoring to the millions of customers caught up in its massive data breach, as the home affairs minister flags changes to law to potentially fine companies millions for similar breaches.

The company on Monday said it had informed all customers via email or SMS if they had had their passport or driver’s licence numbers compromised in the breach last week.

The breach affected 9.8 million customers, of whom 2.8 million lost “significant amounts of data”, the home affairs minister, Clare O’Neil, told parliament on Monday.

The law firm Slater and Gordon has announced it is investigating launching a possible class action against Optus on behalf of customers. The firm’s class actions senior associate, Ben Zocco, said the breach was “potentially the most serious privacy breach in Australian history”.

The company announced on Monday afternoon that a 12-month subscription to Equifax Protect credit monitoring would be offered to all affected customers, and customers could expect to receive an email about how to start the service in the coming days.

Such services keep track of changes to a person’s credit history and watch for any suspicious activity.

O’Neil told parliament “the breach is of a nature that we should not expect to see in a large telecommunications provider in this country” and that she had asked the chief executive of Optus for credit monitoring services to be provided for affected customers.

O’Neil said the breach raised substantial policy issues, and flagged the potential for new laws with large fines for such breaches.

“One significant question is whether the cybersecurity requirements we place on large telecommunications providers in this country are fit for purpose. I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars,” she said.

The minister did not refer to the incident as a cyber-attack. Reports on how the personal information was accessed have thrown into question the company’s claim that it was as a result of a “sophisticated attack”.

A user going by the name “optusdata” has posted on a data-leak site claiming they had obtained the data, and had offered to sell it back to Optus for $1m in cryptocurrency in the next week. The user posted a sample of the data, including 100 records. Multiple reports have suggested that these records are legitimate Optus user data.

The cybersecurity journalist Jeremy Kirk reported that the user claimed they obtained the data not through a sophisticated attack on the company’s systems but through an application programming interface (API) connected to Optus’s customer database.

An API is an interface that lets separate systems exchange data. When one is exposed on the internet without requiring callers to authenticate, anyone who finds it can retrieve the data it serves.
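To make the distinction above concrete, here is a small added illustration (not code from the article, and not Optus’s systems) of the same customer-lookup endpoint written two ways: one that returns a record to any caller who knows the path, and one that checks a credential first, denies unauthenticated requests uniformly, masks identity-document numbers in what it returns, and records each decision so that unauthenticated probing is visible in the logs. The record store, token value, handler names and `Request`/`Response` types are all hypothetical and constructed for this example.

```python
"""Unauthenticated versus authenticated customer-lookup endpoint.

Constructed example for illustration only: the customer records, the
service token and the handler names are hypothetical and do not describe
any real system.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample records (fictional people, fictional licence numbers).
CUSTOMERS = {
    "1001": {"name": "A. Example", "licence": "LIC-000001"},
    "1002": {"name": "B. Example", "licence": "LIC-000002"},
}

# Hypothetical credential a legitimate client would present. In practice
# this would be issued per client, stored outside the code and rotated.
API_TOKEN = "example-service-token"

# Access log the defender can review; each entry records the outcome.
ACCESS_LOG: list = []


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def _customer_id(req: Request) -> str:
    # Path is assumed to look like /api/customers/<id>.
    return req.path.rstrip("/").rsplit("/", 1)[-1]


def mask(value: str, visible: int = 4) -> str:
    """Hide all but the last few characters of an identity document number."""
    return "*" * max(len(value) - visible, 0) + value[-visible:]


def open_customer_endpoint(req: Request) -> Response:
    """Weak pattern: no authentication, full record returned to any caller."""
    record = CUSTOMERS.get(_customer_id(req))
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(record))


def _bearer_token(req: Request):
    """Extract the token from an 'Authorization: Bearer <token>' header."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def protected_customer_endpoint(req: Request) -> Response:
    """Hardened pattern: authenticate first, minimise output, log the outcome."""
    token = _bearer_token(req)
    # Constant-time comparison; reject before touching the data store, and
    # return the same response whether or not the customer id exists.
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        ACCESS_LOG.append({"path": req.path, "status": 401, "authenticated": False})
        return Response(401, {"error": "authentication required"})

    record = CUSTOMERS.get(_customer_id(req))
    if record is None:
        ACCESS_LOG.append({"path": req.path, "status": 404, "authenticated": True})
        return Response(404, {"error": "not found"})

    ACCESS_LOG.append({"path": req.path, "status": 200, "authenticated": True})
    # Return only what the caller needs; never the raw document number.
    return Response(200, {"name": record["name"], "licence": mask(record["licence"])})


def unauthenticated_attempts() -> int:
    """Count of denied requests in the log: a simple signal worth alerting on."""
    return sum(1 for entry in ACCESS_LOG if not entry["authenticated"])


if __name__ == "__main__":
    anonymous = Request("/api/customers/1001")
    print("open endpoint, no credential:", open_customer_endpoint(anonymous))
    print("protected endpoint, no credential:", protected_customer_endpoint(anonymous))
    trusted = Request("/api/customers/1001", {"Authorization": f"Bearer {API_TOKEN}"})
    print("protected endpoint, valid credential:", protected_customer_endpoint(trusted))
    print("denied requests logged:", unauthenticated_attempts())
```

The point of the hardened handler is the ordering: the credential check runs before any lookup, a missing or wrong credential produces the same 401 regardless of whether the record exists, and the log entries give a defender something to count and alert on. Masking the licence number is a separate data-minimisation measure that limits what even an authenticated client can pull.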

When contacted by Guardian Australia on the data leak forum, the user claimed this was how they found and extracted the data from Optus. The API is now offline.

The Australian Federal Police announced on Monday officers were working with overseas law enforcement to identify who was behind the attack.

“Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them,” assistant commissioner Justine Gough said.

“It is an offence to sell or buy stolen identification credentials, with penalties of up to 10 years’ imprisonment.”

Samantha Floreani, program lead at Digital Rights Watch, said having an API online without proper authentication checks for those who access it would be akin to Optus publishing the data.

“This breach is a clear example of the dangers of collecting and storing large amounts of personal information and shows why we need reform to the Privacy Act as well as a strong, well-resourced regulator to enforce it, including access to harsher penalties when companies get it wrong.”

Optus’s head of corporate affairs, Sally Oelerich, would not confirm the reports when asked on 2GB radio on Monday.

“Obviously that’s on the internet. But no one’s picked up the phone and called us, so to speak,” she said. “I cannot actually validate whether that’s even legitimate. And part of that is, again, it’s under investigation.”

The data-leak forum user told Guardian Australia on Monday they had not yet had contact with Optus. They claimed they were not interested in the attention the breach had brought, and “just want money, like everyone”.

A long-awaited review of Australia’s privacy law was also expected to be finalised before the end of this year. The attorney general, Mark Dreyfus, said his department was working through “the many submissions and feedback” to produce a final report that will be made public once the government had considered it.

Optus’s chief information security officer left the company in August after four years in the role, ITNews reported. In a LinkedIn post, Dr Siva Sivasubramanian said it was “sad and shocking” what happened to Optus, and “my heart bleeds for them”.

“I have offered my services and support to the current cyber management team in this hour of crisis.”

Optus has been approached for comment.


Josh Taylor

The Guardian
