Optus has commissioned Deloitte to conduct an independent external review of the company’s massive data breach, with a focus on security systems and processes, as it announced at least 150,000 passport and 50,000 Medicare numbers were stolen.
Twelve days since the breach of the personal information of 10 million customers, the Singtel-owned company announced on Monday that the review put forward by CEO, Kelly Bayer Rosmarin, to the Singapore parent company’s board was supported unanimously.
Bayer Rosmarin said Deloitte would undertake a forensic assessment of the breach.
On Monday afternoon, Optus said it had identified that 2.1m customers had one form of ID number exposed in the breach, with 900,000 of those being ID numbers from expired documents. This included about 150,000 from passports and 50,000 from Medicare cards.
“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyber-attack exists,” Bayer Rosmarin said.
“I am committed to rebuilding trust with our customers and this important process will assist those efforts.”
The review would be in addition to the work Optus was undertaking with technical professionals within the federal government to understand how the breach occurred. Australian Signals Directorate is also working with other telecommunications providers to ensure they do not have similar vulnerabilities.
In the past day, Optus has sent text messages or emails to customers who had their driver’s licence numbers taken, in every state and territory bar Victoria and Queensland.
Optus said on Sunday that it was working to provide advice to customers in those states as soon as possible.
NSW and ACT residents have been informed that, because their governments use the national document verification service, they only need to replace their licence if the licence number and card number were exposed.
The company has also alerted those customers who had their Medicare card numbers exposed.
On Sunday the government services minister, Bill Shorten, said about 36,900 people had their Medicare card numbers exposed in the breach, but Optus had yet to tell Services Australia which customers were exposed, despite the government requesting the information last week.
“I accept that Optus has got a lot on their plate at the moment [but] I think there should be more initiative displayed by Optus,” he said.
“This shouldn’t be a game of Whac-A-Mole where we work out what the problem is and then we go to the corporation and say, help us stop the problem.”
The home affairs minister, Clare O’Neil, said on Sunday the company had informed 10,200 customers that their records had been posted online as part of a ransom demand from an alleged attacker on a data breach forum. The user later deleted the post, dropped the demands, and apologised for leaking the data.
O’Neil said existing cybersecurity laws passed in the last parliament were “absolutely useless” when the Optus breach occurred, and while the government had been able to rely on powers in the Telecommunications Act to get Optus to provide the government information, she flagged the next breach might not be a telecoms company.
“Looking at the powers that we have in an emergency is something that’s going to have to happen,” she said.
O’Neil said the Australian federal police would provide an update on the status of the investigation into who had obtained the data and posted it online in the coming days.
Guardian Australia has sought comment from Optus.