Optus reveals at least 2.1 million ID numbers exposed in massive data breach

Optus has commissioned Deloitte to conduct an independent external review of the company’s massive data breach, with a focus on security systems and processes, as it announced at least 150,000 passport and 50,000 Medicare numbers were stolen.

Twelve days since the breach of the personal information of 10 million customers, the Singtel-owned company announced on Monday that the review put forward by CEO, Kelly Bayer Rosmarin, to the Singapore parent company’s board was supported unanimously.

Bayer Rosmarin said Deloitte would undertake a forensic assessment of the breach.

On Monday afternoon, Optus said it had identified that 2.1m customers had one form of ID number exposed in the breach, with 900,000 of those being ID numbers from expired documents. This included about 150,000 from passports and 50,000 from Medicare cards.

“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyber-attack exists,” Bayer Rosmarin said.

“I am committed to rebuilding trust with our customers and this important process will assist those efforts.”

The review would be in addition to the work Optus was undertaking with technical professionals within the federal government to understand how the breach occurred. The Australian Signals Directorate is also working with other telecommunications providers to ensure they do not have similar vulnerabilities.

In the past day, Optus has sent text messages or emails to customers who had their driver’s licence numbers taken, in every state and territory bar Victoria and Queensland.

Optus said on Sunday that it was working to provide advice to customers in those states as soon as possible.

NSW and ACT residents have been informed that, because their governments use the national document verification service, they only need to replace their licence if the licence number and card number were exposed.

The company has also alerted those customers who had their Medicare card numbers exposed.

On Sunday the government services minister, Bill Shorten, said about 36,900 people had their Medicare card numbers exposed in the breach, but Optus had yet to tell Services Australia which customers were exposed, despite the government requesting the information last week.

“I accept that Optus has got a lot on their plate at the moment [but] I think there should be more initiative displayed by Optus,” he said.

“This shouldn’t be a game of Whac-A-Mole where we work out what the problem is and then we go to the corporation and say, help us stop the problem.”

The home affairs minister, Clare O’Neil, said on Sunday the company had informed 10,200 customers that their records had been posted online as part of a ransom demand from an alleged attacker on a data breach forum. The user later deleted the post, dropped the demands, and apologised for leaking the data.

O’Neil said existing cybersecurity laws passed in the last parliament were “absolutely useless” when the Optus breach occurred, and while the government had been able to rely on powers in the Telecommunications Act to get Optus to provide the government information, she flagged the next breach might not be a telecoms company.

“Looking at the powers that we have in an emergency is something that’s going to have to happen,” she said.

O’Neil said the Australian federal police would provide an update on the status of the investigation into who had obtained the data and posted it online in the coming days.

Guardian Australia has sought comment from Optus.
