
Optus faces potential class action and pledges free credit monitoring to data-breach customers

Minister for home affairs Clare O’Neil says the Optus data breach raises substantial policy issues. Photograph: Mick Tsikas/AAP

Optus has agreed to provide free credit monitoring to the millions of customers caught up in its massive data breach, as the home affairs minister flags changes to law to potentially fine companies millions for similar breaches.

The company on Monday said it had informed all customers via email or SMS if they had had their passport or driver’s licence numbers compromised in the breach last week.

The breach affected 9.8 million customers, of whom 2.8 million lost “significant amounts of data”, the home affairs minister, Clare O’Neil, told parliament on Monday.

The law firm Slater and Gordon has announced it is investigating launching a possible class action against Optus on behalf of customers. The firm’s class actions senior associate, Ben Zocco, said the breach was “potentially the most serious privacy breach in Australian history”.

The company announced on Monday afternoon that a 12-month subscription to Equifax Protect credit monitoring would be offered to all affected customers, and customers could expect to receive an email about how to start the service in the coming days.

Such services keep track of changes to a person’s credit history and watch for any suspicious activity.

O’Neil told parliament “the breach is of a nature that we should not expect to see in a large telecommunications provider in this country” and that she had asked the chief executive of Optus for credit monitoring services to be provided for affected customers.

O’Neil said the breach raised substantial policy issues, and flagged the potential for new laws with large fines for such breaches.

“One significant question is whether the cybersecurity requirements we place on large telecommunications providers in this country are fit for purpose. I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars,” she said.

The minister did not refer to the incident as a cyber-attack. Reports on how the personal information was accessed have thrown into question the company’s claim that it was as a result of a “sophisticated attack”.

A user going by the name “optusdata” has posted on a data-leak site claiming they had obtained the data, and had offered to sell it back to Optus for $1m in cryptocurrency in the next week. The user posted a sample of the data, including 100 records. Multiple reports have suggested that these records are legitimate Optus user data.

The cybersecurity journalist Jeremy Kirk reported that the user claimed they obtained the data not through a sophisticated attack on the company’s systems but through an application programming interface (API) connected to Optus’s customer database.

An API is used to allow systems to transfer data. When left open on the internet without requiring authorisation, it is not difficult for people to gain access to the data.

When contacted by Guardian Australia on the data leak forum, the user claimed this was how they found and extracted the data from Optus. The API is now offline.

The Australian Federal Police announced on Monday officers were working with overseas law enforcement to identify who was behind the attack.

“Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them,” assistant commissioner Justine Gough said.

“It is an offence to sell or buy stolen identification credentials, with penalties of up to 10 years’ imprisonment.”

Samantha Floreani, program lead at Digital Rights Watch, said having an API online without proper authentication checks for those who access it would be akin to Optus publishing the data.
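
To make the point in the two preceding paragraphs concrete, here is an added illustration (not Optus’s code, and not from any reporting on the incident) of a customer-record lookup with no authorisation check beside a hardened version that requires a valid caller token and returns only the caller’s own record; the customer data, token format and `issue_token` login stand-in are all constructed for the example.

```python
# Added illustration (not Optus's code): a customer-lookup API exposed with no
# authorisation check, beside a hardened version that authenticates the caller
# and then authorises access only to that caller's own record.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records of the kind the article describes (identity documents).
CUSTOMERS = {
    1001: {"name": "Ada Example", "licence": "LIC-0001"},
    1002: {"name": "Bob Example", "licence": "LIC-0002"},
}


def lookup_customer_open(customer_id: int) -> Optional[dict]:
    """The weak pattern: anyone who can reach the endpoint gets any record."""
    return CUSTOMERS.get(customer_id)


# Hardened version. The per-process secret is a stand-in for a real key store.
_SERVER_KEY = secrets.token_bytes(32)


def issue_token(customer_id: int) -> str:
    """Issue an HMAC-bound bearer token (stands in for a real login flow)."""
    mac = hmac.new(_SERVER_KEY, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{mac}"


def _verify_token(token: str) -> Optional[int]:
    """Return the customer id the token was issued for, or None if it is invalid."""
    try:
        cid_text, mac = token.split(".", 1)
        cid = int(cid_text)
    except ValueError:
        return None
    expected = hmac.new(_SERVER_KEY, cid_text.encode(), hashlib.sha256).hexdigest()
    return cid if hmac.compare_digest(mac, expected) else None


def lookup_customer_authz(token: str, customer_id: int) -> Optional[dict]:
    """Authenticate, then authorise: only the caller's own record is returned."""
    caller = _verify_token(token)
    if caller is None or caller != customer_id:
        return None  # no valid token, or a request for someone else's record
    return CUSTOMERS.get(customer_id)
```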

“This breach is a clear example of the dangers of collecting and storing large amounts of personal information and shows why we need reform to the Privacy Act as well as a strong, well-resourced regulator to enforce it, including access to harsher penalties when companies get it wrong.”

Optus’s head of corporate affairs, Sally Oelerich, would not confirm the reports when asked on 2GB radio on Monday.

“Obviously that’s on the internet. But no one’s picked up the phone and called us, so to speak,” she said. “I cannot actually validate whether that’s even legitimate. And part of that is, again, it’s under investigation.”

The data-leak forum user told Guardian Australia on Monday they had not yet had contact with Optus. They claimed they were not interested in the attention the breach had brought, and “just want money, like everyone”.

A long-awaited review of Australia’s privacy law was also expected to be finalised before the end of this year. The attorney general, Mark Dreyfus, said his department was working through “the many submissions and feedback” to produce a final report that will be made public once the government had considered it.

Optus’s chief information security officer left the company in August after four years in the role, ITNews reported. In a LinkedIn post, Dr Siva Sivasubramanian said it was “sad and shocking” what happened to Optus, and “my heart bleeds for them”.

“I have offered my services and support to the current cyber management team in this hour of crisis.”

Optus has been approached for comment.
