Thursday, April 25, 2024

Minister lashes Optus for ‘leaving window open’ for hackers

Earlier, in her first significant comments since the Optus hack was revealed, O’Neil told parliament that almost 3 million Optus customers had significant amounts of personal data stolen in last week’s attack and scolded the company for failing to protect customer information.

Shortly after O’Neil demanded the company provide free credit monitoring to affected customers, Optus announced it would offer 12 months of free monitoring from consumer credit reporting agency Equifax to the “most affected” current and former customers. Optus had already been working to set this up, which O’Neil later said was welcome but “inadequate” as a response.

An Optus spokesman said the company would not send any links to customers and that information on how to sign up would be communicated in the coming days.

The Australian Federal Police announced it was working with overseas law enforcement agencies to identify the offenders behind the attack.

“Criminals who use pseudonyms and anonymising technology can’t see us, but I can tell you that we can see them,” Assistant Commissioner Justine Gough said.

Gough said police were aware of reports that Optus user data was being offered for sale online and officers were monitoring the dark web to track down the offenders.

Noting the AFP has specialist cyber investigators in the United Kingdom, United States, Europe and Africa, Gough said: “We will use all our technical capabilities and tools to protect the public from cybercrime, but we also need the public to be extra vigilant.”

The federal government was expected to announce its policy response to the hack before parliamentary question time on Monday, but the announcement was delayed by the complexity of the issue.

“One significant question is whether the cybersecurity requirements we place on large telecommunications providers in this country are fit for purpose,” said O’Neil. “I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.”

Under the federal government’s mandatory data-retention scheme, telecommunications companies must retain significant amounts of data on customers, with some to be kept for two years even if an account is closed, to ensure it can be accessed by law enforcement and national security agencies.

Opposition home affairs spokesperson Karen Andrews accused O’Neil of being “asleep at the wheel” after the hack and failing to adequately inform Australians how the government would respond.

Prime Minister Anthony Albanese described the hack as a “huge wake-up call for the corporate sector” on the need to secure customers’ personal data.

He said the government was looking to change privacy rules so that banks could be quickly notified about data breaches. Already in its first public statement on the hack last Thursday, Optus said it had notified “key financial institutions”, though there are limitations on data sharing.

Law firm Slater and Gordon announced it was investigating a possible class action, which could allege breaches of privacy laws, service contracts, or credit reporting obligations against Optus on behalf of current and former customers.

Slater and Gordon has previously represented asylum seekers whose data was leaked in 2014, a case in which some received up to $20,000 in compensation.

“That was a particularly vulnerable cohort, and that’s one category of Optus customers and former customers that we are particularly concerned about,” said Ben Zocco, a class actions senior associate at the firm. “So for example, domestic violence survivors or stalking victims or … people that have sought or [are] seeking asylum in Australia.

“For them, it’s potentially harmful by way of having their information be available to perpetrators who have been violent or otherwise engaged in undesirable conduct toward them in the past.”

Optus’ Sheridan would not comment on the potential class action, saying it would “run its course” and the company would keep helping customers, though he would not commit to paying the costs of new drivers’ licenses or passports.

Investigating a class action is not the same as filing a legal claim and is commonly used by class action firms to attract the plaintiffs they need to run a case.
