Select group of Optus customers should cancel licences and passports immediately, minister says

The 10,200 Optus customers who had their personal records posted online last week in the wake of the telco’s massive data breach should immediately cancel their driver’s licences and passports, the federal government says.

Optus has written to the 10,200 customers exposed last Monday after 10 million Australians had their records stolen from the telco a week earlier.

The home affairs minister, Clare O’Neil, said on Sunday that cybersecurity laws passed by the former Morrison government turned out to be “absolutely useless” for dealing with the Optus breach.

O’Neil said Optus needed to better communicate with those affected to help them replace identity documents.

Optus revealed on 22 September that the personal information of more than 10 million customers was exposed – with 2.8 million having identity documents including passport, Medicare and licence numbers stolen.

An alleged attacker who had sought $1m in ransom money from Optus posted 10,200 records online last Monday before withdrawing the threat on Tuesday and apologising.

“[Optus] have advised me they have advised those 10,200 people who they are and I want to say to those people that I would advise you – and the Australian government advice to you is – if you been told you are the subject of that particular part of the breach, you should proceed immediately to cancel relevant identification cards, to cancel your passport and do whatever else is needed to make sure you are getting fresh identity documents based on the email that was provided to you,” O’Neil said on Sunday.

The minister said notifying affected customers via email was not sufficient “and we will need to go to a process of directly speaking to those people and Optus needs to take up the mantle to ensure that people are aware that they are at risk”.

O’Neil said Optus was working with government technical experts to understand how the breach occurred and other telecommunications companies were working with the Australian Signals Directorate (ASD) to ensure they did not have similar vulnerabilities.

She called on Optus to be more transparent about the overall number of customers who had identity documents exposed, saying Optus had not been forthcoming with that information.

The government services minister, Bill Shorten, said Services Australia needed to know what Medicare information was exposed. “I acknowledge they [Optus] had a full-page newspaper ad in the paper on the weekend, but an ad is not a strategy. That is not a plan,” he said.

O’Neil foreshadowed new cybersecurity legislation. She said critical infrastructure legislation passed in the last parliament had not done what the former Coalition government said it was designed to do.

“I can tell you that those laws were absolutely useless to me when the Optus matter came on foot,” she said. “I simply know that we do not have the right laws in the country to manage cybersecurity emergency incidents and this is something we will need to look at.”

The attorney general, Mark Dreyfus, told ABC’s Insiders program legislation to overhaul privacy law in Australia after the Optus data breach could be introduced to the parliament before the end of this year.

Dreyfus said the government’s response to the long-running review of the Privacy Act would contain changes and “tough penalties” to make companies think harder about storing personal information.

He said he had yet to hear a reason why Optus had kept data as far back as 2017 and he indicated the data should only be collected when opening an account.