Optus has agreed to provide free credit monitoring to millions of customers caught up in its massive data breach, as the home affairs minister signals changes to the law that could see businesses fined millions for similar breaches.
The company said on Monday it notified all customers by email or text message if their passport or driver’s license number had been compromised during last week’s breach.
The breach affected 9.8 million customers, 2.8 million of whom lost “significant amounts of data”, home affairs minister Clare O’Neil told parliament on Monday.
Law firm Slater and Gordon has announced that it is investigating the launch of a potential class action lawsuit against Optus on behalf of its clients. The firm’s senior class action partner, Ben Zocco, said the breach was “potentially the most serious breach of privacy in Australian history”.
The company announced on Monday afternoon that a 12-month subscription to Equifax Protect credit monitoring would be offered to all affected customers, and that customers could expect to receive an email explaining how to start the service in the coming days.
These services keep track of changes to a person’s credit history and monitor suspicious activity.
O’Neil told parliament that “the breach is of a nature that we should not expect to see from a major telecommunications provider in this country” and that she had asked the chief executive of Optus to ensure credit monitoring services were provided to affected customers.
O’Neil said the breach raised significant policy issues and pointed to the potential for new laws with heavy fines for such breaches.
“An important question is whether the cybersecurity requirements that we impose on the major telecommunications providers in this country are fit for purpose. I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars,” she said.
The minister did not call the incident a cyberattack. Reports of how personal information was accessed have called into question the company’s claim that it was the result of a “sophisticated attack”.
A user by the name of “optusdata” posted on a data leak site claiming to have obtained the data and offered to sell it back to Optus for $1 million in cryptocurrency within the next week. The user posted a sample of the data comprising 100 records. Several reports have suggested that these records are legitimate Optus customer data.
Cybersecurity journalist Jeremy Kirk reported that the user claimed to have obtained the data not through a sophisticated attack on the company’s systems, but through an application programming interface (API) connected to Optus’s customer database.
An API is used to allow systems to exchange data. When one is left exposed on the internet without requiring authentication, it is not difficult for anyone who finds it to retrieve the data behind it.
When contacted by Guardian Australia on the data leak forum, the user claimed that this was how they found and extracted the data from Optus. The API is now offline.
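The failure mode described above, modelled in Python as an added example (not code from the article or from Optus): an unauthenticated customer lookup beside a version that checks a bearer token and record ownership, plus a log check that flags a source walking sequential customer ids. All identifiers, tokens, records and log lines are constructed for illustration.

```python
import hmac
from collections import defaultdict

# Constructed sample data (not real records): a customer store keyed by
# sequential numeric id, and bearer tokens mapped to the customer they belong to.
CUSTOMERS = {i: {"name": f"Customer {i}", "licence": f"LIC-{i:04d}"}
             for i in range(1000, 1100)}
TOKENS = {"tok-alpha": 1001, "tok-bravo": 1002}

def lookup_open(customer_id):
    """Unauthenticated endpoint: any client that can reach it can fetch any
    record, so walking the id space yields the whole table."""
    return CUSTOMERS.get(customer_id)

def lookup_hardened(customer_id, headers):
    """Authenticated endpoint returning (status, record). Requires a valid
    bearer token and releases only the record belonging to the token's owner."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    presented = auth[len("Bearer "):]
    owner = None
    for token, cid in TOKENS.items():
        if hmac.compare_digest(token, presented):  # constant-time comparison
            owner = cid
    if owner is None:
        return 401, None
    if owner != customer_id:
        return 403, None  # authenticated, but not this caller's record
    return 200, CUSTOMERS.get(customer_id)

def flag_enumeration(log_lines, threshold=20):
    """Detection over access-log lines of the form '<src> <method> <path>':
    a source requesting many distinct customer ids is walking the id space."""
    ids_by_src = defaultdict(set)
    for line in log_lines:
        src, _method, path = line.split()[:3]
        if path.startswith("/api/customers/"):
            ids_by_src[src].add(path.rsplit("/", 1)[-1])
    return sorted(s for s, ids in ids_by_src.items() if len(ids) >= threshold)

# Constructed log: one ordinary caller and one source sweeping sequential ids.
SAMPLE_LOG = ["198.51.100.7 GET /api/customers/1001"] + [
    f"203.0.113.5 GET /api/customers/{i}" for i in range(1000, 1050)]
```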
The Australian Federal Police announced on Monday that officers were working with overseas law enforcement to identify who was behind the attack.
“Criminals, who use pseudonyms and anonymizing technologies, cannot see us, but I can tell you that we can see them,” Assistant Commissioner Justine Gough said.
“It is an offense to sell or buy stolen identification documents, with penalties of up to 10 years in prison.”
Samantha Floreani, program manager at Digital Rights Watch, said having an online API without proper authentication controls for those accessing it would amount to Optus publishing the data.
“This breach is a clear example of the dangers of collecting and storing large amounts of personal information and shows why we need Privacy Act reform and a strong, well-resourced regulator to enforce it, including access to tougher penalties when companies get it wrong.”
Optus general affairs manager Sally Oelerich did not confirm the reports when asked on 2GB radio on Monday.
“Obviously, it’s on the internet. But no one picked up the phone and called us, so to speak,” she said. “I can’t actually validate if it’s even legit. And part of that is, again, that it’s being investigated.”
The data breach forum user told Guardian Australia on Monday that they had not yet had contact with Optus. They claimed they weren’t interested in the attention the breach had garnered and “just wanted the money, like everyone else”.
A long-awaited review of Australia’s privacy law was also due to be finalized before the end of this year. Attorney General Mark Dreyfus said his department was working through “the many submissions and comments” to produce a final report that will be made public once the government reviews it.
Optus’ chief information security officer left the company in August after four years in the role, ITNews reported. In a LinkedIn post, Dr Siva Sivasubramanian said it was “sad and shocking” what happened to Optus, and “my heart bleeds for them”.
“I offered my services and support to the current cyber management team in this hour of crisis.”
Optus has been approached for comment.