Australian foreign minister Penny Wong has written to Optus and asked the phone company to replace passports for victims of a massive data breach, which the government says was a “basic hack” and blames on the company’s “failures on cybersecurity and privacy”, according to a report by the Australian Broadcasting Corporation.
The move could cost Optus, the country’s second largest telecom operator, hundreds of millions of dollars because a new passport costs $308 and the data of millions of Australians, who provided either passport or driver’s licence details, were believed to have been accessed by the hack.
Optus has described the breach as a “sophisticated” operation and has already agreed to pay for the cost of new driver’s licences for people whose data was accessed, the report said.
Meanwhile, the government plans to toughen privacy rules to force companies to notify banks faster when they experience cyber attacks, Prime Minister Anthony Albanese said on Monday, after hackers targeted the company recently.
Optus, which is owned by Singtel, said last week that home addresses, drivers’ licences and passport numbers of up to , or about 40% of the population, were compromised in one of Australia’s biggest data breaches.
The attacker’s IP address, or unique identifier of a computer, appeared to move between countries in Europe, the company said, but declined to detail how security was breached.
Australian media reported an unidentified party had demanded $1 million in cryptocurrency for the data in an online forum but Optus has not commented on its authenticity.
Albanese called the incident “a huge wake-up call” for the corporate sector, saying there were some state actors and criminal groups who wanted to access people’s data.
“We want to make sure … that we change some of the privacy provisions there so that if people are caught up like this, the banks can be let know, so that they can protect their customers as well,” he told radio station 4BC.
Australia Cyber Defences
Cybersecurity Minister Clare O’Neil said Optus was responsible for the breach and noted such lapses in other jurisdictions would be met with fines in the hundreds of millions of dollars, an apparent reference to European laws that penalise companies 4% of global revenue for privacy breaches.
“One significant question is whether the cyber security requirements that we place on large telecommunications providers in this country are fit for purpose,” O’Neil told parliament.
Optus said it would offer the most affected customers free credit monitoring and identity protection with credit agency Equifax Inc for a year. It did not say how many customers the offer applied to.
The telco has now alerted all customers whose driving licences or passport numbers were stolen, it said in an emailed statement. Payment details and account passwords were not compromised, it added.
Australia has been looking to beef up cyber defences and pledged in 2020 to spend A$1.66 billion ($1.1 billion) over the decade to strengthen the network infrastructure of firms and homes.
- With Reuters and additional editing by Jim Pollard
Read the full report: ABC.