In light of the federal government’s warning that the effects of the Optus cyberattack will last for a very long time, Australia’s privacy commissioner has fired a warning shot over the heads of organisations holding personal data.
The Office of the Australian Information Commissioner is probing Optus’ compliance with data breach requirements after unknown hackers stole the information of about 10 million people, exposing them to the risk of identity theft and fraud.
“All organisations need to assess the risk a data breach poses to compromising their own customers’ data and ensure additional safeguards are in place,” Commissioner Angelene Falk said on Thursday.
The commissioner also raised concerns companies are holding on to personal data – like driver’s licence, passport and Medicare details – they don’t need to.
“They must take reasonable steps to destroy or de-identify the personal information they hold,” she said.
“Collecting and storing unnecessary information breaches privacy and creates risk.”
The Optus scandal had also highlighted the need to “shift the dial” and make organisations ultimately responsible for protecting their clients.
Federal Financial Services Minister Stephen Jones held talks with the Australian Competition and Consumer Commission, other regulators and banking representatives on how to respond to the breach.
“There’ll be a long-tail impact of this data breach,” Jones told reporters in Sydney.
“There is no lack of goodwill to co-operate, from the Commonwealth, from the banks and even the telecommunications companies.
“People understand the scale of this and we are moving as fast as we can.”
Jones stressed Optus had a responsibility to the almost 40 per cent of Australians affected by the breach.
Optus has revealed the 9.8 million customer records exposed to the hackers included 14,900 valid or active Medicare ID numbers and 22,000 expired numbers.
The government earlier this week expressed its shock that Medicare details were part of the theft, although card holders are being told their health details can’t be accessed with their client number.
The data breach has prompted nearly all states and territories to allow affected residents to apply for new driver’s licence numbers for free, with any costs expected to be ultimately paid for by the telco.
And Prime Minister Anthony Albanese has demanded Optus pay the cost of replacement passports, saying the hack was the telco’s fault.
“Companies need to be held to account here, and that is something my government is determined to do,” he said on Thursday.
Foreign Minister Penny Wong wrote to Optus chief executive Kelly Bayer Rosmarin on Wednesday, saying there was “no justification” for taxpayers to foot the passport bill. Optus has yet to respond.
Meanwhile, reforms to Australia’s privacy and data laws will be rushed through in the wake of the crisis.
Legislative changes could be introduced to parliament by the end of the year, Attorney-General Mark Dreyfus said on Thursday.
“It is certainly not just simply about increasing penalties, although that will be part of the reforms we are going to look at,” he said.
“We need to make sure that companies who are keeping Australians’ data pay absolute attention to keeping that data safe.”
Dreyfus said he saw no reason why telcos needed to keep data used to validate identification, such as a driver’s licence or passport, for a decade.
But the federal opposition has criticised the government for not implementing reforms to online privacy recommended in a previous coalition government review.
“It should not have taken the cyber attack on Optus to wake up this government,” opposition communications spokeswoman Sarah Henderson said.
With AAP. (Content has been tweaked for length and style.)