Home Affairs Minister Clare O'Neil says a massive breach of Optus customer data should not have happened, saying it was a "basic" attempt by cyber criminals.
"We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen," Ms O'Neil told ABC's 7.30 program.
"Responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country," Ms O'Neil said in parliament earlier.
On Thursday, Optus announced a cyber attack had exposed the data of almost 10 million Australians, with significant amounts of data stolen from 2.8 million people.
Ms O'Neil said it was particularly concerning for those 2.8 million Australians whose stolen data amounted to 100 points of identification, making them particularly vulnerable to identity theft.
She also refuted assertions from Optus that the hack was a sophisticated operation.
It has strenuously denied "human error" was a factor in the hack, after a senior Optus source told the ABC a mistake had inadvertently allowed cyber criminals to steal customer data.
Ms O'Neil said in other jurisdictions, a breach of a similar size to that faced by Optus would result in fines amounting to hundreds of millions of dollars.
She said hundreds of public servants had worked to support Optus, including through the public holiday and weekend, but a "substantial reform effort" would be needed to prevent future breaches of this kind.
"We expect Optus to continue to do everything they can to support their customers and former customers," Ms O'Neil said.
"One way they can do this is providing free credit monitoring to impacted customers.
"This will help protect those customers against identity theft and I call on Optus to make that commitment today."
Following her statement to parliament, Optus announced it would offer free one-year subscriptions to Equifax Protect, a credit monitoring and identity protection service, to the "most affected" current and former customers.
Optus said it would directly communicate with those customers over the coming days, noting that no communications from Optus would include any links, "as we recognise there are criminals who will be using this incident to conduct phishing scams".
Over the weekend, Ms O'Neil said new security measures would be implemented to ensure banks were informed much faster of a breach, and that Optus would be directed to hand over the data of affected Australians to the banks so their security could be upgraded and accounts monitored for fraud.
In parliament, Ms O'Neil challenged whether current cyber security requirements placed on large telecommunications providers were fit for purpose, as she flagged reform.
"The telecommunications sector [previously] said 'don't worry about us, we're really good at cyber security, we'll do it without being regulated', and I would say that this incident really calls that into question," Ms O'Neil said.
Shadow Home Affairs Minister Karen Andrews said criminal penalties for cyber criminals should be toughened.
Ms Andrews has proposed new offences for cyber extortion that would carry a maximum 10 years imprisonment.
"The Labor government needs to step up and do something, not just talk about these issues," Ms Andrews said.
The Australian Federal Police has confirmed it is working with overseas law enforcement to identify the cyber criminals behind the breach.
Law firm Slater and Gordon today said it was investigating a possible class action against Optus on behalf of current and former customers.
"This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed," senior associate Ben Zocco said.