Optus has agreed to provide free credit monitoring to the millions of customers caught up in its massive data breach, as the home affairs minister flags changes to law to potentially fine companies millions for similar breaches.
The company on Monday said it had informed all customers via email or SMS if they had had their passport or driver’s licence numbers compromised in the breach last week.
The breach affected 9.8 million customers, of whom 2.8 million lost “significant amounts of data”, the home affairs minister, Clare O’Neil, told parliament on Monday.
The law firm Slater and Gordon has announced it is investigating launching a possible class action against Optus on behalf of customers. The firm’s class actions senior associate, Ben Zocco, said the breach was “potentially the most serious privacy breach in Australian history”.
The company announced on Monday afternoon that a 12-month subscription to Equifax Protect credit monitoring would be offered to all affected customers, and customers could expect to receive an email about how to start the service in the coming days.
Such services keep track of changes to a person’s credit history and watch for any suspicious activity.
O’Neil told parliament “the breach is of a nature that we should not expect to see in a large telecommunications provider in this country” and that she had asked the chief executive of Optus for credit monitoring services to be provided for affected customers.
O’Neil said the breach raised substantial policy issues, and flagged the potential for new laws with large fines for such breaches.
“One significant question is whether the cybersecurity requirements we place on large telecommunications providers in this country are fit for purpose. I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars,” she said.
The minister did not refer to the incident as a cyber-attack. Reports on how the personal information was accessed have thrown into question the company’s claim that it was as a result of a “sophisticated attack”.
A user going by the name “optusdata” has posted on a data-leak site claiming to have obtained the data, and has offered to sell it back to Optus for $1m in cryptocurrency within the next week. The user posted a sample of the data, including 100 records. Multiple reports have suggested that these records are legitimate Optus user data.
The cybersecurity journalist Jeremy Kirk reported that the user claimed they obtained the data not through a sophisticated attack on the company’s systems but through an application programming interface (API) connected to Optus’s customer database.
An API is an interface that lets software systems exchange data. When one is left reachable on the internet without requiring authorisation, anyone who finds it can retrieve the data it serves.
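To make that distinction concrete, here is an added illustration (not Optus’s code, and not the reported endpoint) of a customer-record lookup exposed without any authorisation check, next to a hardened version that requires a valid bearer token and serves only the caller’s own record. The customer records, the signing secret and the token format are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample records for the illustration; not real customer data.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "licence": "DL-0000001"},
    "1002": {"name": "Bob Example", "licence": "DL-0000002"},
}

# Constructed server-side secret used to sign session tokens (assumption).
SECRET = b"demo-only-secret"


def issue_token(customer_id):
    """Sign a customer id so the server can later verify who is calling."""
    mac = hmac.new(SECRET, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{mac}"


def verify_token(token):
    """Return the customer id the token was issued for, or None if invalid."""
    try:
        customer_id, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, customer_id.encode(), hashlib.sha256).hexdigest()
    return customer_id if hmac.compare_digest(mac, expected) else None


def open_api(customer_id, headers):
    """Weak design: any caller who knows a customer id receives the record."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def authenticated_api(customer_id, headers):
    """Hardened: require a valid token and only serve the caller's own record."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)  # no credential presented at all
    caller = verify_token(auth[len("Bearer "):])
    if caller is None:
        return (401, None)  # credential present but not valid
    if caller != customer_id:
        return (403, None)  # authenticated, but not authorised for this record
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)
```

The first handler is the shape of the design the reports describe: a record for anyone who asks. The second refuses anonymous callers and, separately, refuses authenticated callers asking for someone else’s record, which is the check that stops bulk retrieval even when valid credentials exist.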
When contacted by Guardian Australia on the data leak forum, the user claimed this was how they found and extracted the data from Optus. The API is now offline.
The Australian Federal Police announced on Monday officers were working with overseas law enforcement to identify who was behind the attack.
“Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them,” assistant commissioner Justine Gough said.
“It is an offence to sell or buy stolen identification credentials, with penalties of up to 10 years’ imprisonment.”
Samantha Floreani, program lead at Digital Rights Watch, said having an API online without proper authentication checks for those who access it would be akin to Optus publishing the data.
“This breach is a clear example of the dangers of collecting and storing large amounts of personal information and shows why we need reform to the Privacy Act as well as a strong, well-resourced regulator to enforce it, including access to harsher penalties when companies get it wrong.”
Optus’s head of corporate affairs, Sally Oelerich, would not confirm the reports when asked on 2GB radio on Monday.
“Obviously that’s on the internet. But no one’s picked up the phone and called us, so to speak,” she said. “I cannot actually validate whether that’s even legitimate. And part of that is, again, it’s under investigation.”
The data-leak forum user told Guardian Australia on Monday they had not yet had contact with Optus. They claimed they were not interested in the attention the breach had brought, and “just want money, like everyone”.
A long-awaited review of Australia’s privacy law was also expected to be finalised before the end of this year. The attorney general, Mark Dreyfus, said his department was working through “the many submissions and feedback” to produce a final report that will be made public once the government had considered it.
Optus’s chief information security officer left the company in August after four years in the role, ITNews reported. In a LinkedIn post, Dr Siva Sivasubramanian said it was “sad and shocking” what happened to Optus, and “my heart bleeds for them”.
“I have offered my services and support to the current cyber management team in this hour of crisis.”
Optus has been approached for comment.