Optus has unveiled an external review of its recent hack in a bid to quell white-hot anger from the public and a chorus of government ministers.
In a statement on Monday, the telco said Deloitte would prepare a report into how the personal data of 9.8 million people was stolen last month, amid accusations Optus “left the window open” for hackers to get in.
The “forensic review” will probe the hack itself and the circumstances surrounding it, the company announced.
“While our overwhelming focus remains on protecting our customers and minimising the harm that might come from the theft of their information, we are determined to find out what went wrong,” Optus chief executive Kelly Bayer Rosmarin said in a statement on Monday.
“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.”
The probe comes as Optus enters a third week of damage control after what’s being described as the biggest data hack in Australian history.
Personal information including names, emails, addresses, birthdays and identity data like licences, passports and Medicare details was stolen by criminals – prompting fears about identity theft and personal scams.
The telco is facing widespread public anger in the wake of the hack, with federal government ministers also accusing Optus of failing to properly cooperate with authorities to protect millions of affected users.
Federal minister Tanya Plibersek said on Monday that while people had received their bills on time, the telco had failed to tell customers if their personal details had been stolen.
“One of the real problems is the lack of communication by Optus, both with its customers and the government,” she told the Seven Network.
“I don’t think the company is doing a particularly good job with its customers or providing the government with the information we need to keep people safe.
“It’s extraordinary we don’t have any Medicare numbers or Centrelink numbers that may have been compromised.”
Optus sent further texts to customers on Monday informing some of the millions hit by the data breach.
“Cyberattack update: Confirming only the licence number on your driver licence was exposed, not the card number. Your state or territory government will provide advice on any action that you may need to take via their website,” Sunday’s message from the embattled telco read.
But even that sparked more anger among affected Optus customers.
“That’s what Optus thinks is proper communication?” wrote one Twitter user.
“We need/deserve to know what info has been compromised. Obviously names, mobile number, (perhaps my driving licence!?!) but what else?
“And don’t tell me to contact my state, when you’ve been the one taking my $ for years.”
Others said they were yet to hear anything from the company.
“A full week with zero coms from Optus since the initial ‘breach’ email. Still no idea which ID document was exposed,” tweeted another customer.
“So apparently it was ‘just’ my driver’s licence number that was hacked. Optus kindly sent me this text that tells me to sort it out myself. Thanks Optus, very helpful,” wrote a third.
Optus was also slammed on Sunday by Albanese government ministers for not responding to requests for information to help protect almost 10 million Australians from fraud.
Services Australia wrote to Optus last Tuesday, seeking the full details of all customers who had Medicare cards or Centrelink concession cards compromised to boost security measures.
The government said Optus was yet to respond to the request.
At least 10,000 parcels of ID data taken in the breach were put on the internet for sale by the hacker, before they took it down.
Cyber Security Minister Clare O’Neil said Optus needed to be up-front about what specific data had been taken for individuals, while admitting the government didn’t know how many passport numbers had been stolen.
“Optus advised me this morning that they have contacted the 10,200 people. I gave very clear feedback to Optus that an email was not going to cut it here,” she said.
Ms O’Neil said the government was particularly concerned for those people whose sensitive data had already been published in the “ether”.
Government Services Minister Bill Shorten said about 36,900 Medicare numbers had been leaked.
He said Services Australia was ready to act and begin flagging individuals and their accounts. But the government needed Optus to reveal who had been caught up.
Optus chief executive Kelly Bayer Rosmarin has apologised to customers, but is resisting calls to step down following the disaster.
Ms O’Neil criticised the former Morrison government, describing laws designed to protect Australia’s critical infrastructure from cyber attacks as “absolutely useless”.
“This company (Optus) has just overseen what is without question, the largest consumer data breach in Australian history,” she said.
Opposition cyber security spokesman James Paterson said the Coalition would be open to bigger fines for breaches of the Privacy Act.
In a statement, an Optus spokesperson said the company was working with government agencies to determine which customers it needed to take action on.
“We continue to seek further advice on the status of customers whose details have since expired. Once we receive that information, we can notify those customers,” the spokesperson said on Sunday.
“We continue to work constructively with governments and their various authorities to reduce the impact on our customers.”
Optus did not say on Monday whether the details of Deloitte’s review into the hack will be made public, amid allegations the telco fell victim to a “basic hack” of an unauthenticated access interface in its systems.
-AAP