CANBERRA – Australia’s federal and state governments on Wednesday called for Optus to pay for replacing identification documents including passports and driver’s licenses to avoid identity fraud after 9.8 million of the telecommunications company’s customers had personal data stolen by computer hackers.
The Australian government has blamed lax cybersecurity at Optus for last week's unprecedented breach of current and former customers' personal information.
Most at risk of identity theft are the 2.8 million customers who had driver’s license and passport numbers stolen.
Prime Minister Anthony Albanese rejected opposition lawmakers’ calls for the government to waive the costs of replacing compromised Optus customers’ passports.
“We believe that Optus should pay, not taxpayers,” Albanese told Parliament.
Foreign Minister Penny Wong wrote to Optus CEO Kelly Bayer Rosmarin on Wednesday requesting her “earliest confirmation” that the Sydney-based company would pay for vulnerable customers’ passports.
“There is no justification for these Australians — or for taxpayers more broadly on their behalf — to bear the cost of obtaining a new passport,” Wong wrote.
Optus did not immediately reply to a request for comment.
State governments have responded differently to requests for driver’s license replacements. Queensland and South Australia have announced free replacements for affected customers, while New South Wales will charge Optus customers for replacement licenses, though its state government has said it expects Optus will offer reimbursements within days. Victoria state has also asked Optus to pay for new licenses, but continues to charge the company's customers.
Optus this week offered its “most affected” customers free credit monitoring for a year.
The federal government only became aware that health care client identification numbers were among the stolen data on Tuesday morning, when 10,000 customers’ records were dumped on the dark web as part of an extortion attempt by the hacker who demanded Optus pay a $1 million ransom. The so-called Medicare numbers are accepted as proof of identity, like passports and driver’s licenses.
Health Minister Mark Butler said Wednesday that his government had not yet decided whether Optus customers required new Medicare cards.
“We’re very concerned … about the loss of this data and working very hard to deal with the consequences of that,” Butler told Australian Broadcasting Corp.
“But we’re particularly concerned that we were not notified earlier and consumers were not notified earlier about the breach of the Medicare data as well,” he added. Optus discovered the breach Sept. 21.
The hacker, who uses the online name Optusdata, withdrew a ransom demand Tuesday in an online post that claimed the stolen data had been destroyed.
Optusdata suggested the extortion attempt had attracted too much attention, said no ransom had been paid and apologized to Optus as well as its customers.
Former Special Adviser to the Prime Minister on Cybersecurity, Alastair MacGibbon, described that scenario as “too good to be true.”
MacGibbon, who is now a cybersecurity consultant, suspected the ransom had been paid or the data had been sold.
Another likely scenario was that the hacker was lying low for the moment while planning a different way to monetize the data, MacGibbon said.
“I’ve spent about 30 years dealing with criminals. I don’t trust them,” MacGibbon said.
“So I’d like to think that this criminal has suddenly found goodness and light and decided the heat was too much and I’m deleting all of the 10 million details. I’m a bit more suspicious than that,” MacGibbon added.