The Australian government on Sunday levelled its harshest criticism yet against Optus, the second-biggest telecoms company, for a cybersecurity breach that affected the equivalent of 40% of the country’s population.
The government blamed Optus, owned by Singapore Telecommunications (STEL.SI), for the breach, which affected 10 million accounts, urging the company to speed up its notification to 10,200 customers whose personal information was released in one of the country’s biggest cybersecurity breaches.
“We should not be in the position that we’re in, but Optus has put us here,” Home Affairs Minister Clare O’Neil told a televised news conference from Melbourne. “It’s really important now that Australians take as many precautions as they can to protect themselves against financial crime.”
Optus had no immediate comment on the government’s remarks.
The company ran a full-page apology in major Australian newspapers on Saturday for the “devastating” breach that it first reported on Sept. 22. An unidentified person later posted online that they had released personal details of 10,000 Optus customers and would keep doing so daily until they received $1 million.
Australian police’s operation to find the person or people behind the breach at Optus is “progressing well”, O’Neil said, adding that police would provide an update this week.
However she said Optus needed to step up its efforts to call, not just email, people whose identification data was released online to let them know they are at risk.
Saying now was “a time for real vigilance for Australians”, O’Neil urged those who had been notified to cancel their passports or other identification cards and get fresh identification documents as soon as possible.
Five days after being requested, Optus had not handed over information to the government about customers who had provided their Medicare health care cards or other social services information for identification purposes for Optus accounts, said Government Services Minister Bill Shorten.
“We call upon Optus to understand that this breach has introduced systemic problems for 10 million Australians in terms of their personal identification,” he told reporters at the joint media conference.
“We know that Optus is trying to do what it can, but having said that, it’s not enough,” Shorten said. “It’s now a matter of protecting Australians’ privacy from criminals.”
O’Neil said Australia needs to reform its cybersecurity laws to give the government stronger powers to respond to cyber security emergency incidents.