Date: 2022-10-02

Government ministers lined up on Sunday morning to lay into Optus over its massive hacking scandal, blasting the company for not doing enough and saying “sorry” isn’t good enough.

General counsel Mark Dreyfus said he had yet to get an explanation as to why Optus kept sensitive personal information about people even after they left the telco.

The data stolen by the hacker came from 10 million current or former Optus customers and dates back to 2017.

General counsel Mark Dreyfus said Optus had not answered the question of why it kept customer data for so long

“I believe that companies should not store information forever, as seems to be the case with Optus, who keep the very personal data of customers who stopped being customers years ago,” Mr Dreyfus said to ABC’s Insiders.

‘I have yet to hear a reason why this happened. This is particularly a concern because Optus failed to keep that information secure.’

Mr Dreyfus said companies needed a new way of thinking when it comes to personal data.

“One of the settings in the Privacy Act is that information belonging to Australians is only used for the purpose for which it was collected,” he said.

‘If the purpose here was to identify someone who opened an account or got a phone from Optus, then that’s over.’

“I’ve been saying this week that companies outside of Australia should stop viewing all this personal data about Australians as an asset to them, they should actually view it as a liability.”

Mr Dreyfus has indicated that the rules are being tightened around how long companies can store private data

Mr Dreyfus highlighted tightening of the rules around data storage.

“This is a wake-up call for corporate Australia and we will be looking very closely at the settings in the Privacy Act,” he said.

“I may bring reforms to the Privacy Act before the end of the year to try to both toughen the penalties and make companies think more about why they store Australians’ personal data.”

Optus took out a full-page ad in newspapers on Saturday to say it was ‘deeply sorry for the data breach’, but on Sunday morning two government ministers said it was nowhere near enough.

Optus released a full-page ad apologizing to its millions of customers whose personal information was stolen in the country’s biggest-ever data breach

Cybersecurity and Home Affairs Minister Clare O’Neil said Optus had not done enough to warn the most vulnerable, the 10,200 people who had their information leaked online by the hacker.

“Optus has stated that it has told these people – an email is simply not sufficient in these circumstances,” Ms O’Neil told a media conference.

‘We will have to go through a process of speaking directly to the 10,200 people.

“Optus needs to pick up the mantle here to directly make sure people are aware when they are directly at risk, as these people are.”

She said Optus had failed to provide the government with information about who and how many were at risk.

“We want Optus to be transparent about the number of people who have had specific identity documents compromised and that information has not yet been released.”

The criticism was echoed by Services Minister Bill Shorten, who said his department had written to Optus on September 27 asking for details of all those whose Medicare numbers or other Centrelink details were stolen, but had yet to receive a response.

“It’s been 11 days since the breakup,” he said.

‘It is very strange that we still cannot identify who has had their Medicare information number to be able to get their information.

“We need this not tomorrow or the next day, we really needed it a few days ago.”

Bill Shorten criticized Optus for taking almost two weeks to notify the government of what exact information had been stolen from their systems

Mr. Shorten acknowledged the Optus ad, apologizing to customers, but said “business as usual” and “running in fourth gear” was not enough.

“An ad is not a strategy, an ad is not a plan,” he said.

‘We are asking Optus to upgrade their transparency.

‘The systemic risk has been injected into the Australian bloodstream about the privacy of (their) information, we know Optus is trying to do what it can, but having said that, it’s not enough.’

Ms O’Neil said two federal police task forces had been set up to investigate the incident, one to catch the hacker and the other to help the 10,000 whose data had been leaked.

She offered some advice as well as delivering another stinging rebuke to Optus.

“Anyone who believes they are caught up in the hack or becomes aware of risky behavior should go to cyber.gov.au and find advice there and make a report,” she said.

“If you see dodgy emails coming through, don’t click on any links, if you get text messages that look strange, don’t answer, even if you get phone calls from numbers that look dodgy, don’t pick up the phone.

“This is a time of real vigilance for Australians, we shouldn’t be in the position we’re in but Optus has put us here.”

In Saturday’s announcement, Optus said it was working ‘closely with the authorities’, something Ms O’Neil acknowledged, before highlighting what the telco has not done.

Home Affairs Minister Clare O’Neil said Optus had not done enough to warn the most vulnerable after the hack

‘We are deeply sorry’, read the apology.

‘We are deeply saddened that there has been a cyber attack on our watch.

‘We know this is devastating and we will have to work hard to regain your trust. The attack was quickly shut down and we are working closely with authorities to understand how this attack on your privacy occurred.’

The apology comes as it has been revealed that fewer NSW customers will need to change their license numbers because of tougher document verification standards.

Ms O’Neil said the investigation into catching the hacker was ‘progressing well’ and the AFP would be talking about it in the coming week.

After threatening to release all data if Optus didn’t pay a USD 1m ($1.5m) ransom in seven days, the hacker suddenly backtracked mid-week, saying there were ‘too many eyes’ on them, and even apologized for what they did.

Before doing so, however, they released the data of 10,200 people to show that the threat was real.