Impacted by the breach? Government agencies have published advice on actions to take.
In the immediate aftermath of the Optus data breach, the government found itself in a difficult position.
Optus was opaque about how many of its customers had their data breached and about the nature of the data taken, and only reported the breach to the government after it had managed to “close the window” through which hackers gained access.
This meant that the government would have been a step behind in its response had the attack been state-based and had more data been at risk of being exposed.
Prime Minister Anthony Albanese was clear about what he expected Optus to do for its customers, saying, “the government expects Optus to do everything within its means to support affected customers” during question time nearly a week later.
The Prime Minister was also quick to point out the failure of the previous government to legislate for a breach of this nature, saying, “those opposite want taxpayers to pay for a problem caused by Optus and their own failures on cybersecurity and privacy regulation”.
Ministers Attack
Cybersecurity Minister Clare O’Neil was far more scathing in her criticism of Optus, saying “responsibility for this breach rests with Optus” and that a breach of this kind was something we “should not expect to see in a large telecommunications provider in this country,” during question time a few days earlier.
O’Neil was also quick to criticise the previous government's cybersecurity laws and how they affected her ability to act in the immediate aftermath of the breach: “I can tell you those laws were absolutely useless to me when the Optus matter came on foot.”
By the Friday of the week the breach took place, Optus announced publicly that the personal information of 9.8 million Australians had been compromised in the breach, making it one of the largest incidents of its kind in Australia’s history.
The very next day, high-ranking ministers in the government were taking care of their respective departments, making sure that the information from the leak was not misused further. Treasurer Jim Chalmers activated regulators of the financial system to protect the bank accounts of those who had their details breached.
Policy Changes
Last week, Chalmers joined Communications Minister Michelle Rowland to announce that the government would change the regulations around the sharing of data by telecommunications companies, marking the single largest piece of policy reform to arise in the aftermath of the breach.
With the changes, Optus and other telcos will now be able to share limited customer information with financial institutions and government agencies. This means telcos will be able to share driver's licence, Medicare and passport numbers with APRA (Australian Prudential Regulation Authority) regulated institutions only to assist in enhanced monitoring for the protection of those affected by the breach.
They will also be able to share this information with state and federal government agencies to assist in fraud detection. Ms Rowland made clear that all the changes were done with the intention of reducing the “impact of this data breach on Optus customers” so financial institutions can “implement enhanced safeguards and monitoring”.
Rowland also made it clear that this would not be the only policy change in response to the breach, saying “these regulations will be the latest in a raft of rapid but very measured initiatives under this government in response to this breach.”
Both ministers also made clear points about how long this information can be kept by the financial institutions and how long these new regulations would be in place. Institutions will have to review the data they have collected every 12 months and if the data is no longer required then “it needs to be destroyed”.
The regulations themselves would only last for 12 months, after which the government will review the need “for them to continue in their current or future form.”
Communications Minister Michelle Rowland explaining the aims of new data regulations in the wake of the Optus data breach. Video: ABC
The other major piece of government action to come as a result of the data breach is the creation of Operation Hurricane and Operation Guardian by the AFP.
Operation Hurricane is a multinational operation that has brought together various agencies from around the world including the FBI as well as agencies in Australia such as the Australian Signals Directorate. The taskforce aims to “identify the criminals behind the alleged breach” and “shield Australians” from having their identity stolen.
In a statement, AFP Assistant Commissioner Justine Gough reassured Australians about the efforts the AFP was taking in its investigation, saying, “This is an ongoing investigation but it is important the community knows the AFP and our partners are doing everything within scope to identify the offenders responsible, and to also ensure we can protect individuals who are now potentially vulnerable to identity theft”.
“We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities. Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them,” she said.
Operation Guardian falls under the umbrella of Operation Hurricane, and its focus is on protecting from fraud or identity theft the 10 thousand or so customers who had the most of their data stolen. The assistant commissioner also pointed out the “significant number of resources” the operation was employing.
“Operation Guardian should send a clear warning to cybercriminals. The AFP, state and territory police plus other agencies through the JPC3 have a laser-like focus, plus a significant number of resources and legislative powers, to identify cybercrime targets,” she said.
Those impacted by the incident are advised to contact reputable sources for information.
Reputable sources include:
Office of the Australian Information Commissioner
Moneysmart
IDCare
Australian Cyber Security Centre
You should not use non-government sites to check if your data has been exposed.