Australia Says Optus Must Pay For Replacement ID Documents

Australia flag parliament government © Neale Cousland Shutterstock

Singapore owner of hacked Australian telecoms operator must pay cost of replacing passports and drivers licences, Australian minister says

The Australian government continues to make clear its anger over the massive Optus hack incident, that has seen the data of 40 percent of the country’s population compromised.

Last week the Australian operator, owned by Singapore Telecommunications Ltd, confirmed a cyberattack had compromised the data belonging to millions of its customers.

As many as 9.8 million accounts may be compromised, equivalent to 40 percent of Australia’s population. Stolen data includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.

Singapore to pay?

Earlier this week Australia’s cybersecurity minister Clare O’Neil made clear her displeasure at Optus and its owner Singapore Telecommunications.

She confirmed that extensive (and sensitive) personal data such as license numbers and passport numbers for 2.8 million people has also been leaked into the public realm.

And this data “effectively amounts to 100 points of ID check,” making the “scope for identity theft and fraud quite significant in particular for those 2.8 million Australians.”

Clare O’Neil also lambasted Optus claim that it was a sophisticated attack, bluntly saying it wasn’t. She also warned that Optus offer of one year’s credit monitoring for victims was “not an adequate response,” and warned the operator this was “not the end of the story.”

Now Reuters has reported Australia’s Assistant Treasurer Stephen Jones has said that Optus must pay the cost of replacing the passports and drivers licences of millions of customers whose personal information was stolen.

Jones said that the theft of data attached to 10 million customer accounts, equivalent to 40 percent of Australia’s population, was the result of an error by Optus so it was up to the Singapore Telecommunications-owned company to pay for the consequences.

“Optus is absolutely responsible for paying for the costs and the implications of this for customers, whether it’s the replacement of a licence, whether it’s the replacement of a passport, or other necessary pieces of ID,” Jones was quoted by Reuters as telling reporters in Sydney.

He did not give a dollar figure for the costs.

An Optus representative was not immediately available to respond to Jones’s comments.

Optus has apologised for the breach and said it would pay for the most affected customers to receive credit monitoring for a year.

Hacker apology

The latest Australian government comments highlights the growing pressure it is placing on Australia’s second largest telecom operator.

Meanwhile it has been reported that the alleged Optus hacker has had a change of heart and has apologised for the data breach and dropped the ransom threat.

An online account had sought a ransom after it published records of 10,000 Optus customers, and threatened to release more, before change of heart and retracting the threat and deleting all demands.

The hacker had on Monday night allegedly uploaded a text file of 10,000 records to a data breach website and promised to leak 10,000 more records each day for the next four days unless Optus paid $1m in cryptocurrency.

The text leak contained names, dates of birth, email addresses, driver’s licence numbers, passport numbers, Medicare numbers, phone numbers and address information, the Guardian noted. It also included more than a dozen state and federal government email addresses, including four from the defence department and one from the Department of Prime Minister and Cabinet.

But by late Tuesday morning, the alleged attacker had apparently had a change of heart, deleting their posts and claiming they had also deleted the only copy of the Optus data.

Meanwhile this incident has prompted other ISPs in Australia to re-examine their cybersecurity systems and carry out checks to reduce the risk of a similar breach.

“In light of the recent Optus breach, we have been working closely with our cybersecurity partners and the relevant government agencies to increase our checks,” said a spokesperson for number three ISP TPG Telecom Ltdwas quoted as saying by Reuters.

A spokesperson for Telstra, Australia’s largest internet provider, said in an email: “We will continue to consider what other steps we may need to put in place as we learn more about the Optus incident.”