Australia updates law to protect data after Optus hack
The Australian government announced changes Thursday to its telecommunications law to protect vulnerable customers after personal details were stolen in a major cyberattack on the nation’s second-largest wireless carrier.
The changes to Telecommunications Regulations allow Optus and other providers to better coordinate with financial institutions and governments to detect and mitigate the risk of cybersecurity incidents, fraud, scams and other malicious cyber activities, Treasurer Jim Chalmers and Communications Minister Michelle Rowland said in a joint statement.
“What this is all about is to try and reduce the impact of this data breach on Optus customers and to enable financial institutions to implement enhanced safeguards and monitoring,” Rowland told reporters.
More than one in three Australians had personal data stolen when Optus lost the records of 9.8 million current and former customers including passport, driver’s license and national health care identification numbers in a hack discovered on Sept. 21.
The hacker dumped the records of 10,000 of those customers on the dark web last week as part of an attempt to extort $1 million from Optus, a subsidiary of Singapore Telecommunications Ltd., also known as Singtel.
Optus ran full-page ads in Australian newspapers on Saturday under the headline: “We’re deeply sorry.” The ad included a link to an Optus website that details actions customers can take to avoid identity theft and fraud.
The government can change regulations without reference to the Parliament. But the government hopes to pass changes to the Privacy Act through the Parliament during its final four sitting weeks of 2022 in response to the Optus breach.
The changes would include increased penalties for companies with lax cybersecurity protections and curbs on the quantities and types of customer data that businesses can amass, as well as the duration for which personal information can be kept.