“Medicare numbers were never advised to form part of compromised information from the breach,” O’Neil said in a statement. She said Optus should tell consumers exactly what personal information had been stolen from their accounts as a priority.
Optus customers were informed following the attack that ID document numbers had been compromised but driver’s licences and passports were given as examples, not Medicare.
Bayer Rosmarin said there was “misinformation” about her company’s cybersecurity but did not deny that personal customer information was accessed through an application program interface — a common way for computers to exchange information.
“Our data was encrypted and we have multiple layers of protection,” Bayer Rosmarin said on Tuesday morning. “So it’s not the case of having some completely exposed API sitting out there.”
O’Neil said on Monday night that Optus had “effectively left the window open for data of this nature to be stolen”, flagging bigger fines for data breaches, tougher laws on telecommunications companies and reforms to consumer information rules.
James Paterson, the opposition spokesman for cybersecurity, said he agreed with O’Neil that it was not a sophisticated cyberattack. Responding to enquiries from Paterson, Foreign Minister Penny Wong told the Senate the government would consider whether to waive fees for new passport applications for Optus customers affected by the hack.
Attorney-General Mark Dreyfus revealed the FBI, America’s principal law enforcement agency, was assisting the AFP in Operation Hurricane, its investigation into who was behind the attack.
Bayer Rosmarin argued Optus should not be seen as the wrongdoer and was doing everything it could to help customers. “We are not the villains,” she said. But she pushed back against the introduction of major new fines for companies that allow data to be breached while also saying Optus would take “full responsibility” if investigations found it had made an error.
“I’m not sure what penalties benefit anybody,” Bayer Rosmarin said.
Asked whether she would take responsibility for the hack occurring on her watch and resign, Bayer Rosmarin said: “All we’re focussed on is protecting our customers. So, someone has to be accountable for doing that and that’s exactly what I’m focussed on.”
Optus’ customers have been left fuming by the company’s response, with many complaining of contradictory information from the company and difficulties replacing driver’s licences.
In a post overnight by someone claiming to be the hacker behind the breach, the extortionist warned that 10,000 more records would be released each day over four days unless Optus paid a $1.55 million cryptocurrency ransom. That demand does not rank among the largest threatened by cyber criminals but is not among the lowest either.
On Tuesday morning, the purported hacker abruptly reversed course, saying: “Too many eyes. We will not sale [sic] data to anyone. We can’t even if we want to: personally deleted data from drive (only copy).”
An Optus spokesman said “we didn’t pay” after speculation the company may have transferred a ransom.
The veracity of the posts from the purported hacker has not been confirmed.
Optus has stressed that investigations are ongoing, as have the AFP, limiting what it can say. The recent hack has affected up to 9.8 million Australians, with 2.8 million having extensive data taken, including personal document identification numbers.