O’Neil and Government Services Minister Bill Shorten criticised Optus over the weekend for not providing data on who had their Medicare and Centrelink numbers accessed.
Bayer Rosmarin said that Optus had provided data to the Office of the Australian Information Commissioner, the independent agency that deals with privacy and data issues, and planned to give requested information to Shorten’s department.
“We received a request from Services Australia to provide them some information by October 4, and we intend to fully comply with that,” Bayer Rosmarin said.
The government is hopeful that Services Australia will receive the data within 24 hours.
“It shouldn’t take a rocket from the government to ignite some action from Optus,” Shorten told The Sydney Morning Herald and The Age on Monday. “It’s day 12 and we’re still waiting on all the information we need to help people.”
Loading
“Services Australia had more contact from Optus today than any other day, so actions speak louder than words.”
After almost two weeks of investigation, Optus has confirmed a series of numbers about the hack. Of the 9.8 million whose data was accessed, Optus believes 7.7 million do not need to replace documents. That could be because their identity document data was not collected, was not recorded properly, or is out of date and cannot be used to verify their identity.
Bayer Rosmarin said just after the hack was disclosed that the 9.8 million figure was an “absolute worst-case scenario” and Optus believed the true number to be lower. Optus has also previously said only about 37,000 Medicare numbers were affected.
There are another 2.1 million customers with identification numbers that potentially require replacement. Some 900,000 of those are expired, Optus believes, but may need replacement because of the practices in some states.
Loading
All up, 150,000 passport numbers were affected along with 50,000 Medicare numbers, Optus confirmed. A major portion of these are expired.
Optus has apologised for the hack in interviews and national newspaper ads. Asked whether it would also apologise for the communications after the hack, which the government and customers have viewed as poor, Bayer Rosmarin said: “We’re very, very apologetic for any aspect of this and how it’s created concerns for our customers. We have done our best to provide as much information as we can as quickly as possible.”
She said the company was listening to customers and making sure its website was the source of up-to-date information. “Unfortunately, this is a more complex issue than we would like with so many different requirements and implications from different licensing authorities.”
Optus will not release the Deloitte review in full and did not provide a deadline for when it will be completed. However, the telco has said it is working with the government and plans to share “key learnings” from its report.
“I’m sure that you can understand that when it comes to cybersecurity defences, a forensic review into that and its controls would be impossible to make public for every hacker out there to look at,” Bayer Rosmarin said.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.