The Albanese government is under pressure to outline exactly how it is going to help customers exposed by the Optus data breach – including whether it will provide replacement passports free of charge – after it was revealed the FBI had been called in to help.
Australia’s financial regulator, the Australian Prudential Regulation Authority (Apra), has separately urged banks to beef up their fraud protections immediately after someone claiming to be behind the cyber-attack posted online that they had released 10,000 customer records.
Sources said the federal government is considering a range of options including a parliamentary review or inquiry into the Optus breach. Potential civil penalties under legislation including the Telecommunications Act are also being explored.
The government would not comment on its plans but the office of the home affairs minister, Clare O’Neil, is believed to be preparing an announcement.
Federal police and cybersecurity agencies are working with the US FBI.
“I want to reassure Australians the full weight of cybersecurity capabilities across government, including the Australian Signals Directorate, the Australian Cyber Security Centre and the Australian federal police are working round the clock to respond to this breach,” O’Neil said on Tuesday.
The purported hacker claimed to have released 10,000 records before another post on a forum apologised and claimed all the stolen data had been deleted.
O’Neil took a swipe at Optus given the released records appeared to include Medicare numbers.
“Medicare numbers were never advised to form part of compromised information from the breach,” O’Neil said in a statement. “Consumers have a right to know exactly what individual personal information has been compromised in Optus’s communications to them. Reports today make this a priority.”
The minister and the Optus chief executive, Kelly Bayer Rosmarin, earlier traded barbs in separate media interviews.
O’Neil said on Monday that Optus had “effectively left the window open for data of this nature to be stolen”, claiming it was a “basic” hack. Asked about those comments on Tuesday morning, Rosmarin called it “misinformation” and claimed O’Neil commented before receiving a briefing from Optus.
Rosmarin said the breach was “not what it’s made out to be” because the data was encrypted and there were “multiple levels” of protection.
O’Neil was not in parliament on Tuesday due to a personal matter but sources said her view remains unchanged.
Apra said on Tuesday the entities it regulates “should harden controls on high-risk processes and transactions where possible, eg. digital customer onboarding [and] setting up first time payees”.
“This could include control examples such as additional two-factor authentication requirements and call-backs,” Apra said.
The regulator said companies should also direct customers to “reputable sources” such as the Australian Cyber Security Centre, the corporate regulator’s Moneysmart service and the information commissioner “which outline additional steps customers can take to limit the risk of fraud”.
On Tuesday morning, the chair of parliament’s joint committee on intelligence and security (PJCIS), Labor MP Peter Khalil, said he believed the breach was “pretty simple – at least not a very complex hack”.
Khalil laid partial blame for the hack on the former Coalition government, accusing it of exempting telecommunications companies from critical infrastructure laws.
“They made that decision,” Khalil told Sky News. “It enabled this attack. Now Optus is responsible, but of course, you know that we live in a very dangerous neighbourhood … they’ve left the back door open and they’ve left the windows open.”
But the shadow minister for cybersecurity, Senator James Paterson, rejected that critique. He said companies were covered either by critical infrastructure laws or other telecommunications legislation.
Paterson called on O’Neil to detail exactly what the government’s response would be.
“There are no gaps in the legislation,” Paterson said. “There is no instance where the telecommunications sector is not regulated.
“It’s not clear whether the minister has applied all the powers available to her under the act and it’s up to her to say if she has. The public needs to be reassured that the government is using the powers that it has within its remit to address these issues.”
Coalition shadow minister Simon Birmingham and Paterson called on the federal government to waive fees and expedite the processing of new passports for Optus customers – after several state governments said they would do the same thing for driver’s licences.
“Victims of the Optus cyber hack should not have to wait or pay significant amounts of fees to secure their personal information and obtain a new passport,” they said in a statement.
Comment was sought from the assistant foreign minister, Tim Watts, who has carriage over passports.
The acting prime minister, Richard Marles, told parliament on Tuesday that the Optus breach had been “a wake-up call for corporate Australia”. He said protecting affected customers “will be the entire focus of this government”.