Prime Minister Anthony Albanese has taken a strong stance on Optus' landmark data breach, calling the hack a 'wake up' call for corporate Australia and declaring an upcoming increase in fines following the unprecedented compromise of nearly 10 million Australians' personal details.
"It's very clear that this shouldn't have occurred," Albanese told FiveAA radio.
"Upping the fines is certainly one area where there needs to be a penalty for a failure of this magnitude, and it's simply not in place at the moment."
In addition to a major increase in fines, which could speculatively run into hundreds of millions of dollars, Albanese also stated a need to look at privacy law, indicating a government effort to ensure companies are held accountable for data breaches.
Over the past seven days, multiple public figures have come out to criticise as inadequate not only Optus' handling of the breach but Australian privacy laws as well – forecasting a range of substantial changes in coming months.
"We are looking at what urgent reforms can be made to the Privacy Act," said Attorney-General Mark Dreyfus.
The Privacy Act is Australia's principal piece of legislation when it comes to protecting the handling of personal information about individuals, and it currently caps relevant penalties at $2.2 million.
Home Affairs Minister Clare O'Neil said she will be looking at new cyber security laws in the wake of Optus' breach, stating the current level of penalties was "totally inappropriate".
O'Neil told parliament that under other jurisdictions, a data breach of similar size would "result in fines amounting to hundreds of millions of dollars."
The Albanese government will pursue "very substantial" reforms, and comments from the likes of the Attorney-General indicate these reforms may also impact the way companies are permitted to store and handle data.
"It is certainly not just simply about increasing penalties, although that will be part of the reforms we are going to look at," Dreyfus said in Canberra on Thursday.
"Australians need to be assured that when their data is asked for and taken from them by a private company or by government that it will only be used for the purpose for which it has been collected, and we need to get in place something that encourages companies to dispose of data safely, to not keep data when they no longer have a purpose for it," said Dreyfus.
The Optus data breach, which has affected approximately 10 million customers, is remarkable not only for the number of records stolen, but also for the quality of information leaked.
Licence, Medicare, and passport details were exposed by the breach, and cyber security experts have been quick to point out that, for those impacted, the exposed details could substantiate 100 points of identification, the metric used to prove identity with many institutions, such as banks.
"They don't seem to me to have a valid reason, to say they need to keep that for the next decade," said Dreyfus.
While the full extent of upcoming reforms is still unknown, companies could see major changes to the data they are allowed to keep, the amount of time they can retain personal information, and a potential mandate for purging already retained records.
Where's the data?
The government has said it asked Optus on 27 September for the details of customers whose Medicare and Centrelink details were exposed during the breach.
The government agency Services Australia intends to use the requested information to "place additional security measures on affected customer records, as required," and "to prevent future fraud."
On Sunday, Bill Shorten, Minister for Government Services and NDIS, said, "Services Australia has been working around the clock to help protect customers, but we need Optus to help us help Australians."
O'Neil added, "Optus needs to communicate clearly to the Australian Government, and to their customers, about exactly what information has been taken regarding specific individuals."
"This will enable us to make sure that those 10 million Australians who have had some of their personal information stolen are not at risk of some type of financial crime or online fraud," she said.
"We urge Optus do everything it can to provide our agencies with the information they need to help us do that."
The reputational harm to Optus is undeniable, with the company publicly acknowledging they'd need to 'work hard' to regain customer trust.
Optus customer Charmaine Proudlock, who has suffered two separate incidents of her personal information being stolen from the telecommunications provider, said, "they've got the audacity to play like they're the victim? No, they're not the victim. They're the soft target."
"No humans actually rung me and apologised," she added.
O'Neil commented on Optus' communication following the incident, stating, "Optus must be transparent about the number of people who have stolen specific identity documents and directly speak with the 10,200 individuals impacted."
"An email is not enough."