Optus has confirmed that a total of 2.1 million Australians had identification numbers for documents like driver licences and passports compromised in its recent breach.

This is the crucial “small subset”, as Optus originally worded it, of customers who may be at the highest risk of identity theft, because ID document numbers like those exposed are used during identification checks.

In a statement on Monday evening, Optus said it had also worked out how many of the ID numbers are still valid (around 1.2 million) and which were expired (around 900,000).

“We have been working collaboratively with other organisations, government departments, and more than 20 licencing authorities to obtain the right information so we could inform and update our customers,” Optus CEO Kelly Bayer Rosmarin said in a video statement.

“We also had to meticulously reconstruct from logs exactly what information the hackers were able to access.”

Restoring confidence

Although not officially confirmed, the Optus breach is believed to have been the result of an unauthenticated API that was inexplicably attached to both a customer database and the internet.

The company’s Monday update, and Rosmarin’s reading of a pre-written statement, were both trying to instil confidence that Optus was somehow in control of the situation after the personal information of 9.8 million Optus customers was compromised.

Optus initially struggled to identify how big the breach was – originally calling 9.8 million customers the “worst case” scenario – and failed to realise that Medicare numbers had also been compromised.

Last week, the telco was under pressure to foot the bill for Optus customers who needed to replace their ID documents.

Now, after identifying the customers most at risk from its security failures, Optus has sent out text messages and emails telling everybody who had what stolen.

While it's simple to see how Optus could query its “meticulously” reconstructed log of the breach to find email addresses and messages of people who had an ID number exposed, there's no way Optus could determine the current validity or expiration date of those licences or passports on its own.

Optus said it arrived at the conclusion that 900,000 of the 2.1 million exposed ID numbers were expired thanks to “extensive ongoing engagement” with government agencies around the country.

How exactly it distinguished between valid and expired ID documents, and what if any arrangements were made to share its customer data with state and commonwealth authorities, are unclear.

Data is a liability

Charles Darwin University Associate Professor Mamoun Alazab said the Optus case shows how the responsibility for reducing the harm caused in data breaches, such as by replacing ID documents, tends to fall on the individuals, not companies, when these incidents occur.

“The laws need to be strengthened to make businesses more responsible and accountable,” he said.

“It was only a matter of time before we experienced an attack of this size, and it exposed the problems with responsibility and accountability in the cyber security space.

“Only victims of a data breach are responsible for dealing with the consequences.”

On the weekend, Attorney General Mark Dreyfus stopped short of promising to table Privacy Act reform legislation before the final parliamentary sitting day this year.

“This is a wakeup call for corporate Australia,” he said. “We are going to look very hard at the settings in the Privacy Act.

“I may be bringing reforms to the Privacy Act before the end of the year to try and both toughen penalties and make companies think harder about why they are storing the personal data of Australians.”

Dreyfus echoed the words of Electronic Frontiers Australia Chair Justin Warren who likened data to asbestos in the wake of the Optus breach, saying corporate Australia ought to “stop regarding all of this personal data of Australians as an asset for them”.

“They actually should think of it as a liability,” he said.