The Australian Government has demanded payment from Optus for the replacement costs of ID documents such as passports and driver’s licences compromised during the cyber attack at the telecommunications company last week.
Amongst the 9.8 million Australians affected during the attack, the most at risk are a subset of 2.8 million customers who had their driver's licences and passport numbers stolen.
The replacement of these documents is critical and time-sensitive as they could potentially be used to commit identity theft by cybercriminals.
Addressing the parliament, Prime Minister Anthony Albanese rejected the opposition’s demands to waive the costs of replacing compromised Optus customers’ passports.
“We believe that Optus should pay, not taxpayers,” he said
This afternoon @albomp gave the parliament an important update on the Optus security breach.Not only are we demanding Optus pay for replacement passports for those affected by the breach, but we're also committed to strengthening our privacy laws through the Privacy Act review. pic.twitter.com/JyoRJxyM3p
— Clare O'Neil MP (@ClareONeilMP) September 28, 2022
“Earliest confirmation” from Optus requested
In a letter to Optus CEO Kelly Bayer (ETR:BAYGN) Rosmarin, Australian Foreign Minister Penny Wong wrote: “Passport customers affected by this breach and concerned about identity fraud may choose to replace their passports.
“There is no justification for these Australians – or the taxpayers more broadly on their behalf – to bear the cost of obtaining a new passport.
“I, therefore, seek your earliest confirmation that Optus will cover the passport application fees of any customers affected by this breach whose passport information was disclosed and who choose to replace their currently valid passport.”
What happened?
A week ago, Optus revealed that the breach in its systems exposed an unspecified number of customer names, dates of birth, phone numbers and email addresses.
Alarmingly for a subset of customers, addresses and identity document numbers, such as driver’s licences or passport numbers, were also taken in the breach.
However, payment details and account passwords were not compromised in the attack.
Darkweb screenshots surfaced quickly after the attack, with an underground BreachForums user going by the moniker of ‘optusdata’ offering two tranches of data.
The hacker claimed to have records for about 11.2 million Optus customers, including their names, dates of birth, phone numbers, email addresses and, for a subset of customers, addresses and ID document numbers such as driver’s licence or passport numbers.
Earlier this week, optusdata released 10,000 records to twist Optus’s hand in the negotiations.
Subsequently, in a quick turn of events, the hacker withdrew the ransom demand, apologises to Optus and the Australian people and claimed that the data had been destroyed.
Global cyber security experts agree - what happened at Optus was not a sophisticated attack.#9ACA pic.twitter.com/YfgzwJYgsk
— Clare O'Neil MP (@ClareONeilMP) September 28, 2022