Monday, 26 September 2022

Interview with ABC 7:30

LAURA TINGLE, PRESENTER: Clare O'Neil, first of all, how much clarity have you got from Optus about what sort of personal data has been stolen and what period does it cover? Is it only existing Optus customers who need to be worried?

CLARE O'NEIL, MINISTER FOR CYBER SECURITY: Thanks, Laura. We've got quite detailed information from Optus about what the security breach has put into the public realm.

We know that for 9.8 million Australians, some basic personal information has been stolen from Optus but for 2.8 million Australians, quite extensive personal data - which includes things like licence numbers and passport numbers - have been taken.

The reason this is so concerning to us is because what this effectively amounts to is 100 points of ID check and so the scope for identity theft and fraud is quite significant, in particular for those 2.8 million Australians.

LAURA TINGLE: How could that happen? How could a telecommunications company even have that much personal ID? It seems extraordinary.

CLARE O'NEIL: Absolutely, how could this happen? I think that the Albanese Government is asking Optus that question at the moment and I point to not just the scope and amount of data that was held, Laura, because telecommunications companies, by their nature, will hold a lot of data about Australians.

What is of concern for us is how what is quite a basic hack was undertaken on Optus. We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.

And the thing that's very exercising for me as Cyber Security Minister is why did this happen and how can we make sure it never happens again?

LAURA TINGLE: Well, you certainly don't seem to be buying the line from Optus that it was a sophisticated attack.

CLARE O'NEIL: Well, it wasn't. So, no.

LAURA TINGLE: Right. So the fact that Optus is trying to make amends by offering its most affected victims year-long free subscriptions to credit-monitoring services and identity-protection services to help stop that risk of ID theft - is that an adequate response from them in the first instance?

CLARE O'NEIL: It's certainly not an adequate response, but I'm pleased that Optus have made this commitment today.

So I called on Optus in Question Time, to provide credit monitoring for those most affected customers and later this afternoon, they agreed to do that, and I thank Optus for assisting with that.

This is not the end of the story here. We are still going to be talking about the Optus hack in the weeks to come.

Optus need to communicate clearly to their customers about exactly what information has been taken from specific individuals, and then needs to assist and support customers to manage the impacts of what is an unprecedented theft of consumer information in Australian history.

LAURA TINGLE: That 2.8 million group, the smaller group that's lost a lot more details, what identified them as being particularly vulnerable or why did they lose more of their personal information?

CLARE O'NEIL: It was just the way that the data was organised within Optus and how it was taken during the breach that it occurred.

LAURA TINGLE: It wasn't a particular type of client for services or anything like that?

CLARE O'NEIL: I'm not sure about that information, Laura, and one of the themes that's emerged for me today is the need for Optus to clarify to their customers about who has had that additional amount of information taken and why and I'll talk to Optus about that this evening.

LAURA TINGLE: What powers have you got to find out from Optus what's happened and what's the role of the government more broadly here?

CLARE O'NEIL: This is a really important question, Laura, and I am making sure that I note through this experience some of the policy levers that are not available to me that I believe should be.

So if I can just step back a little bit, I don't want to blame this on the former government, but I just want to note that we are probably a decade behind in privacy protections where we ought to be. I would say we're about five years behind in cyber protections than where we should be given how fast things are moving.

When it comes to cyber protections, the previous government put in place a very significant piece of legislation that I think was a very good start, but it didn't bring telecommunications companies into that legislation.

And so what it's meant is that I am more limited with telecommunications companies in terms of the powers that I have. Now the reason that it did that is because, at the time, the telecommunications sector said, "Don't worry about us - we're really good at cybersecurity. We'll do it without being regulated."

And I would say that this incident really calls that assertion into question.

LAURA TINGLE: This whole issue of governments sort of stepping into that cybersecurity space more broadly has been a contentious one for some time.

What government agencies are now involved in trying to track down who did this and how confident are you that you'll be able to try to ameliorate the damage?

CLARE O'NEIL: Yeah, okay, if I could just make a general comment - I think we have gone on a journey globally about cybersecurity of perceiving this as between an individual customer and a private company.

You see with Optus that when this happens at a broad scale, it becomes a much bigger issue, and we've got half of Australian adults here who have had some data breach here, and it's clearly not just between Optus and the customer. The government has to be involved when the stakes are this high.

We have had extensive support provided to Optus through the Australian Government on the technical and operational side. So I'm talking there about the Australian Signals Directorate, the Australian Federal Police, and the Australian Cyber Security Centre, that have worked very closely with them on the technical and operational side.

But I don't want to make too much comment about that - as you'll understand, this is on foot at the moment.

LAURA TINGLE: So, looking at what you do now to stop it in future, are you looking at both changes to the laws about what companies can hold and/or more draconian fines, potentially, to make sure that they look after data more carefully?

CLARE O'NEIL: So Laura, it's on my mind, the key focus for us though, at the moment is almost 10 million Australians who have had some of their personal information taken and so the focus for us is trying to assist Australians to make sure that they're not at risk of some type of financial crime.

So that is my focus at the moment but there will certainly need to be a good thorough look at the end-to-end management of this from the Optus perspective.

And I think we need to be looking at a variety of issues, including the powers that I have as Cyber Security Minister, to mandate minimum cybersecurity standards which could have prevented this from occurring.

But I do also want to note that in other countries around the world a breach of this scale would result in hundreds of millions of dollars’ worth of fines against a company like Optus. We have a maximum of just over $2 million is the maximum fine under breaches of the Privacy Act. Totally inappropriate - so I think there are a few things that we're going to need to look at.

But at the moment, we have got 10 million Australians who are anxious about their data being stolen and our focus is trying to give them some sense that we can support them in any way we can.

LAURA TINGLE: Clare O'Neil, thanks for your time tonight.

CLARE O'NEIL: Thanks, Laura.