The government is preparing new data breach notification rules in the wake of the Optus hack.
A policy drafting process is understood to be underway. If adopted, it would mean companies involved in a breach of customer data have to pass on the details of affected individuals to banks as soon as possible.
Cyber security minister Clare O'Neil's office could not confirm when the proposals would be made public. iTnews understands a formal statement will be made in the next day or two.
The rules are being drafted as a whole-of-government response to the breach, which means the detail involves agreement from multiple ministers.
Banks are keeping a close watch on the unfolding situation in a bid to prevent the stolen data being used for fraud.
"Individual banks are closely monitoring developments while Optus continues its investigations and works with authorities and agencies", the Australian Banking Association said in a statement.
"Banks encourage customers to also remain vigilant in all aspects of their digital lives, with an increased focus on the use of PayID, and applying measures such as two-factor identification. Banks also encourage customers to immediately report any suspicious activity to their bank."
Identity reissue
The development came as Optus announced it had finished notifying the most at-risk group of customers - those who had identification documents such as passports or driver's licenses exposed in the breach.
Customers who have received notifications were critical of Optus' response.
One customer - who iTnews has chosen not to identify - said they had received the notification and contacted Optus via its web chat.
They said the web chat operators were able to assist with processes to secure their Optus accounts (such as implementing two-factor authentication), and provide links to other sites (such as cyber.gov.au), but did not identify what other services a breached customer might need.
Specifically, that customer said credit protection services such as those offered by Equifax weren't mentioned, nor were the Department of Home Affairs' victim certificates.
The victim certificate is designed to help those whose identity documents have been compromised have those documents re-issued – if they are willing to initiate court action.
Optus media releases refer identity-related inquiries to the Australian Cyber Security Centre, which refers to the certificates in its advisory about the Optus breach.
Optus' response
An Optus spokesperson said the telco is working with the Australian Federal Police on its investigation of the attack, and that the AFP has requested that Optus not disclose further details of the attack, “as it might compromise their ability to find the bad actor.”
As a result, the telco declined to confirm technical details of the attack to iTnews.
It's been reported that an unsecured public-facing API allowed the attacker to conduct a user enumeration attack.
While unable to discuss specifics of Optus’ current response, iTnews understands the carrier is exploring ways to provide extra support to victims.
In response to complaints aired in the Sydney Morning Herald that Optus is declining to pick up the tab for the $15 per month cost of having Equifax monitor an individual's credit activity, an Optus spokesperson said: "To date, Optus' focus has been its response to the attack.
“Further support is possible … nothing is ruled out at the moment.”
Update, 3pm:
Optus said it would offer "most affected current and former customers whose information was compromised ... the option to take up a 12-month subscription to Equifax Protect, a credit monitoring and identity protection service."
"The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost," a spokesperson said.