New data protection laws could come into force in Australia this year in an urgent response to a cyber attack that stole the personal data of 9.8 million customers from a telecommunications company, the attorney-general said on Thursday.
Attorney-General Mark Dreyfus said the government would make “urgent reforms” to privacy laws after last week’s unprecedented hack at Optus, Australia’s second-largest wireless carrier.
Dreyfus said it was possible, “I think”, that the law would be changed in the four weeks that parliament sits this year.
“I’m going to be looking very hard over the next four weeks to see if we can get privacy law reform through parliament before the end of the year,” Dreyfus told reporters. The next sitting of Parliament is on October 25.
Dreyfus said penalties for failing to protect personal data would have to be increased so that corporate boards could not reject fines as the “cost of doing business”.
Dreyfus said the “absolutely enormous amount” of customer data companies have kept over the years would have to be justified under the revised law.
“Companies need to look at data storage not as an asset, but as a liability or potential liability,” said Dreyfus. “For too long we’ve had companies looking at data only as an asset that they can use commercially.”
Optus is a subsidiary of Singapore Telecommunications, also known as Singtel. The government blames Optus’ cybersecurity for the theft of personal information of current and former customers.
Singtel apologized in a statement issued by its management on Wednesday, saying, “We sincerely apologize to everyone affected by the data theft.”
“Since the incident, our focus has been on supporting Optus’ efforts to help affected customers and strengthen their security controls,” the statement said.
“Information security is of the utmost importance to the Singtel Group and a top priority across all its business units, and we invest significant resources to continually strengthen our defenses against emerging threats,” the statement said.
The data included passports, driver’s licenses and National Health Service identification numbers that could be used to commit identity theft and fraud.
Officials criticized Optus’ initial failure to disclose that Medicare numbers were among the stolen data. This was revealed on Tuesday when a hacker dumped 10,000 customer records on the dark web, six days after Optus discovered the cyber attack.
The urgent legislative response is separate from the broader review of privacy laws that began three years ago. The law was passed in 1988 and critics say it needs to adapt to the digital age.
Optus could potentially be fined AUD 2 million (roughly Rs 10 crore) for breaching privacy laws, the government said.
Similar security breaches under EU law can carry fines of millions of dollars, the government said.
Submissions to the review of the Privacy Act suggested fines for breaches equal to 10% of revenue from Australian operations.
Optus CEO Kelly Bayer Rosmarin has argued against increased fines, telling the Australian Broadcasting Corporation on Tuesday: “Honestly, I’m not sure which penalty benefits who.”
Optus said it was the target of a sophisticated cyber attack that penetrated multiple layers of security.
After an emergency meeting with banking and consumer regulators, Financial Services Minister Stephen Jones said “fraudsters” were already using stolen data, including phone numbers and email addresses.
With the personal information of 38 percent of Australia’s population of 26 million stolen in the hack, “you can’t overestimate the impact of this breach on consumer issues,” Jones said.
Jones warned affected Optus customers against opening URLs received via text or email, as they could be from criminals trying to steal more information.
“We’re all doing the best we can and trying to get through the long tail of problems that this massive data breach has caused,” Jones said.