Australia could have tough new data protection laws this year as an urgent response to a cyberattack that stole the personal data of 9.8 million customers from a telecommunications company, the attorney general said Thursday.
Attorney General Mark Dreyfus said the government would make “urgent reforms” to the privacy law after the… unprecedented hack last week on Optus, Australia’s second-largest wireless provider.
Dreyfus said: “I think it is possible” that the law will be changed in the four remaining weeks that Parliament is due to sit this year.
“I’m going to be looking very hard over the next four weeks to see if we can get privacy law reforms in Parliament before the end of the year,” Dreyfus told reporters. Parliament next sits on 25 October.
Dreyfus said fines for failing to protect personal data needed to be increased so corporate executives couldn’t dismiss the fines as a “cost of doing business.”
The “absolutely huge amounts” of customer data companies kept for years should be justified under the amended law, Dreyfus said.
“Businesses should see data storage not as an asset, but as an obligation or a potential obligation,” Dreyfus said. “We’ve had too long of companies seeing data only as an asset they can use commercially.”
The government blames lax cybersecurity at Optus, a subsidiary of Singapore Telecommunications Ltd., also known as Singtel, for the theft of personal information from current and former customers.
Singtel apologized in a statement issued by management on Wednesday, saying, “We are deeply sorry to everyone affected by the data theft.”
“Since the incident, our focus has been on supporting Optus’ efforts to help affected customers and strengthen their security controls,” the statement said.
“Information security is of paramount importance to the Singtel Group and a top priority for all of its business units and we are investing significant resources to continuously strengthen our defenses against emerging threats,” the statement added.
The data included passport, driver’s license and national health care identification numbers that can be used for identity theft and fraud.
Authorities are critical of Optus’ initial failure to disclose that Medicare numbers were among the stolen records. That became clear on Tuesday when the hacker dumped the data of 10,000 customers on the dark web – six days after Optus discovered the cyber attack.
The urgent legislative response is separate from a broader privacy law review that began three years ago. The law was passed in 1988 and critics argue that it urgently needs to be adapted to the digital age.
Optus could face a fine of up to 2 million Australian dollars ($1.3 million) for violating the privacy law, the government said.
It could be fined hundreds of millions of dollars for a similar security breach under European Union law, the government said.
Submissions to the Privacy Act review have suggested penalties for breaches equal to 10% of revenues from Australian operations.
Kelly Bayer Rosmarin, Optus CEO, has argued against higher fines, telling the Australian Broadcasting Corp. on Tuesday: “Frankly, I’m not sure what penalties benefit anyone.”
Optus claims it was the target of a sophisticated cyber attack that breached several layers of security.
After an emergency meeting with banking and consumer regulators, Financial Services Secretary Stephen Jones said “fraudsters” and “scammers” had already started using the stolen data, including phone numbers and email addresses.
With personal information stolen from 38% of Australia’s 26 million population in the hack, “you can’t overstate the impact of this breach on consumer issues,” Jones said.
He warned compromised Optus customers against activating URLs they receive by text or email, as they may come from criminals trying to steal more information.
“We’re all working as best we can to work our way through the long tail of problems that will result from this massive data breach,” Jones said.