Following a catastrophic data breach, Australia will revise its privacy rules

Following one of the worst data breaches in Australian history, the Australian government intends to tighten disclosure rules for cyberattacks.

On Monday, Prime Minister Anthony Albanese told Australian radio station 4BC that the government planned to change privacy rules so that any firm experiencing a data breach would be compelled to share information with banks about potentially affected customers in order to reduce fraud. Under existing Australian privacy laws, companies are prohibited from disclosing such information about their customers to other parties.

The policy statement came in the aftermath of a massive data breach last week that hit Optus, Australia’s second-largest telecom carrier. Hackers gained access to potentially sensitive information on up to 9.8 million Optus users – over 40% of the Australian population. Names, dates of birth, addresses, contact information, and, in certain instances, driver’s license or passport ID numbers were among the information leaked.

According to reports, the breach may have been caused by an insufficiently protected API that Optus set up to comply with rules requiring customers to use multifactor authentication.

In chats with security writer Jeremy Kirk, a person claiming to be the Optus hacker seems to have confirmed this account of the data loss. According to the information the alleged hacker provided to Kirk, the data was downloaded by calling the API sequentially for each value of a unique identifier field named “contactid” and capturing each user’s information one by one until the dataset of millions of entries was compiled.
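The access pattern described above, one client reading record after record by stepping through “contactid” values, is visible in API access logs. The following is an added detection sketch, not code from the article or from Optus: the log format, the `/api/v1/customer` path, the IP addresses, and the thresholds are all assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

def _lines(ip, ids, status=200):
    # Constructed log lines; /api/v1/customer is a hypothetical path.
    return [f"2022-09-20T01:00:00Z {ip} GET /api/v1/customer?contactid={i} {status}"
            for i in ids]

# Constructed sample: one client walking IDs in order, one customer re-reading
# their own record, one support tool looking up scattered records.
SAMPLE_LOG = "\n".join(
    _lines("203.0.113.7", [500100, 500101, 500102, 500103, 500105, 500106, 500107])
    + _lines("198.51.100.20", [731944, 731944, 731944])
    + _lines("192.0.2.55", [120034, 88211, 940112, 5561, 300781, 77120])
)

LINE_RE = re.compile(r"^(\S+) (\S+) GET \S*[?&]contactid=(\d+)\S* (\d{3})$")

def parse(log_text):
    """Yield (client_ip, contactid) for each lookup that returned HTTP 200."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "200":
            yield m.group(2), int(m.group(3))

def find_enumerators(log_text, min_ids=5, min_sequential_ratio=0.8):
    """Flag clients that read many distinct contactids in near-sequential order."""
    seen = defaultdict(list)
    for ip, cid in parse(log_text):
        if cid not in seen[ip]:          # keep first-seen order, drop repeats
            seen[ip].append(cid)
    flagged = {}
    for ip, ids in seen.items():
        if len(ids) < min_ids:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        # A step of 1 or 2 tolerates an occasional missing record in the walk.
        ratio = sum(1 for s in steps if 1 <= s <= 2) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[ip] = {"distinct_ids": len(ids),
                           "sequential_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(ip, stats)
```

A check like this only detects the pattern after the fact; the underlying fix is to require authentication and per-record authorization on the endpoint and to avoid guessable sequential identifiers.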