Cyber criminals could have access to enough information to steal the identities of millions of Optus customers, the consumer watchdog has warned.
The telco confirmed on Thursday users’ names, dates of birth, phone numbers, email addresses, driver’s licence numbers, passport numbers or addresses could all have been accessed in a major breach.
Australian Consumer and Competition Commission deputy chair Delia Rickard said the cyber attack was extremely worrying due to the large amount of personal information fraudsters might be able to access.
“These are all the things that you need for identity theft and also all the things you need to personalise a scam and make it much more convincing,” she told Nine’s Today program on Friday.
Optus said users’ payment details and account passwords had not been compromised and it was working with the Australian Cyber Security Centre to limit the risk to both current and former customers.
Australian Federal Police, the Office of the Australian Information Regulator and other key regulators have also been notified.
Ms Rickard said any Optus customers who suspected they were victims of fraud should request a ban on their credit records and be highly skeptical of unexpected calls from people purporting to represent banks or government agencies.
The government has initiated a review into data security on social media platforms, however opposition communications spokeswoman Sarah Henderson said the action was “too little, too late”.
“Rather than kick the can down the road, Labor must urgently consider all regulatory options and act immediately to improve the privacy and safety of Australians online,” she said.
Optus chief executive Kelly Bayer Rosmarin said the telco took action to block the attack as soon as it learned of the breach.
“While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance,” she said.
“We are very sorry and understand customers will be concerned. Please be assured that we are working hard … to help safeguard our customers as much as possible.”
Scamwatch has advised Optus customers to secure their personal information by changing online account passwords and enabling multi-factor authentication for banking.
Affected customers should also place limits on bank accounts as well as monitoring for any unusual activity.
Senator Henderson said the opposition had been calling on the government for months to deliver tougher online privacy and data protection laws.
In July, it called on Labor to adopt the coalition’s Online Privacy Bill and earlier this month, she and other opposition MPs had criticised the government for failing to strengthen laws.
The Office of the Australian Information Commissioner said it would engage with Optus to ensure compliance with the requirements of the Notifiable Data Breaches scheme.
Under the framework, organisations covered by the Privacy Act must notify affected individuals as quickly as possible if they experience a data breach likely to result in serious harm.