Australia tells Optus to pay cost of replacing hacked IDs

Australian telecom giant Optus must pay the cost of replacing the passports and driver’s licences of millions of customers whose personal information was stolen in one of the country’s biggest data breaches, the government has said.

The theft of data attached to 10 million customer accounts — equivalent to 40 percent of Australia’s population — was the result of an error by Optus so it was up to the Singapore Telecommunications-owned company to pay for the consequences, Assistant Treasurer Stephen Jones said on Thursday.

“Optus is absolutely responsible for paying for the costs and the implications of this for customers, whether it’s the replacement of a licence, whether it’s the replacement of a passport, or other necessary pieces of ID,” Jones told reporters in Sydney, Australia. He did not give a dollar figure for the costs.

An Optus representative was not immediately available to respond to Jones’s comments. Optus has apologised for the breach and said it would pay for the most-affected customers to receive credit monitoring for a year.

The comments underscore the growing tension between Australia’s government and its second-largest telco as internet companies, banks and government authorities scramble to minimise the risk of being similarly hacked.

The operator of an anonymous account had, in an online chatroom, demanded $1m to refrain from selling the Optus customer data, only to later withdraw the demand and apologise, citing heightened publicity. Optus and law enforcement authorities have not verified the demand, although cybersecurity experts say it was most likely authentic.

The stolen data included passport numbers, driver’s licence numbers, government health insurance numbers, phone numbers and home addresses, prompting commentators and legislators to demand replacement documents.

Other large internet firms meanwhile said they were running extra cybersecurity checks to reduce the risk of a similar breach.

“In light of the recent Optus breach, we have been working closely with our cybersecurity partners and the relevant government agencies to increase our checks,” said a spokesperson for the third-biggest internet provider TPG Telecom, which has about 6 million customers.

A spokesperson for Telstra Corp, Australia’s largest internet provider, said in an email: “We will continue to consider what other steps we may need to put in place as we learn more about the Optus incident.”