Optus is yet to provide government agencies with information about affected customers following a massive data breach, with more than 36,000 Medicare cards compromised.
The Albanese government on Sunday called on the telco to help it protect those affected from fraud.
Services Australia wrote to Optus on Tuesday asking for the full details of all customers who had their Medicare cards or Centrelink Concession Cards taken in the hack so it could bolster security measures.
Cyber Security Minister Clare O’Neil said Optus needed to be up-front about what data had been taken for individuals, admitting the government didn’t know how many passport numbers had been stolen.
She said she was particularly concerned for the more than 10,000 people whose sensitive data had already been published in the “ether”.
“Optus advised me this morning that they have contacted the 10,200 people,” she said.
“I gave very clear feedback to Optus that an email was not going to cut it here.”
Government Services Minister Bill Shorten said about 36,900 Medicare numbers had been leaked.
He said Services Australia was ready to act, but the government needed Optus to reveal who had been caught up in the breach.
It remains unclear how many of the almost 10 million Optus customers impacted by the hack had their identity details stolen, however it has since been confirmed at least 10,000 parcels of ID data were put on the dark web.
The private information exposed included names, birth dates, phone numbers and addresses, as well as passport, Medicare and driver’s licence numbers.
In a statement, an Optus spokesperson said the company was working with government agencies to determine which customers it needed to take action on.
“We continue to seek further advice on the status of customers whose details have since expired. Once we receive that information, we can notify those customers,” the spokesperson said late Sunday.
“We continue to work constructively with governments and their various authorities to reduce the impact on our customers.”
Earlier, Attorney-General Mark Dreyfus said he would review Australia’s privacy laws and could bring in boosted protections by the end of the year.
“Companies throughout Australia should stop regarding all of this personal data as an asset for them, they should actually think of it as a liability,” Mr Dreyfus told ABC’s Insiders.
Mr Dreyfus said he had not heard a sufficient reason as to why companies were retaining the amount of personal data they currently were and that Optus had failed to keep user information safe.
The federal government has blasted Optus’s handling of the breach, saying it was a basic hack that had exposed millions of Australians to possible identity theft.
Optus boss Kelly Bayer Rosmarin has apologised to customers but is resisting calls to go.
Opposition cyber security spokesman James Paterson said the coalition would be open to bigger fines for breaches of the Privacy Act.
“We do want to make sure that major companies in Australia are taking this very seriously,” he told Sky News.
Ms O’Neil has been heavily critical of Optus and turned her sights to the former government, describing laws designed to protect Australia’s critical infrastructure from cyber attack as “absolutely useless”.
“What we do need is a federal government which has got the law at its fingertips to make sure that we can do things, for example, mandating reporting to customers when their data has been breached within a certain time period,” she said.
Mr Paterson flagged support for any changes that may be necessary if there was evidence to support them.