Services Australia struggles to gauge exposure to Optus data breach

Can't get customer details out of Optus.

Services Australia is unaware of the extent to which Medicare numbers or other credentials have been exposed in the Optus breach, because the telco hasn’t responded to the agency’s queries.

The government said that Services Australia had written to Optus on September 27 “asking for the full details of all affected customers with Services Australia credentials exposed, such as Medicare cards and/or Centrelink concession cards.”

It wanted the information to “place additional security measures on affected customer records” as an anti-fraud measure.

But minister for government services Bill Shorten said that “to date, there have been no impacted customer details provided by Optus in relation to this request.”

“We need Optus to help us help Australians,” Shorten said in a statement.

“Services Australia stands ready to protect the privacy of customers who have had their private information compromised.”

Medicare numbers are a recent addition to the types of personal information compromised in the Optus data breach.

Optus had claimed in a statement dated September 28 - one day after Services Australia wrote to them - that it was "in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take."

However, the government and Optus had different indications of how many Medicare numbers were caught up.

The telco said it had "identified 14,900 valid Medicare ID numbers" that had been exposed, and said it would contact the customers directly over several days.

But Shorten told a press conference on Sunday that the government had been told "about 36,900".

"It’s one thing to say how many people use Medicare numbers, but we actually need to get the data of who, so we’re in a position to - if there’s an attempt to use that number - to gain further information," Shorten said.

"This data - I’m sure Optus will eventually give it to us - but we don’t know in what form, how usable the information or the way they keep their data will be for us to assess.

"The sooner we can get the data, the sooner we can get to putting in some protection plans for anyone who’s been the victim of this crime."

Shorten acknowledged Optus "has a lot on their plate" but indicated he did not think government agencies should have to go cap-in-hand to the telco for information.

"I don’t think that we should necessarily have to write to Optus to say, 'Please, we want to protect government data that people have given'. I think there should be more initiative displayed by Optus to provide it to us," he said.

"This shouldn't be a game of whack-a-mole where we work out what the problem is, and then we go to the corporation and say ‘Help us stop the problem’.

"To be honest, I don’t know why they’re not on the phone every couple of hours telling us how they’re going getting the data ready in a form that we can use."

Shorten pushed for urgency on Optus' part: "We need this not tomorrow or the next day, we really needed it days ago.

"The drawbridge needs to come down. There’s got to be full cooperation here, in all aspects."

‘Row in the same direction’

Shorten, together with the minister responsible for home affairs and cyber security Clare O’Neil, demanded increased cooperation from Optus with respect to requests from federal agencies for information.

O'Neil said that Optus had cooperated with the government on some aspects - such as the technical and criminal investigations - but not others.

“Optus needs to communicate clearly to the Australian government, and to their customers, about exactly what information has been taken regarding specific individuals,” O’Neil said.

O’Neil said it was “really important … that we row in the same direction” - we being Optus and the government - “and do everything we can to stop financial crime against Australians.”

“We urge Optus to do everything it can to provide our agencies with the information they need to help us do that,” O’Neil said.

The comments came hours after a report in the Sydney Morning Herald, quoting O’Neil, revealed fundamental flaws in security of critical infrastructure (SOCI) laws, which are meant to give the government powers to intervene in cyber incidents.

According to the report, the SOCI laws are of little utility in compelling cooperation from a private entity, because they can only be used while an attack is still in progress.

As the government was alerted to the Optus breach after the attack had ceased, it had limited ability to participate in the mop-up or to compel Optus to cooperate with its requests for information.

"The laws ... provided absolutely no use when we actually needed them," O'Neil said.

"Under the previous government there were a set of laws passed that were meant to be the be-all and end-all of cyber security reform in this country.

"The instructions on the label told me that these laws were going to provide me with all of the powers that I would need in a cyber security emergency incident to make sure that we can repair the damage.

"And I can tell you that those laws were absolutely useless to me when the Optus matter came on foot."

Copyright © iTnews.com.au. All rights reserved.