Deloitte is set to perform a “forensic assessment” of the Optus data breach as part of a commissioned external review into the incident and ensuing response.
The consultancy review came on the recommendation of Optus CEO Kelly Bayer Rosmarin and was supported by the Singtel board, the telco said.
The board had “been closely monitoring the situation with management since the incident came to light,” it said.
Bayer Rosmarin said the forensic review “would play a crucial role in the response to the incident for Optus, as it works to support customers.”
“This review will help ensure we understand how it occurred and how we can prevent it from occurring again,” she said.
“It will help inform the response to the incident for Optus.
“This may also help others in the private and public sector where sensitive data is held and risk of cyber attack exists.”
1.2 million customers most at risk
Optus also published a video update from Bayer Rosmarin late on Monday that clarified the number of customers that had current identity numbers caught up in the breach.
It has been reported since the outset that around 2.8 million customers had identity document numbers exposed.
However, Bayer Rosmarin said that Optus now believed the number is closer to 2.1 million, of which 1.2 million numbers were active, and 900,000 were expired.
She indicated that Optus is awaiting guidance on what action people whose expired numbers were on file should take.
“For the 1.2 million customers where action should be taken, and is advised, all of those customers have been reached out to and already should know that they are in the position to take action,” Bayer Rosmarin said.
She added: “While the [breach] numbers have come down, we are disappointed that even one customer’s information could be accessed and we are deeply, deeply sorry that this could occur.”
Optus said separately that the 1.2 million customers "have had at least one number from a current and valid form of identification, and personal information, compromised."
The telco was criticised over the weekend for not knowing exactly what kinds of personal data were exposed in the breach, after it came out that Medicare numbers were included.
Services Australia, in particular, has been seeking information since last week, when it became apparent that Medicare numbers were accessed by the attacker.
Bayer Rosmarin said Optus “had to meticulously reconstruct from logs exactly what information the hackers were able to access so that any information we provided to customers was accurate and complete.”
“This was an exercise that we wish we could have done instantly, but it did take us some time to do so, and we also had to work with licencing authorities, all of whom have different rules, all of whom have different information that's required in order to validate checks on those types of IDs,” she said.
Bayer Rosmarin said that part of the purpose of calling in Deloitte is to work out how the attack could occur.
“We invest millions of dollars and have teams of people whose job it is to prevent something like this from happening,” she said.
“That is why we have launched an independent review into what has occured, so we can understand what happened and make sure it doesn't happen again and that we do better.”
Singtel monitors financial impact
Separately, Singtel said in an SGX filing [pdf] that it is “continuing to evaluate the potential financial implications arising from” the data breach.
“Any material development will be disclosed to the market on a timely basis,” it said.
Optus’ parent company said news reporting of potential fines or costs to date was “speculative” and “should not be relied upon”.
Singtel added that it would defend any class action lawsuit, if one was to be filed with the courts.
