Optus Data Breach Prompts Australian Legislative Reform

October 10, 2022
Australia’s government is planning to propose changes to the country’s telecom laws to enable better information sharing with banks after a massive data breach at the telco firm exposed data of nearly 10m Australians.

The government is proposing changes to the Telecommunications Regulations 2021 that will enable Optus and other telcos to better coordinate with financial institutions and government agencies to mitigate the risks of cybersecurity incidents, frauds, scams and other cyber attacks.

The move follows a data breach at the telecoms company on September 22 that exposed a wide range of customers’ personal data, including names, dates of birth, phone numbers and email addresses and, for a subset of customers, home addresses and ID document numbers such as driver's licence or passport numbers.

Payment details and account passwords were not compromised, but Optus confirmed it had informed key financial institutions about the breach.

In fear of widespread fraud resulting from the incident, Michelle Rowland, communications minister, is now proposing legislative changes to enable telecommunications companies to temporarily share approved government identifier information with regulated financial services entities.

Such information sharing would allow the parties to implement enhanced monitoring and safeguards for customers affected by the data breach, the ministry said. The information shared would include data such as the driver's licence, Medicare and passport numbers of affected customers.

In addition, Optus will be able to share identifiers to assist Commonwealth, state and territory agencies to detect and assist in preventing fraud.

The announcement stresses that the proposed regulations “have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for certain purposes”.

The government would restrict the use of the information shared to the “sole purposes of preventing or responding to cybersecurity incidents, fraud, scam activity or identity theft”, and the information received must be destroyed once it is no longer required.

In addition, information could be shared only with financial institutions regulated by the Australian Prudential Regulation Authority (APRA).

“The Albanese government takes seriously the protection of personal information,” commented Rowland. “The proposed regulations have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for designated purposes.”

Optus said in a statement that it welcomes the proposed changes, which will enable it to apply enhanced monitoring and safeguards to affected accounts.

The proposal also seeks to direct the Council of Financial Regulators’ cybersecurity working group to examine and report on options to further improve the ability of financial institutions to identify affected customers and credentials, using an existing secure and privacy-protecting data-sharing platform.

According to the release, the proposal follows “extensive consultation” across Commonwealth agencies, financial system regulators, Optus, the banking sector, major telecommunications providers and the Australian Information Commissioner.

These recommendations will now be submitted to the Governor-General.