Monday 26 September 2022 05:32 PM Optus hack: Telcos must keep customer data for at least two years after ...
Millions more people could be exposed in Australia's biggest ever data breach even if they're not customers of Optus - as legal experts say victims could pursue legal action against the telecommunications giant.
As many as 11 million Aussies have potentially had their personal addresses, dates of birth, phone numbers, passport details and drivers licences stolen in the Optus cyber attack.
The telco giant only has about 5.8 million active users, indicating the remainder are customers no longer with the service provider.
Under the Telecommunications Act 1979, companies like Optus must keep some customer data for at least two years after closing an account.
'This is why the whole concept of a decentralised system is coming in,' he told the Daily Telegraph on Monday.
'(Optus) shut down the system as soon as they discovered the cyber attack. Why aren't they saying how long it took them to discover that?'
The legislation is in place to assist police investigations - but experts believe the practice is outdated.
Cybersecurity leader Susan McLean said the current data climate had drastically changed and storing information may no longer be safe.
'The data that is held should be the bare minimum. So once you have proven this is Billy Smith, do you really need to keep the passport number and driver's license number?' she said.
'If the police need to find out who owns the number they have a name and address and it is not hard to find out their driver's license and passport number.'
The concerns come as a federal police investigation has been launched into the data breach.
Operation Hurricane has been established by the AFP to identify the people behind the hack, as well as prevent identity fraud of those affected.
Assistant Commissioner of Cyber Command Justine Gough admitted the investigation into the source of the data breach would be complex.
'We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities,' she said.
'Criminals, who use pseudonyms and anonymising technology, can't see us but I can tell you that we can see them.'
The task force will work with the Australian Signals Directorate, overseas police as well as Optus.
Ms Gough said customers should be more vigilant in monitoring unsolicited texts, emails and phone calls in the wake of the Optus breach.
'The AFP will be working hard to explain to the community and businesses how to harden their online security because ultimately it is our job to help protect Australians and our way of life,' she said.
Home Affairs Minister Clare O'Neil launched a scathing attack on Optus in parliament.
Ms O'Neil said responsibility lay squarely at the feet of the telco giant and that the government was looking at ways to mitigate the fallout.
'The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,' Ms O'Neil said on Monday.
'We expect Optus to continue to do everything they can to support their customers and former customers.'
The minister called on the telco to provide free credit monitoring to former and present customers who had their data stolen in the breach.
Prime Minister Anthony Albanese said the Optus data breach was a 'huge wake-up call'.
Kylie Carson, a special counsel specialising in general compensation at Shine Lawyers, said if an Optus customer had a financial loss as a result of the data breach, they