The government has committed “hundreds” of public servants from several agencies to the aftermath of the Optus hack and data breach, with the law enforcement effort codenamed ‘Operation Hurricane’.
Home Affairs minister Clare O’Neil revealed the resourcing commitments in parliament on Monday afternoon.
“Very substantial support has been provided by the Australian government and I want to credit the work of the Australian Signals Directorate, the Australian Cyber Security Centre and the Australian Federal Police in that support,” O’Neil said.
“For the Australian government more broadly, our focus now is doing whatever we can to help protect Australians who are affected by this breach.
“This is a very large multi-agency effort which has seen hundreds of public servants work through recent public holidays, through the night and straight through the weekend, and the Albanese government thanks them for their efforts.”
The Australian Federal Police said separately that it had called upon “overseas law enforcement” as well as the resources of the AFP-led JPC3, which includes private sector participants, in its investigative efforts so far.
It has now codenamed the hack ‘Operation Hurricane’ and confirmed it has “diverted significant resources to the investigation.”
Assistant commissioner for the cyber command Justine Gough said the investigation “was going to be extremely complex and very lengthy”, but that “the AFP specialised in investigations of this type.”
“A key focus, which we have had success in the past, is to identify those criminals,” Gough said.
O’Neil said that work is underway with financial regulators and banking industry representatives to help them protect customers’ accounts by understanding which of their customers had been caught up in the Optus incident.
She also said that the government will “be providing additional protections on platforms such as myGov.”
Law changes
O'Neil flagged potential changes to cyber security rules that impact large telcos, and raised the possibility of fines.
“A very substantial reform task is going to emerge from a breach of this scale and size, and there’s a number of policy issues that I think the public will soon become quite aware of,” O’Neil said.
“One significant question is whether the cyber security requirements that we place on large telecommunications providers in this country are fit for purpose.
“I also note that in other jurisdictions, a data breach of this size would result in fines amounting to hundreds of millions of dollars.
“I really hope that this reform task is something that we can work on collaboratively across the parliament.”
She later said on ABC's 7.30 program that Optus could be fined a maximum of "just over $2 million" under the Privacy Act, which she said was "totally inappropriate".
"I think there are a few things that we're going to need to look at," she said.
O'Neil added that Australia is "probably a decade behind in privacy protections where we ought to be" and "about five years behind in cyber protections."
"When it comes to cyber protections, the previous government put in place a very significant piece of legislation that I think was a very good start, but it didn't bring telecommunications companies into that legislation," O'Neil said.
"What it's meant is that I am more limited with telecommunications companies in terms of the powers that I have.
"Now the reason that it did that is because, at the time, the telecommunications sector said, 'Don't worry about us - we're really good at cybersecurity. We'll do it without being regulated.'
"And I would say that this incident really calls that assertion into question."