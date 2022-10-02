Services Australia is unaware of the extent to which Medicare numbers or other credentials have been exposed in the Optus breach, because the telco hasn’t responded to the agency’s queries.

The government said that Services Australia had written to Optus on September 27 “asking for the full details of all affected customers with Services Australia credentials exposed, such as Medicare cards and/or Centrelink concession cards.”

It wanted the information to “place additional security measures on affected customer records” as an anti-fraud measure.

But minister for government services Bill Shorten said that “to date, there have been no impacted customer details provided by Optus in relation to this request.”

“We need Optus to help us help Australians,” Shorten said in a statement.

“Services Australia stands ready to protect the privacy of customers who have had their private information compromised.”

Medicare numbers are a recent addition to the types of personal information compromised in the Optus data breach.

Optus had claimed in a statement dated September 28 - one day after Services Australia wrote to them - that it was "in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take."

The telco said it had "identified 14,900 valid Medicare ID numbers" that had been exposed, and said it would contact the customers directly over several days.

‘Row in the same direction’

Shorten, together with the minister responsible for home affairs and cyber security Clare O’Neil, called a snap press conference on Sunday morning to demand increased cooperation from Optus with respect to requests from federal agencies.

“Optus needs to communicate clearly to the Australian government, and to their customers, about exactly what information has been taken regarding specific individuals,” O’Neil said.

O’Neil said it was “really important … that we row in the same direction” - we being Optus and the government - “and do everything we can to stop financial crime against Australians.”

“We urge Optus to do everything it can to provide our agencies with the information they need to help us do that,” O’Neil said.

The comments came hours after a report in the Sydney Morning Herald, quoting O’Neil, revealed fundamental flaws in security of critical infrastructure (SOCI) laws, which are meant to give the government powers to intervene into cyber incidents.

According to the report, the SOCI laws are of little utility in compelling cooperation from a private entity, because they can only be used while an attack is still in-progress.

As the government was alerted to the Optus breach after the attack had ceased, it had limited ability to participate in the mop-up or to compel Optus to cooperate with its requests for information.

"The laws provided absolutely no use when we needed them," O'Neil said.