TRANSCRIPT - MINISTER SHORTEN AND MINISTER O'NEIL - DOORSTOP INTERVIEW - MELBOURNE CPO - 3 OCTOBER 2022

03 October 2022

E&OE

MINISTER FOR HOME AFFAIRS AND CYBER SECURITY, CLARE O'NEIL: Good morning, everyone. I'm here with Minister Bill Shorten and we'll be providing some information to update Australians about the Optus breach. I spoke this morning with the heads of the Australian Signals Directorate and the Australian Cyber Security Centre. These are the government agencies which contain cyber security expertise within the Australian Government. They have advised me that they have completed the technical work that they have been doing with Optus.

I want to thank Optus for the engagement on the technical front that they have worked with the Australian Government on. I have advised previously that the Australian Signals Directorate is working with other Australian telecommunications providers. This is really important because what we'll often see around the world is cybersecurity breaches come in sets and we are doing a lot of work with telecommunications providers to ensure that their networks are free of vulnerabilities and that work is progressing very well.

The Australian Federal Police has stood up two investigations which are supporting the Federal Government's work on Optus. The first is Operation Hurricane. That operation is focused on finding the person or people who undertook this breach and bringing them to justice. I spoke with Commissioner Reece Kershaw this morning, that investigation is progressing well and I'm going to let the Australian Federal Police provide details about that during the week. The second AFP operation is Operation Guardian.

Operation Guardian is specifically focused on the 10,200 people whose data has already been made available online during the initial attempts of the hacker to sell this data for some profits for themselves. I want to make sure that Australians understand that 10,200 people have already had their data in some way shared on the internet. Optus have advised me that they have advised those 10,200 people who they are. And I want to say to those people that I would advise you and the Australian Government's advice to you is that if you have been told you are the subject of that particular part of the breach, you should proceed immediately to cancel relevant ID cards, to cancel your passport and do whatever else is needed to make sure that you are getting fresh identity documents based on the email that was provided to you. I can speak a little bit more about that in a moment.

The Australian Government, of course, is acting quickly to ensure that any documents or numbers that have been compromised that relate to the Federal Government's work are being better protected. And I'll get Minister Shorten to talk a little bit about what's happening on the Services Australia end. I spoke to the Optus CEO again this morning, there are ways in which Optus is collaborating with the Federal Government and I thank them for that.

I am grateful that Optus has agreed at our request to provide credit monitoring to the Australians who are most affected by this breach. I am pleased that Optus are continuing to engage with the technical professionals within Government to assist us in understanding the technical elements of what has occurred here. Optus have also agreed to fully participate with the Australian Federal Police's work and that has involved bringing people from within Optus to co-locate with Operation Hurricane to ensure that we have direct access and links into the organisation. These are important things that we believe Optus is obliged to do and they are doing them and I thank them for it.

What I would like to say today to Optus is that transparency and accountability are paramount here. It is crucial that everyone who has been affected by this breach is properly notified of that. We would like Optus to be transparent about the numbers of people who have had specific identity documents compromised and that information has not yet been provided. I would like Optus in particular to make sure that the 10,200 people whose data has already been made available briefly online know that that has occurred. Optus have advised that they have told those people by email, but that is simply not sufficient under these circumstances and we are going to need to go through a process of directly speaking with those 10,200 individuals.

And Optus needs to take up the mantle here to ensure that people are aware when they are directly at risk as those people are. I would like to suggest to anyone who believes that they've been caught up in this incident or who wants to report anything that may look like any type of dodgy conduct to go to cyber.gov.au there is advice there about how to handle this matter. And you can also make a report of any concerning conduct that you see.

I would just finally say to people, again, you need to protect yourself in this context. If you see dodgy emails coming through to you, don't click on any links. If you're getting text messages that look odd, don't answer. Even if you're getting phone calls from numbers that look dodgy, just don't pick up the phone. This is a time for real vigilance for Australians. We should not be in the position that we're in. But Optus, Optus has put us here and it's really important now that Australians take as many precautions as they can to protect themselves against financial crime. Minister Shorten will speak a little bit about the work that Services Australia is doing.

MINISTER FOR GOVERNMENT SERVICES, BILL SHORTEN: Thank you, Minister for Home Affairs and good afternoon. As the Minister for Services Australia, which includes Medicare records and Centrelink records, we reiterate our call to Optus to accelerate full and transparent cooperation with the Australian Government on behalf of Australian citizens.

Specifically, on the 27th of September Services Australia, the agency, wrote to Optus and said we need to identify fully and completely who might have used Medicare information or other Centrelink information to get their 100 points of data so that they could get an Optus plan. We still haven't received that information.

I understand that Optus is trying to do its best now to fix up some of the problems that have been created. But we call upon Optus to understand that this breach has introduced systemic, systemic problems for 10 million Australians in terms of their personal identification. Business as usual motoring along and third or fourth gear is not enough. We're asking Optus to upgrade their transparency. I acknowledge that they had full page newspaper ads in the paper on the weekend, but an ad is not a strategy. An ad is not a plan.

Systemic risk has been injected into the Australian bloodstream about the privacy of their information. We know that Optus is trying to do what it can, but having said that, it's not enough. It's been 11 days since the breach. It is peculiar that we still can't identify who, for example, has had their Medicare, who use their Medicare information, their number to be able to get ID. We need this, not tomorrow or the next day, we really needed it days ago. We want to protect Australians' information that's held by the government. We want to prevent further fraud and we seek Optus to step up its communication and transparency with government. Now is not a time to listen to the lawyers and the damage control merchants. Now is the time to take the high road, embrace, work with us in all areas as they've been doing in some further extend that cooperation. It's now a matter of protecting Australians' privacy from criminals.

O'NEIL: Thanks, Minister Shorten. So we'll move to questions now.

JOURNALIST: Given what you've had to say about Optus' handling of this over the last 11 days, do you have confidence in their leadership and is their CEO still tenable?

O'NEIL: I don't think it's helpful right now for the Australian Government to be expressing a view about who should be running some of Australia's biggest companies. Our focus at the moment is squarely on one thing and that is protecting 10 million people in our country who are now subject to some type of attempt at financial fraud. Now the Australian Government is doing everything it can to prevent Optus' mistake and their breach from turning into widespread financial crime against Australians. And this involves a very large number of people of Australian Government agency and of federal ministers. We are doing everything we can to make sure that people aren't damaged by what's happened here and that is my sole focus.

JOURNALIST: Can you confirm reports that you're looking at potential law reforms to force companies to alert their customers to those affected?

O'NEIL: Yeah. Thank you. So under the previous government, there was a set of laws passed that were meant to be the be all and end all of cyber security reform in this country. And the instructions on the label told me that these laws were going to provide me with all of the powers that I would need in a cyber security emergency incident to make sure that we can repair the damage. And I can tell you that those laws were absolutely useless to me when the Optus matter came on foot. So I'm not flagging any specific directions for reform, but I would simply note that we do not have the right laws in this country to manage cyber security, emergency incidents, and this is something that we are going to need to look at. We can't foreshadow exactly what the repercussions of any future cyber security incident could be. But what we do need is a federal government which has got the laws at its fingertips to make sure that we can do things, for example, mandating reporting to customers when their data has been breached within a certain time period. That is one of a whole plethora of things that I believe the federal government should be able to do in a situation like this. The laws that you're referring to were meant to help us with this, and I can tell you they provided absolutely no use when we actually needed them.

JOURNALIST: When you talk about mandating reporting to customers, is the manner in which that reporting happens is going to be looked at. Because you talked about an email not being enough, for example.

O'NEIL: Yep, so we need to consider the obligations that companies face when a cyber security breach of this nature occurs. We simply do not want to go through this again, where we've got 10 million people whose valuable data has been stored by a private company for periods that are far too long. And after the fact, we don't have the proper powers that we need to require them to provide information in specific ways. It's just not good enough. Now, under the Telecommunications Act, we do have some specific powers which have been useful here, but I can say that the next time it may not be a telecommunications company. We live in a digital age. Cyber security issues are part of our lives now, and this incident is a huge wake up call to corporate Australia. It's a wake up call to government too, and it's a wake up call to everyday Australians. We simply have to make a step change in our cyber security in this country. Now, I said earlier, I said last week that we are five years behind in cyber security laws or in the digital age. Years are like dog years. We are way off the mark at the moment. Looking at the powers that we have in an emergency is something that's going to have to happen. Mark Dreyfus has talked extensively about the issues regarding data and that needs to be looked at too. But on the whole, we need to undertake here a whole of nation effort of improving the security around data protection, around cyber security, so that we are better equipped in the 21st century for what will be unfortunately, a recurring part of our lives.

JOURNALIST: Are company directors and businesses taking this seriously enough?

O'NEIL: So we see a wide variety of stances taken about cyber security. And I will say that there are companies in this country that are best in the world. We have incredibly skilled cyber professionals in this country, although I would say there are not enough of them. But it's clear that some companies are not taking this seriously enough. And I just indicate what's happened in the last 11 days is pretty good evidence of that. We've had here a telecommunications company that has at various points in time argued that it should not be subjected to stringent laws by the federal government on the basis that they are doing a really good job at this stuff. And yet this company has just overseen what is, without question, the largest consumer data breach in Australian history. So I think everyone looking at this situation has got to accept that we've got a problem here as a country and it is the intention of our government to step up and lay out a clear path for us to try to fix it.

JOURNALIST: Just on the 10,200 people, you said Optus were just sitting on them. Just wondering if you can tell me when that was, if that's the extent of the communication and what the government's planning to do, because I think you said that they were going.

O'NEIL: Thank you. Yeah. So there are 10,200 people today who I am most concerned about, and those people are those whose data has already been made public in an initial attempt by the hacker to sell the information that has been stolen from Optus. I'm concerned about those people because for the rest of the 10 million, as far as we know, their data has not been made public. But for this 10,200, it actually has popped up on the Internet and we do not know who has access to that data at this stage. So Optus have advised me this morning that they have contacted the 10,200 people. I gave very clear feedback to Optus that an email was not going to cut it here. This is 10,200 people whose data is somewhere in the ether and we don't know where and we don't know who has it. So it's pretty obvious the concerns that I would have for those people. I've talked to the Australian Federal Police Commissioner a number of times this morning and I've asked the two organisations to liaise to agree on what additional communication efforts need to be taken with regard to those specific people. And I have no doubt that Optus will be keenly ensuring that further communications are undertaken.

JOURNALIST: So are you essentially going to be requiring them to give you evidence that those people, those people have responded that they actually are aware of this, that they have received the email or a follow up phone call.

O'NEIL: I have this morning spoken with the Australian Federal Police and I've asked them to liaise with Optus about the specific requirements that they would indicate are appropriate for this level of risk that exists for those 10,200 people.

JOURNALIST: Do you know when that email went out?

O'NEIL: I don't and I suggest you ask Optus about that.

JOURNALIST: Where are things up to, in terms of actually working out who this hacker is and how much information they gained access to?

O'NEIL: Yeah, I spoke this morning with the Australian Federal Police Commissioner Reece Kershaw, and there is a significant operation underway, Operation Hurricane, which is targeting the perpetrator of this breach. I was advised that the operation is progressing well and I will let the Australian Federal Police Commissioner and Attorney-General Mark Dreyfus, who has responsibility directly for the Australian Federal Police, to provide more transparency about this in the coming days.

JOURNALIST: Do we know whether it was someone operating in Australia or an overseas act?

O'NEIL: I'm not going to make any more comment on the investigation.

JOURNALIST: You talk about the Australian Signals Directorate looking at other providers. Is there any evidence yet of potential risks there that people should be worried about?

O'NEIL: Yeah, so I talked to the Australian Signals Directorate this morning. The Australian Signals Directorate is the absolute premier cybersecurity organisation in this country and we have within the Australian Government the very best cyber security experts in the country working for us and I'm very grateful for all of their efforts and the long hours that they have pulled since this incident occurred.

The Australian Signals Directorate have been working more broadly across the telecommunications sector because what we do sometimes see with cybersecurity attacks is that a sector as a whole will be targeted. There isn't any evidence of that at this stage and the Australian Signals Directorate have been undertaking very constructive work and I'm not reporting on any additional vulnerabilities or breaches that they've found in that work. I'm pleased with how it's progressing.

JOURNALIST: Do you know how many passport numbers and Medicare numbers will need to be replaced?

O'NEIL: Oh, sorry. Passports? No. Medicare numbers. Do you want to speak to that Bill?

SHORTEN: At this stage, we've been informed that there's about 36,900. But we are asking Optus, it's one thing to say how many people use Medicare numbers, but we actually need to get the data. So we're in a position to, if there's an attempt to use that number to gain further information, if we know who the affected people are, the Optus customers, then we can at least red flag if there's an attempt. I should also just repeat that we have multi-factor identification with Medicare. Just because someone has a Medicare number won't be enough to be able to hack into your Medicare records. This data, we don't know what form. I'm sure Optus will eventually give it to us, but we don't know what form, how usable the information that they keep in there are. The way they keep their data will be for us to assess. So just the sooner we can get the data, the sooner we can get to putting in some protection plans for anyone who's been the victim of this crime.

JOURNALIST: What's your understanding as to why you don't have that data that you've asked for from Optus?

SHORTEN: It's not clear to me. I accept that Optus has got a lot on their plate at the moment, but it's been 11 days now. I don't think we should have to necessarily write to Optus to say please, we want to protect government data which people have given. I think there should be more initiative displayed by Optus to provide us. This shouldn't be a game of Whac-A-Mole where we work out what the problem is and then we go to the corporation and say, help us stop the problem. Now I get they are working with us in a range of areas, but people who've used their ID for Centrelink, Centrelink ID or Medicare ID to be able to access a service by Optus, I still don't understand why Optus keeps this information after they've issued the particular phone plan or whatever, and that's created a vulnerability. We just need to work together.

I get that Optus may be in a world of pain through its legal liabilities and issues, but that can't be the first thought here for the Australian people. The people who are really in pain are not the senior Optus executives. The people in pain are the 10 million people who've had their privacy breached. Sure I get if they've got to have a legal strategy, that's what corporations do. But the first priority has to be surely to protect Australians. That's why we just want to be honest. I don't know why they're not on the phone every couple of hours telling us how they're going, getting the data ready in a form which we can use. There should be a full, you know, the drawbridge needs to come down. It's going to be full cooperation here in all aspects.

JOURNALIST: Just on another on the Integrity Commission. You've got sensitive information in your department. Are you comfortable with the Integrity Commission raiding your department with or without a warrant?

O'NEIL: We've got to make a change in Australia about improving integrity in government, and we don't need another survey telling us that our constituents don't believe that we're serving their interests every day to tell us that we've got to make some big changes to how politics in this country operates. And I have to say, you know, the Albanese Government came in having committed to legislate for a strong National Integrity Commission, and that is exactly what we have done. I'm really pleased that the Attorney General has put a bill into the Parliament which is tough, which makes the National Integrity Commission independent and that will make sure that where there is corruption in the Australian Federal Government that it's rooted out and exposed. Every politician in this country should be clamouring to indicate their support for this bill because it must change. We don't want to live in a country where a large share, a large percentage of the population says that they're not sure whether democracy is the best system of government. That is a real problem for us, and I think the National Integrity Commission is something that will see us assist in fixing that problem.

JOURNALIST: It's just so when you talk about we'd be talking about security in data, particularly the Home Affairs Department does have sensitive information. So is there a risk that that Integrity Commission could become a bit of a honeypot for spies?

O'NEIL: Look, I think the way the National Integrity Commission is set up is going to be very mindful of the very important data that it may have access to. But I've got confidence that the government can do this properly and do it appropriately. And I have to say that my constituents are very agitated that we didn't have this already. Labor's been calling for this for a long time and I'm absolutely delighted that the Australian Federal Government's been elected and just months later we've been able to put a thoughtful piece of legislation into this Parliament which is going to see Australians get what they want, which is better transparency in government.

JOURNALIST: Minister, just a question on the phone, if I may. Taylor Ryan here from Network Ten. If I could just ask quickly, if you could speak on behalf of the government on the significance of the new sanctions against Russia today and why it's important to take these sanctions now?

SHORTEN: Taylor it's Bill here. I'll answer that. Foreign Minister Penny Wong and Attorney-General Mark Dreyfus have announced today that we will be joining Ukraine in its action in the United Nations against Russia. Specifically, this action goes towards Ukraine seeking to invoke the convention about genocide, whereas accusing Putin and Russia of committing acts of genocide in Ukraine. Australia will intervene on the side of Ukraine. Put simply, Ukrainians are fighting for the values which Australians uphold and love. We cannot and should not be silent. We cannot and should not do nothing. This is not a small country on the other side of the world whose arguments are irrelevant or distinct from Australian interests. What is happening is nothing less than an assault on liberal democratic values that Australians uphold. So along with supporting the International Convention action by Ukraine against Russia for genocide. We've also placed further financial and travel sanctions on 28 identified Ukrainian Russian separatists or Russian leaders so that they realise that they are not immune to the views and values of the civilised world. Thanks, Taylor.

O'NEIL: Okay. We'll take one more question and then.

JOURNALIST: In terms of are you aware of any serious fraud that have been committed against those 10,000 at this point?

O'NEIL: No. Not at this stage. So let me just close this up by just providing a general comment. It's really important here that Australians don't become unnecessarily terrified about what's occurred. There are 10 million people for whom some of their data has been stolen from Optus. We do not have any evidence that that data has fallen into nefarious hands at this moment. What I am worried about is the 10,200 Australians who we know have had their data shared online for a period of time and we do not know where that data has gone and who has access to it.

So what I have said very clearly to Optus today is they need to go beyond an email. They need to contact every single one of those people and ensure that they understand that they are in this data set and that they are taking the necessary steps to protect themselves against financial crime. So that is the big focus at the moment. And if I can just say one more comment in closing about Optus. Optus are collaborating with the Federal Government in some really important ways and I want to thank them for that. I do want to indicate that the magnitude of what has happened here is enormous. This data has gone now. It will be out there forever and this has introduced a permanent vulnerability for us as Australians. Millions of people have had their records released somewhere into the ether and they may come up to us in five years, in ten years’ time. So don't think that this is going away.

We are going to be tackling this matter tomorrow and next week and in a year's time and in five years’ time. And this is what Optus has got to understand. This is a grave and significant breach which has national implications and we ask them to work with us in every way possible to make sure that Australians are protected from their error and we'll close up there.

Thanks everyone.