Optus data to be shared with banks

The Optus breach saw almost 10 million customers have their personal details (including names, dates of birth, addresses, phone numbers and licence numbers) stolen on 22 September.

While banking details and passwords were not obtained, according to Optus, the federal government has prepared amendments, for the Governor-General, to the Telecommunications Regulations 2021 to “better protect Australians".

The amendments will enable telecommunications companies to temporarily share approved government identifier information (such as driver’s licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach.

The proposed regulations cover financial institutions that are regulated by APRA, excluding branches of foreign banks.

Announced by Treasurer Jim Chalmers and Communications Minister Michelle Rowland, the rules state that financial institutions must destroy any information received once it is no longer required.

In addition, information can only be used for the “sole purposes of preventing or responding to cyber security incidents, fraud, scam activity or identity theft”.

“Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach,” Mr Chalmers said.

"Our Government has been working in lockstep with banks and financial regulators to facilitate the safe and secure sharing of data between Optus and regulated financial institutions, with appropriate safeguards, to improve consumer protection.

“These new measures will assist in protecting customers from scams, and in systemwide fraud detection.”

Entities that wish to receive the data must provide written commitments to the ACCC that they will comply with their obligations under the Privacy Act 1998.

In addition, the Council of Financial Regulators’ cyber security working group will examine and report on options to further improve the ability of financial institutions to identify at-risk customers and credentials by utilising an existing secure and privacy-protecting data-sharing platform.

This will further enable financial institutions to enhance their protections for consumers from financial crime.

APRA said it will work closely with the Federal Government, peer regulators and other relevant bodies to “facilitate closer coordination and a controlled process of data sharing”.

[Related: Businesses must learn from landmark RI advice court decision]