The fallout from a massive data breach at Optus has exposed critical flaws and questionable stances within the company. 

An online account claiming to have the data of potentially millions of Optus accounts says it has released 10,000 records and will publish more unless a ransom is paid.

The account says it has been selling the stolen records, which include email addresses, dates of birth, first and last names, phone numbers, and drivers licence and passport numbers.

Optus chief Kelly Bayer Rosmarin says the company is doing “everything possible to be transparent, to be on the front foot”.

An Optus insider allegedly told reporters that “this breach, like most, appears to come down to human error”. 

“[They] wanted to make integrating systems easier, to satisfy two-factor authentication regulations from the industry watchdog, the Australian Communications and Media Authority (ACMA),” according to reports. 

This allegedly included exposing the Optus customer identity database to other systems through an application programming interface (API), on the assumption that only authorised company systems would be able to call it.

“Eventually one of the networks it was exposed to was a test network which happened to have internet access,” the person said. 
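The failure mode described above, an internal lookup API that decides who may read identity records by which network the request arrives from, becomes an open door the moment any "trusted" segment gains internet access. The added example below is not Optus's code and makes no claim about how its systems actually worked; it contrasts that pattern with an endpoint that authenticates every call, using a constructed customer table, hypothetical service names (`billing-svc`, `mfa-svc`), a hypothetical issuer key, and an invented `identity:read` scope.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample identity records for the example (not real data).
CUSTOMERS = {
    "c-1001": {"name": "Ada Example", "dob": "1990-01-01", "licence": "AB123456"},
    "c-1002": {"name": "Ben Example", "dob": "1985-06-15", "licence": "CD789012"},
}

# Hypothetical key shared only between the token-issuing service and the
# identity API. Consumers of the API never hold it; they hold tokens.
ISSUER_KEY = b"constructed-issuer-key-for-the-example"


def lookup_customer_network_trust(customer_id, caller_network):
    """The pattern the article describes: the caller's network segment is the
    only check. Once 'test-net' is reachable from the internet, every record
    is readable by anyone who can reach that segment."""
    if caller_network in {"corp-internal", "test-net"}:
        return CUSTOMERS.get(customer_id)
    return None


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(service: str, scopes: list, ttl: int, now: float = None) -> str:
    """Mint a short-lived HMAC-signed token naming the service and its scopes.
    Only the issuer (holder of ISSUER_KEY) can produce a valid signature, so a
    service cannot grant itself extra scopes."""
    now = time.time() if now is None else now
    claims = {"svc": service, "scopes": scopes, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: float = None):
    """Return the claims if signature and expiry check out, otherwise None.
    Malformed input of any kind is treated as an invalid token."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def lookup_customer_authenticated(customer_id, token, now=None, audit=None):
    """Hardened form: every request must prove which service sent it, and that
    service must hold 'identity:read'. Network position plays no part, so
    exposing the endpoint to one more network leaks nothing.
    Returns (status, record) with HTTP-style status codes."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, None                      # unauthenticated
    if "identity:read" not in claims["scopes"]:
        return 403, None                      # authenticated, not authorised
    if audit is not None:                     # who read which record
        audit.append((claims["svc"], customer_id))
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record is not None else (404, None)


if __name__ == "__main__":
    # A host on the internet-reachable test network, with no token at all:
    print(lookup_customer_network_trust("c-1001", "test-net"))     # full record
    print(lookup_customer_authenticated("c-1001", ""))              # (401, None)
    tok = issue_token("mfa-svc", ["identity:read"], ttl=300)
    print(lookup_customer_authenticated("c-1001", tok))             # (200, {...})
```

The point of the contrast is the second line of output: the same request from the same network gets nothing once the API requires a credential rather than a network position. The HMAC token here is a stand-in for whatever the real token service or mutual TLS would provide; what matters is that scope checks and an audit trail sit on the API itself, not on the assumption that only trusted systems can reach it.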

Home Affairs Minister Clare O'Neil has slammed the company, saying the successful breach came from a “basic” attempt by cyber criminals. 

“We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen,” Ms O'Neil said this week. 

“Responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” Ms O'Neil said in parliament.

She said the Albanese government would pursue “very substantial” reforms in the wake of the massive Optus breach, including increasing penalties under the Privacy Act that are currently capped at $2.2 million.

Optus responded by announcing it will offer free one-year subscriptions to Equifax Protect, a credit monitoring and identity protection service, to the “most affected” customers. 

The Australian Federal Police is working with overseas law enforcement to identify the people behind the breach, while law firm Slater and Gordon said today that it is investigating a possible class action against Optus on behalf of current and former customers.

The data breach has also served as a reminder that, in the 2020 review of the federal Privacy Act, Optus argued against giving people the right to have their personal information erased and the right to take direct legal action against companies over breaches.

Additionally, it has exposed many affected users to Australia’s patchwork of rules for changing drivers licence numbers. Many are frustrated that some states will not let them change their licence number until it has already been used for fraudulent activity, meaning they must wait to be victimised before anything can be done.