O’Neil said responsibility for the breach laid squarely at the feet of the telco giant and that the government was looking at ways to mitigate the fallout from the breach.
Optus revealed on Thursday it had been the target of a cyber attack that exposed the personal information of up to 9.8 million Australians, including details such as driver’s licence and passport numbers.
“The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” the minister told parliament on Monday.
“We expect Optus to continue to do everything they can to support their customers and former customers.”
The minister called on the telco to provide free credit monitoring to former and present customers who had their data stolen in the breach.
O’Neil said the government was looking to work with financial regulators and the banking sector to see what steps could be taken to protect affected customers.
“One significant question is whether the cyber security requirements we place on large telecommunications providers in this country are fit for purpose,” she said.
“In other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.”
Prime Minister Anthony Albanese said the Optus data breach was a “huge wake-up call”.
As the government prepares to introduce new cybersecurity measures, Albanese said the new protections would mean banks and other institutions would be informed much faster when a breach happened so personal data could not be used.
“We know in today’s world there are actors – some state actors but also some criminal organisations – who want to get access to people’s data,” he told Brisbane radio station 4BC on Monday.
Optus said it had sent emails or text messages to all customers who had identification documents compromised in the cyber attack.
“We continue to reach out to customers who have had other details, such as their email addresses, illegally accessed,” it said.
Payment details and account passwords have not been compromised.
It comes as opposition home affairs spokeswoman Karen Andrews introduced a bill to parliament to crack down on cyber criminals.
The bill includes a new stand-alone offence for cyber extortion and introduces tougher penalties for those preying on vulnerable Australians online.
Cybercriminals who use ransomware would face 10 years in prison while those targeting the country’s critical infrastructure would face a maximum 25 years.
“It’s designed to disrupt and deter cybercriminals who engage in ransomware and cyber extortion activities targeting Australians and Australian businesses,” Andrews told parliament on Monday.
“It hits the cybercriminals where it hurts the most and that’s in their hip pocket. These are all sensible measures that will create a greater deterrence and therefore reduce the incidence of ransomware attacks.”
The opposition has accused the government of dropping the ball on cybersecurity.