Companies could be forced to report loss of data to customers after cyberattacks
O’Neil said the critical infrastructure laws were “not just about data” and could include compelling companies to resume their services.
“One example from the states has been the need to compel utilities to continue to provide services within a specific date,” she said.
O’Neil also accused former Liberal communications minister Paul Fletcher of doing a “sweetheart deal with the telecommunications companies that kept them out” of the critical infrastructure laws.
Fletcher last week defended his actions, saying the laws now applied to the telco sector which included “tough powers that the minister for home affairs can exercise”.
The government has also flagged a major overhaul of privacy laws within months, with Attorney-General Mark Dreyfus questioning why Optus kept customers’ personal document identification numbers for years, even after they had left the telecommunications giant.
The reforms could include forcing companies to cut back the vast amounts of sensitive data they retain about their customers.
Retired major general Marcus Thompson, a former head of the Australian Defence Force’s information warfare division, said there were a number of measures in the previous government’s original proposal for critical infrastructure laws that could also be revisited.
He said this included “measures that put more positive obligations on companies to take this seriously”.
Thompson, now a strategic adviser with cybersecurity firm Paraflare, said areas of reform could also include broadening out the critical infrastructure laws to more sectors.
“[The Security of Critical Infrastructure Act] is just about those 11 industry sectors. We’ve got a good chunk of our economy outside those 11 industry sectors,” he said.
“So what happens if next time it’s a big company that is not defined by one of those 11 industry sectors?”
In the wake of the Optus attack, hackers are taking advantage of the publicity to sell old data on the dark web.
In a recent post on a dark web site, a hacker claimed to hold hundreds of thousands of NAB and Telstra accounts, including email addresses, names and account numbers.
However, the breach was actually of a third-party firm called Pegasus, which the two companies had used some years ago for their employee rewards programs. The hackers appear to hold only dated information about staff and do not have any information about NAB or Telstra customers.