Former Telstra boss David Thodey urges companies to wipe non-essential customer data

David Thodey, former chief executive of Telstra, has called on Australian businesses to erase personal data not essential in the wake the Optus cyberattack.

Mr Thodey told a company directors’ forum in Perth that companies should be questioning why they are still storing certain customer details given the increasing risk of cyber breaches, and “if we don’t need to hold it, let it go”.

His comments were made as the Federal Government revealed new regulations that will allow Optus and other Telcos to share government identification data, including passport numbers, Medicare data, and bank information to prevent fraud.

This initiative is part a larger government response to the cyberattack that exposed the details of almost 10 million Optus customers.

On Thursday, Mr Thodey, who was Telstra's chief executive for six years until mid-2015, said at a forum of Australian Institute of Company Directors that the Optus breach should be a wakeup call for complacent boards.

“I don’t think any of us need a reminder of how important it is,” he said. “It’s been a real challenge for Optus.”

Cyber security has become a priority for directors in recent years. However, there are still questions about how serious companies treat the threat and what actions they are taking to reduce the likelihood of an attack.

A recent survey of 850 directors by the AICD and the Australian Information Security Association found that while 72 per cent of respondents identified cyber security as a “high priority” issue for their boards, just 23 per cent of their companies had recruited directors with cyber skills.

Mr Thodey said a failure to protect a customer identities was a major risk to a company’s reputation.

He stated that companies should review what customer information they have and how it is protected in the wake the Optus cyberattack.

“All of our organisations hold data,” he said. “I’d encourage you to ask the management team, ‘what data do you hold on people and why, and is it encrypted’?”

Mr Thodey said companies also needed a policy to address whether they delete personal data at the customer’s request.

The Optus breach exposed information also stored about past customers who are angry that their information was still in the telco’s systems years after they left the group.

Not-for-profit director Fiona Payne recounted to the forum her recent experience of a major cyberattack where the organisation concerned wasn’t even aware that it was still storing certain information.

“One of the challenges we had then was going back to the people whose data had been compromised was actually knowing who those people were,” Ms Payne said.

“And it turned out that some of them were people who had applied for jobs years and years ago. It’s just not employees and suppliers (who are at risk of a cyberattack), but there’s a whole lot of people we didn’t even know we had data about.”