Be interesting to see how the Office of the Australian Information Commissioner handle this one.
Whilst not a data leak, credentials were still stored in an improper (plain text) way, which has allowed them to be siphoned out via a cyber attack. How that attack occurred is a completely different story altogether.
But (what the OAIC class as) "personal and private information", should ALWAYS be encrypted in some fashion, or scrubbed after it is used.
I'd imagine there's going to be a rather large fine coming Optus's way for improper handling of customer information. Data like that should be WAY back in Optus's systems, and not accessible by way of a systems breach on the edge of their network.
I'd find it hard to imagine that someone's hacked all the way to a several DMZ / firewalled deep server housing customer information, and likewise I highly doubt it's been a hack that's happened from a store.
For example's sake with Centrelink's systems (EssWeb), they actually cannot be accessed except if connected to via a totally secure network. So you can't use free or shared Wi-Fi to connect to it.