September 28, 2022
OPTUS customers are right to be “furious” at the lack of security around their personal information as the hacker purportedly behind the massive breach claims to have deleted the stolen data.
The telco giant has been slammed for initially failing to disclose customers’ Medicare numbers were a part of the data hack, which only came to light on Tuesday when an online account claiming to be behind the breach published 10,200 customer records online.
In a post to the website Breach Forums, the anonymous user initially threatened to post further batches of data from more than 2.8 million compromised customers unless a ransom of $US1m was paid by Optus.
But hours later the same account claimed to have deleted its only copy of customers’ information and said they no longer cared about a ransom.
Home Affairs Minister Clare O’Neil said Optus “never advised” the federal government that Medicare numbers were compromised in the breach.
“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them,” she said.
Ms O’Neil said she wanted to reassure people that government agencies, including the Australian Signals Directorate and the Australian Federal Police (AFP), were “working round the clock” to respond to the attack.
It can also be revealed there are concerns other types of identification, including Defence Force IDs, may have been compromised in the hack as they can be used to verify people similar to a driver’s licence or passport.
Senior federal ministers have been meeting regularly to discuss the breach, and the government is preparing a response – including tightening regulations and potentially introducing penalties – to try and protect against similar attacks in the future.
Opposition cyber security spokesman James Paterson said the apparent lack of security at Optus was “frankly not good enough”.
“They hold incredibly sensitive personal information on all of their users, and they should be very well equipped to prevent exports of data like this,” he said. “Optus customers are absolutely entitled to be furious.”
Sydney communications worker Georgina Smith, 31, said she felt anxious after Optus told her via text message that her personal information had been accessed.
“At the moment I’m not sure what to do, whether I should be looking at changing my email address and phone number,” she said. “I’m anxious and stressed, I feel like there’s not enough guidance.”
The NSW government has announced it will re-issue the driver’s licence of every Optus customer in the next 10 days, with the telco to reimburse the state for the cost.
On Tuesday the online account that claimed to be behind the data breach said it had deleted its only copy of customers’ information.
“Ransom not payed (sic) but we don’t care any more,” the user said.
“Was mistake to scrape publish data in first place.”
Claiming there were now “too many eyes” on the data, the alleged hacker said they would not sell the information “to anyone”.
“We can’t if we even want to: personally deleted data from drive (Only copy),” the user said, apologising to Australians who had been impacted.
AFP have launched an investigation, which Assistant Commissioner Cyber Command Justine Gough said was going to be complex and lengthy.
“We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities,” she said. “Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them.”
Optus chief executive Kelly Bayer Rosmarin told ABC on Tuesday the company was doing “everything possible to be transparent, to be on the front foot” and was not “the villains” of the story.
In response to questions regarding European privacy laws, which expose telcos to millions of dollars in fines for similar breaches, Ms Bayer Rosmarin said: “I’m not sure how penalties would benefit anybody”.