September 28, 2022
The Albanese government has escalated its attacks on Optus over the company’s massive data breach, demanding to know why customers were not informed their Medicare numbers may have been accessed as part of the cyber attack that hit almost 10 million accounts.
The confrontation between the government and the telco followed an incident in which someone claiming to be the hacker released unverified details of 10,000 customers online but then withdrew demands that Optus pay $1.55 million to prevent the release of more customer data.
The purported hacker claimed they were attracting too much attention and had deleted the data as authorities including the Federal Bureau of Investigation (FBI) in the United States joined the Australian Federal Police’s probe into the hack’s origins.
‘‘Deepest apology to Optus for this,’’ the anonymous poster said in a claim that prompted Optus to confirm it had not paid a ransom.
Pressure is growing on embattled Optus boss Kelly Bayer Rosmarin, with opposition cybersecurity spokesman James Paterson calling on her to resign if the company’s defence of its security practices turns out to be misleading.
‘‘The federal government and Optus must publicly clarify the facts about this hack, because if the Optus CEO has misled the public ... as the minister has implied in her comments, then Ms Bayer Rosmarin’s position is clearly untenable,’’ Paterson said. Bayer Rosmarin vowed to stay on in her job despite the attack, insisting the company was not a ‘‘villain’’ and rejecting the government’s accusations the company left itself open to a ‘‘quite basic’’ hack.
Clare O’Neil, the minister responsible for cybersecurity, doubled down on her criticisms of Optus, saying she was very concerned about reports that Medicare numbers were included in the hack.
‘‘Medicare numbers were never advised to form part of compromised information from the breach,’’ O’Neil said in a statement.
She said Optus should tell consumers exactly what personal information had been stolen from their accounts as a priority. Optus customers were informed following the attack that ID document numbers had been compromised but driver’s licences and passports were given as examples, not Medicare.
Bayer Rosmarin said there was ‘‘misinformation’’ about her company’s cybersecurity but did not deny that personal customer information was accessed through an application program interface, a common way for computers to exchange information.
‘‘Our data was encrypted and we have multiple layers of protection,’’ Bayer Rosmarin said yesterday. ‘‘So it’s not the case of having some completely exposed API sitting out there.’’ O’Neil said on Monday night that Optus had ‘‘effectively left the window open for data of this nature to be stolen’’, flagging bigger fines for data breaches, tougher laws on telecommunications companies and reforms to consumer information rules.
Paterson said he agreed with O’Neil that it was not a sophisticated cyberattack. Responding to enquiries from Paterson, Foreign Minister Penny Wong told the Senate the government would consider whether to waive fees for new passport applications for Optus customers affected by the hack.
Attorney-General Mark Dreyfus revealed the FBI, America’s principal law enforcement agency, was assisting the AFP in Operation Hurricane, its investigation into who was behind the attack.
Bayer Rosmarin argued Optus should not be seen as the wrongdoer and was doing everything it could to help customers. ‘‘We are not the villains,’’ she said.
Someone claiming to be the hacker warned that 10,000 more records would be released each day over four days unless Optus paid a $1.55 million ransom.
The purported hacker yesterday reversed course, saying: ‘‘Too many eyes. We will not sale [sic] data to anyone. We can’t even if we want to: personally deleted data from drive (only copy).’’