September 29, 2022
Thousands of Australians caught up in the Optus data breach remain at risk even if the hacker followed through with a promise to delete their details.
The claim was made after details were revealed of a further 10,000 people, on top of a sample of 200 that was released in an initial post over the weekend on a public-facing breach forum.
Cybersecurity experts believe the released data could be genuine, but there are no guarantees. And if it was real, there is no way to guarantee the promise of deleting the data has been carried through.
“I don’t think we trust the word of [the hacker] in relation to the data being deleted,” McGrathNicol cyber partner Shane Bell said.
“Let’s say the best-case scenario the data has been deleted, then we know that a sample of 10,000 was available and can assume it was downloaded on a number of occasions by various people. So the people contained in that data set would absolutely remain at risk.”
The alleged hacker recanted as the Australian Federal Police and the US Federal Bureau of Investigation started looking into the matter.
“We underestimate that or forget about that,” Mr Bell said. “Law enforcement agencies and the others there, they are allowed to exercise offensive cybersecurity capabilities from a law enforcement perspective, whereas the rest of us are not – we’re entitled to do active or passive defensive mechanisms – but these agencies are allowed to do that offensive part of cybersecurity.
“I think that part of it probably makes a lot of threat actors nervous because the skills of people like the FBI and the [Australian] Signals Directorate are pretty good.”
The federal government and Optus disagree about the sophistication of the alleged hacker – the telco insists it was a complex attack, whereas the government maintains it was simpler.
But Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said he suspected “this was a case of a low-level hacker, possibly a kid or young adult, getting cold feet when he or she realised how much attention the incident was attracting from law enforcement”.
“It’s also possible that the owner of the forum may have pressured the hacker. Coming under such intense scrutiny probably isn’t good for business – which is precisely why some cybercrime forums attempted to distance themselves from ransomware.”
Mr Callow said there was no way to know whether the hacker deleted the data.
“So nothing has really changed for the people who’ve been impacted by the breach. They have to assume that they’re still at the same level of risk of identity fraud as they were previously,” he said.
Even if the hacker is telling the truth, the details of the 10,200 people have already proliferated, leaving them open to the risk of identity fraud.
The NSW, Victorian, Queensland and South Australian governments began allowing those who can prove they are victims of the hack to receive drivers’ licence replacements immediately.
NSW will charge a $29 replacement fee, which the state government said would be reimbursed by Optus.
Coalition senators James Paterson and Simon Birmingham want the government to waive fees and fast-track new passports for affected Optus customers.
“Victims of the Optus cyber hack should not have to wait or pay significant amounts of fees to secure their personal information, and obtain a new passport,” the senators said in a statement.
“While Optus must take responsibility for what may be the largest data breach in Australian history, the Albanese government has a responsibility to help Australians take steps to protect their personal information and security.”
Prime Minister Anthony Albanese said in question time on Wednesday afternoon that Foreign Minister Penny Wong had written to Optus asking it to cover the costs of customers who would need to apply for a new passport.