Significant customer data exposed in attack on Australian telco
Subscribers have questions – like 'When were you going to tell us?'
Australian telecommunications company Optus has fallen victim to a significant cyberattack and data breach.
Coming clean on Thursday, Optus said the attack exposed information including customers' names, dates of birth, phone numbers and email addresses, and, for some, physical addresses and ID document numbers such as driving licence or passport numbers. Payment details and account passwords were not compromised.
In other words, enough information to open a bank account.
Optus CEO Kelly Bayer Rosmarin said the company was "devastated."
"As soon as we knew, we took action to block the attack and began an immediate investigation," added Rosmarin. "While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance."
Rosmarin reportedly said the company caught on after noticing "unusual activity" and was trying to discern "who has been accessing the data and for what purpose."
The company said it will undertake proactive personal notifications and offer expert third-party monitoring services for those who believe they are at heightened risk.
Multiple entities such as the Australian Cyber Security Centre, the Australian Federal Police, and the Office of the Australian Information Commissioner have been notified or are working with Optus to lock down its systems, prevent future breaches, and find the culprits. Those culprits are thought to be either a criminal or state-sponsored organization.
The Office of the Australian Information Commissioner (OAIC) said it was engaging with Optus to ensure it was compliant with the requirements of the Notifiable Data Breaches scheme.
Under the scheme, an organization subject to Australian privacy law must inform affected individuals when a data breach is likely to cause serious harm, including identity theft. And although Optus publicly disclosed the incident, many customers are upset they were not notified individually.
The general response from Optus customers has been along the lines of "that's all well and good they notified OAIC, wish they notified me," and some are seeking further clarifications of what appropriate "vigilance" includes.
One Optus user tweeted:
not one email or sms from @Optus even out of courtesy. it's not like they don't have our contact details.
— Jock (@CharacterEyes) September 22, 2022
Another thought Optus had some customer relations repair work to do:
pretty bold of optus to send me a bill this month. I think this one is on you guys, actually
— lavender baj (@lavosaurus) September 23, 2022
Optus said it would be contacting impacted customers "soon."
Much about the attack remains unknown, including what malware, if any, was used and how long the attacker had access to the information. Optus asserts that its services remain safe to use and operate.
The company, which has over 9 million subscribers, had its CISO leave last month. The man formerly in the role, Dr Siva Sivasubramanian, said his heart was bleeding for Optus and that he had offered support and services to the "current cyber management team." ®
Updated to add
Someone on an underground cybercrime forum is claiming they stole the account data of 11.2 million people from Optus, and they're demanding $1 million in cryptocurrency not to sell the information:
Someone is claiming to have the stolen Optus account data for 11.2 million users. They want $1 million in the Monero cryptocurrency from Optus to not sell the data to other people. Otherwise, they say they will sell it in parcels. #optus #auspol #infosec #OptusHack
— Jeremy Kirk (@Jeremy_Kirk) September 23, 2022