Australian Federal Police arrest man suspected of exploiting Optus cyberattack
Customers were allegedly sent texts demanding $1,300 or face having ID used in financial crime
Aussie police have cuffed a 19-year-old Sydney resident accused of trying to extort money from victims of the recent cyberattack and digital burglary at national telecommunications provider Optus.
The Australian Federal Police (AFP) said today it was alerted to the blackmail attempt when some Optus customers were told to transfer AU$2,000 ($1,300) to a bank account or have their personal data used for financial crimes.
The unnamed individual is alleged to have used 10,200 of the records on customers that were uploaded to the web following the attack in September, including names, dates of birth, phone numbers, email addresses, home addresses, driving licenses, and passports.
The man is claimed to have used a bank account held in the name of a juvenile, and when the AFP raided his home in Rockdale, southern Sydney, they found a phone allegedly linked to the text messages. He is understood to have sent texts to 93 Optus customers whose personal information was leaked after the attack.
This week, Optus, which has hired Deloitte to undertake an external review of the cyberattack, confirmed [PDF] that of its 9.8 million customers, 1.2 million had a current and valid form of ID and personal information compromised, and 900,000 have had records relating to expired ID/personal information exposed.
So far it looks as if not one Optus customer targeted by the alleged Sydney blackmailer gave in to his demands and paid up.
The defendant is due to appear in a Sydney court on October 27 charged with two offences:
a. Using a telecommunication network with the intent to commit a serious offence, contrary to section 474.14 (2) of the Criminal Code Act 1995 (Cth), where the serious offence is blackmail, contrary to section 249K of the Crimes Act 1900 (NSW). This offence is punishable, upon conviction, by a penalty not exceeding that of the serious offence, being a maximum penalty of imprisonment for 10 years; and
b. Dealing with identification information, contrary to section 192K of the Crimes Act 1900 (NSW). This offence is punishable by a maximum penalty of imprisonment for 7 years.
The man was not suspected of being behind the Optus attack but tried to exploit the incident for financial gain, said Assistant Commissioner Cyber Command Justine Gough.
"Last week, the AFP and our state and territory partners launched Operation Guardian to protect the most vulnerable customers affected by the Optus breach and we were absolutely clear that there would be no tolerance for the criminal use of this stolen data.
"The AFP-led JPC3 has diverted significant resources to protect those customers at risk from identity fraud. We understand how worried some members of the community are, and I want to give the community reassurance that the AFP and our partners are working around the clock to help protect your personal information.
"Secondly, the warning is clear. Do not test the capability or dedication of law enforcement. The AFP, our state partners and industry are relentlessly scouring forums and other online sites for criminal activity linked to this breach. Just because there has been one arrest does not mean there won't be more."
Operation Hurricane, the AFP investigation to unearth the person or persons behind the Optus attack, continues. AFP has asked the FBI to help with its probe. ®