Australian telecommunication company Optus suffered a devastating data breach on September 22 that has led to the details of 11 million customers being accessed.
The information accessed includes customers’ names, dates of birth, phone numbers, email addresses, home addresses, driver’s license and/or passport numbers and Medicare ID numbers. Payment detail and account passwords were not compromised in the breach.
Optus confirmed that it has now contacted all customers to notify them of the cyber-attack’s impact, beginning with those who had been affected by the breach and finishing with those who had not had their data accessed.
How did the breach happen?
It is unclear how the breach happened, as Optus has only confirmed that it involved someone gaining unauthorized access to its servers. In a statement, the company said that the breach was shut down “as soon as it was discovered” but that it cannot provide any further details as the attack is currently under investigation by the Australian Federal Police.
Someone claiming to be the hacker told Australian journalist Jeremy Kirk that they had “accessed an unauthenticated API endpoint” meaning that they did not have to log in to access the data and that it was “all open to internet for any one[sic] to use”.
Following the breach, there was a rise in phishing attacks and fraud attempts against those who had been directly affected by the cyber-attack. This increase in phishing attacks led to Optus warning customers that no communication from them would include hyperlinks, and that if they received a communication from someone claiming to be Optus with a link in it, it was illegitimate.
Optus also offered a 12-month subscription to credit monitoring and identity protection service Equifax Protect to reduce the risk of identity theft for those who had their data accessed in the breach.
Supposed hacker attempts to extort Optus
A person claiming to be the hacker responsible for the data breach posted a small sample of the customer data stolen to the hacking forum Breached on September 23.
Using the alias optusdata, the hacker demanded that Optus pay them US$1 million ransom, or they would leak the data of all 11 million customers affected by the breach. Due to the ongoing federal investigation, Optus was unable to verify the validity of the data posted.
When Optus did not respond to the ransom demand, optusdata then posted a text file of 10,000 customer data records on September 26, allowing other malicious actors to use the data in their own phishing campaigns.
Victims of the breach reported on September 27 that they had been contacted with demands that they pay AU$2,000 (US$1,300) or their data will be sold to other hackers.
However, on the same day, the supposed hacker posted a new message on Breached, rescinding their demand and apologizing to Optus.
The hacker said there were “too many eyes” so they will not be selling the data to anyone and claimed that they had deleted all the data from their personal drive, and that they had not made any copies. They offered an apology also to the 10,200 people who had their data exposed via their posts on Breached, and to Optus itself, saying “hope all goes well with this”.
They finished by saying they “would have reported [the] exploit if [Optus] had [a] method to contact” and that while the ransom was not paid, they “dont[sic] care anymore” as it was a “mistake to scrape publish data in the first place”.
It has still not been confirmed by Optus or the Australian Federal Police if those behind the optusdata account are actually responsible for the hack.
The impact of the breach on Australian law
In Australian parliament on September 26, Home Affairs Minister Clare O’Neil blamed Optus for the attack, saying that the “breach is of a nature that we should not expect to see in a large telecommunications provider in this country”, and so “responsibility for the security breach rests with Optus”. Prime Minister Anthony Albanese said the breach should be “a huge wake-up call for the corporate sector”.
Following this, the government announced that they will be introducing “very substantial” reforms including increasing the fines under the Privacy Act, which are currently capped at AUS$2.2 million, which O’Neil described on ABC’s 7.30 program as “totally inappropriate”.
On September 29, O’Neil said in a tweet that Australia is “probably five years behind where we need to be” and that she “think[s] the Australian Government needs to lift its standards too”.
Optus faces a class action lawsuit
Optus could now be facing a class action lawsuit as a result of the breach, with two legal companies announcing that they will be investigating them.
On September 26, legal firm Slater & Gordon announced that they would be “investigating a possible class action against Optus on behalf of current and former customers who have been affected by the unauthorised access to customer data”.
Days later, on September 28, legal firm Maurice Blackburn also announced that it would be “investigating a fresh legal claim against Optus”.
This is the second time that Optus has faced a class action claim from Maurice Blackburn, the first in April 2020 when Optus mistakenly provided the personal information for 50,000 customers to marketing company Sensis.
A full timeline of events
- September 22 – the data breach of 11 million customer’s data is discovered by Optus
- September 23 – optusdata posts ransom on Breached
- September 26 – optusdata posts 10,000 customer records on breached
- September 26 – Home Affairs Minister Clare O’Neil blames Optus for the attack
- September 26 – Slater & Gordon announce its class action investigation
- September 27 – those affected by the breach report being extorted for their data
- September 27 – optusdata deletes their earlier posts and issues an apology to victims of the breach and Optus
- September 28 – Maurice Blackburn announce its class action investigation