Australia’s second-largest telco Optus said it suffered a cyber attack that compromised the personal data of millions of customers.
Optus said hackers accessed the personal information of an undisclosed number of customers, including names, dates of birth, phone numbers, email addresses, driver’s licence, and passport numbers. However, the breach did not compromise customers’ bank account information, payment details, and account passwords.
Optus began notifying impacted customers by SMS and email and reported the alleged hack to the Australian Federal Police. Additionally, the company coordinated with the Australian Cyber Security Centre to mitigate anticipated security risks. Optus also reported the incident to the Office of the Australian Information Commissioner and other regulators and notified financial institutions.
Based in Macquarie Park north of Sydney, Australia, the subsidiary of Singaporean telecommunications giant Singtel has a customer base of about 10 million.
Optus cyber attack potentially exposed personal data of up to 40% of Australians
Optus did not disclose the total number of customers impacted by the recent cyber attack.
However, the company’s CEO Kelly Bayer Rosmarin suggested a worst-case scenario where 9.8 million of 10 million Optus customer accounts, equivalent to 40% of the Australian population, were likely compromised.
According to Minister for Cyber Security Clare O’Neill, basic personal information of 9.8 million people was accessed, while extensive personal data for another 2.8 million was exposed.
Even worse, the Optus cyber attack impacted former customers because the company is obligated to store verification records for six years.
Optus has offered affected customers 12 months of free credit monitoring services with Equifax to protect them from identity fraud. Additionally, Optus customers should take additional measures to protect themselves from fraud by monitoring their bank account and credit card statements for suspicious activity. Data breach victims should also remain vigilant for phishing attacks attempting to steal personal data by impersonating Optus support staff.
Optus forewarned its customers that the breach notification messages would not include any links to prevent hackers from further taking advantage of the situation.
Threat actor demanded $1 million in ransom from the Optus data breach
The telco giant did not disclose the identity of the hackers responsible for the alleged sophisticated cyber attack. Instead, Optus attributed the intrusion to an unnamed foreign threat actor whose IP address hopped across unspecified European countries.
Similarly, the company did not disclose when the Optus cyber attack occurred but suggested that the data breach is resolved.
Meanwhile, a threat actor identified as “Optusdata” claimed responsibility for the attack and published 100 records of the stolen data on the popular hacking platform BreachForums.
They demanded a $1 million ransom in Monero cryptocurrency, threatening to publish all 11.2 million records in batches. Subsequently, the threat actor released the first batch of 10,000 records, promising to release more until Optus complied.
However, the attacker unexpectedly changed their mind, citing “too many eyes”, and promised not to sell or publish more data. Additionally, they apologized to the 10,200 customers whose personal data they had exposed, and to Optus for scraping the database, claiming they had no way of reporting the data breach.
“The overreaching consequences of this attack are still to be uncovered,” said Curtis Simpson, CISO at Armis. “With sensitive data of millions of customers leaked, it has become one of the largest attacks Australia has ever experienced.”
Experts suspect a human error in the Optus “cyber attack”
A senior figure in Optus told ABC on the condition of anonymity that an unsecured API caused the data breach, a claim Optus vehemently denied.
The source claims that Optus wanted to ease the system integration process to allow seamless integration of two-factor authentication in compliance with the Australian Communications and Media Authority (ACMA). However, the process exposed a test system that could access personal data and had internet access.
Optus CEO Rosmarin ruled out human error in response, adding that her company had “strong cyber defenses” and that the incident was still under investigation.
The threat actor had previously disclosed that no authentication was required and blamed Optus for lacking a bug bounty program, security email, or contact method to report the flaw.
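The two claims above, that a customer-lookup endpoint answered without authentication and that the database was scraped record by record, describe a pattern that access logs would have shown while it was happening. The following script is an added example, not code from the article or from Optus; it assumes a constructed access-log format (timestamp, client IP, method, path, status, and whether an Authorization header was present) and a hypothetical `/api/v1/customers/<id>` path, and flags two things a defender would want to alert on: any customer record served with a 200 status and no credential, and any single client reading an unusually large number of distinct customer IDs inside a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format (an assumption for this example, not Optus's real logs):
#   <ISO8601 timestamp> <client_ip> <method> <path> <status> <auth>
# where <auth> is "bearer" when an Authorization header was present, else "none".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<auth>\S+)$"
)
# Hypothetical per-customer endpoint; the numeric id is what a scraper would walk.
CUSTOMER_PATH_RE = re.compile(r"^/api/v1/customers/(?P<cid>\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    cm = CUSTOMER_PATH_RE.match(rec["path"])
    rec["cid"] = int(cm.group("cid")) if cm else None
    return rec


def analyse(lines, window=timedelta(minutes=5), distinct_threshold=20):
    """Return findings: unauthenticated successes and per-client enumeration counts."""
    findings = {"unauthenticated_success": [], "enumeration": {}}
    recent = defaultdict(deque)  # client_ip -> deque of (timestamp, customer_id)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cid"] is None:
            continue  # not a customer-record request; ignore
        # Finding 1: a customer record was served with no credential at all.
        # On a correctly configured endpoint this should never occur.
        if rec["status"] == 200 and rec["auth"] == "none":
            findings["unauthenticated_success"].append((rec["ip"], rec["cid"]))
        # Finding 2: sliding window of distinct customer ids per client.
        dq = recent[rec["ip"]]
        dq.append((rec["ts"], rec["cid"]))
        while dq and rec["ts"] - dq[0][0] > window:
            dq.popleft()
        distinct_ids = {cid for _, cid in dq}
        if len(distinct_ids) >= distinct_threshold:
            prev = findings["enumeration"].get(rec["ip"], 0)
            findings["enumeration"][rec["ip"]] = max(prev, len(distinct_ids))
    return findings


def build_sample_log():
    """Constructed sample traffic: one legitimate client, one rejected request, one scraper."""
    lines = []
    base = datetime(2022, 9, 20, 10, 0, 0)
    # Legitimate app traffic: an authenticated client re-reading its own record.
    for i in range(3):
        t = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f"{t} 203.0.113.5 GET /api/v1/customers/424242 200 bearer")
    # An unauthenticated request that the API correctly rejected (no finding).
    t = (base + timedelta(seconds=5)).strftime(TS_FMT)
    lines.append(f"{t} 192.0.2.9 GET /api/v1/customers/424243 401 none")
    # Scraper walking sequential ids, one per second, with no credential and 200 responses.
    for i in range(25):
        t = (base + timedelta(seconds=10 + i)).strftime(TS_FMT)
        lines.append(f"{t} 198.51.100.7 GET /api/v1/customers/{100001 + i} 200 none")
    return lines


if __name__ == "__main__":
    result = analyse(build_sample_log())
    print("records served without authentication:", len(result["unauthenticated_success"]))
    print("clients enumerating customer ids:", result["enumeration"])
```

The first finding is the stronger signal: a single 200 response to a credential-less request on a record endpoint is a misconfiguration regardless of volume, and is exactly the condition the anonymous source describes for the test system. The distinct-ID threshold catches the scraping pattern even on an endpoint that does require a token, where a leaked or over-privileged credential is being used to walk the ID space; tune the window and threshold to the normal read rate of the legitimate front-end before alerting on it.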
The Minister of Cyber Security also suggested that Optus was negligent, threatening to respond decisively.
“What is of concern to us is how such a basic attack against Optus was done,” O’Neill said. “We should not have a telecommunications provider in this country, which has effectively left the window open for data of this nature to be stolen.”
O’Neill categorically denied Optus’ claim that the personal data breach was a sophisticated cyber attack.
Still, Optus’s CEO insists that the company was a frequent target of government and independent threat actors and that the “cyber attack” was nothing like they have seen before.
Meanwhile, Phillip Ivancic, APAC Head of Solutions Strategy at Synopsys, had nothing but good words to say about Optus’s response.
“From the little we know so far, it looks like the hardworking Optus IT Security teams should be commended for their swift actions,” Ivancic said. “The fact their CEO, Kelly Bayer Rosmarin, was able to provide initial details and a public statement seemingly within hours on a national public holiday means that Optus must have a well-established, and well-practiced, Incident Response Plan.”