Australian police probing unprecedented Optus breach
September 27, 2022
Australian police are investigating a data breach of telecom giant Optus after the purported hacker claimed to have released thousands of customers' personal data.
Optus, which Australia's second-biggest mobile operator, said last week that the personal information of up to 10 million customers including home addresses, drivers' licenses and passport numbers had been compromised. This makes it one of the country's biggest-ever data breaches.
An account called 'optusdata' in an online forum threatened to publish the data of 10,000 Optus customers per day unless they received $1 million (€1.04 million) in cryptocurrency. Some experts believe this user to be to be the hacker responsible for the data breach.
On Tuesday, the same account posted an update claiming they had deleted the data due to "too many eyes" viewing it — thereby making it less valuable to sell or ransom.
The user withdrew the $1 million ransom demand and said they were "very sorry" sorry for having already leaked data of 10,200 Australians. They also claimed to have deleted their only copy of the stolen data.
FBI to assist Australian police
The Australian Federal Police have been working with the American FBI and other organizations to investigate the data breach. They did not confirm wither the forum user 'optusdata' was in fact responsible for the hack.
"They're looking into every possibility and they're using the time available to see if they can track down that particular criminal and verify if they are bona fide," said Optus CEO Kelly Bayer Rosmarin.
Optus claims that its customers' data was encrypted with "multiple layers of protection." But the theory that Optus had a major vulnerability in its systems had been widely reported, according to The Australian Financial Review newspaper.
On Monday, Australia's Cybersecurity Minister Claire O'Neil said the breach was "quite a basic hack" and said Optus "effectively left the window open for data of this nature to be stolen."
Apology from hacker not enough
Amid the competing claims regarding the data breach, little information has actually been confirmed.
Jeremy Kirk, a cybersecurity expert who claims to have made contact with the hacker, said the purported hacker's claim on Tuesday that they had deleted the data was not an end to the matter.
"The Optus data has been stolen, and we can't trust this person," he wrote on Twitter. "No guard should be let down."
O'Neil said a potential $1.3 million (€876,000) fine under Australia's existing privacy laws was inadequate.
zc/dj (Reuters, AFP, AP)