Customers’ personal data stolen as Optus suffers massive cyber-attack

Personal information of potentially millions of customers exposed, including names, dates of birth, addresses, and contact details

Optus has suffered a massive cyber-attack, with the personal information of customers stolen, including names, dates of birth, addresses, and contact details.

The telco suffered the data breach when hackers, believed to be working for a criminal or state-sponsored organisation, accessed the sensitive information by breaking through the company’s firewall.

The Australian Cyber Security Centre is working with Optus to lock down its systems, secure any data against further breaches, and trace the attackers. The Australian federal police and the Office of the Australian Information Commissioner have also been notified.

Optus has 9.7 million subscribers, according to publicly available data, but the company said it was still assessing the size of the data breach.

The company confirmed information which may have been exposed included Optus customers’ names, dates of birth, phone numbers, email addresses and, for a cohort of customers, physical addresses and identification document numbers such as driving licence or passport numbers.

Optus said payment details and account passwords have not been compromised, and that services, including mobile phones and home internet, were not affected.

The company insisted voice calls had not been compromised, and that Optus services remained safe to use and operate.

“We are devastated to discover that we have been subject to a cyber-attack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” Optus chief executive Kelly Bayer Rosmarin said.

“As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.

“We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.

“Optus has also notified key financial institutions about this matter,” Bayer Rosmarin said.

“While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.”

Home affairs minister Clare O’Neil said the Australian Cyber Security Centre was providing cyber security advice and technical assistance to Optus, and that Australian companies and organisations were being consistently targeted for cyber-attacks by cybercriminals and hostile nations.

“The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) has seen broad targeting of Australians and Australian organisations, through rapid exploitation of technical vulnerabilities by state actors and cybercriminals seeking to exploit weaknesses and steal sensitive data.”

The Office of the Australian Information Commissioner issued a statement late on Thursday saying it was working with Optus “to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme”.

“Under the NDB scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved,” the OAIC said.

“The NDB scheme ensures individuals are informed and can take steps to protect themselves from any further risk. Following a breach, individuals need to be alert to any suspicious or unexpected activity on their personal accounts or devices.”



Contributor

Ben Doherty

The GuardianTramp
