Optus cyber-attack could involve customers dating back to 2017

CEO says company has not yet confirmed how many people were affected by hack, but 9.8 million was ‘worst case scenario’

Optus customers dating as far back as 2017 could be caught up in the massive hack of the telecommunications company’s database, CEO Kelly Bayer Rosmarin has revealed.

Bayer Rosmarin told reporters on Friday that the company is still not sure exactly how many customers had their personal information compromised in the attack, but that 9.8 million was the “worst case scenario”.

“We have reason to believe that the number is actually smaller than that. But we are working through reconstructing exactly what the attackers have received,” she said.

The personal information compromised in the attack included names, dates of birth, addresses, phone numbers and in some cases passport or driver’s licence numbers.

The intrusion is believed to have occurred through an exploitation of a vulnerability in an application programming interface (API), but Bayer Rosmarin would not confirm this, saying it was “the subject of criminal proceedings” and under the investigation of the Australian federal police and the Australian Cyber Security Centre.

Optus first became aware of the intrusion into its network on Wednesday, and alerted the media less than 24 hours after first shutting down the unauthorised access and ensuring there weren’t any other vulnerabilities, Bayer Rosmarin said.

“We have been working with Australian government cyber experts, privacy officials and regulators, and proactively reached out to the major financial institutions, our competitors and other businesses so that we could protect not only our own customers as much as possible, but all Australians,” she said.

Optus has relied on informing customers through the media, and has not yet informed individual customers directly because the company is yet to determine how many customers were affected.

Telecommunications companies are required under Australian law to verify the identities of their customers to prevent people registering burner phones, or from number porting – a growing method of attack to bypass two-factor authentications that use SMS codes. The data goes back to 2017 because Optus is required to keep identity verification records for six years.

Bayer Rosmarin said once Optus determines which customers are affected, all customers, even those not directly affected, will hear from the company.

There have been no ransom demands made, and Optus has not yet determined whether it was a criminal or state-actor attack on the company.

Bayer Rosmarin wouldn’t go into detail about how the attack occurred, citing the criminal investigation.

The IP addresses of the attacker “came out of various countries in Europe”, she said.

Brett Callow, a threat analyst, posted on Twitter that names and email addresses for 1.1 million Optus customers had been for sale online since 17 September. Bayer Rosmarin could not say whether that was true.

“One of the challenges when you go public with this sort of information is you can have lots of people claiming lots of things. So there is nothing that’s been validated and for sale that we’re aware of, but the teams are looking into every possibility.”

The CEO of the Singapore-owned telecommunications company said the whole country needed to respond to the attack together.

“We don’t yet know who these attackers are and what they want to do with this information, which is why we really need a team Australia response,” Bayer Rosmarin said.

She fought back tears when asked what it meant for this attack to happen on her watch.

“I’m angry that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it, and disappointed it undermines all the great work we’ve been doing to be a pioneer in this industry.

“And I’m very sorry and apologetic.”

Contributor

Josh Taylor

The GuardianTramp

Related Content

Article image
Customers’ personal data stolen as Optus suffers massive cyber-attack
Personal information of potentially millions of customers exposed, including names, dates of birth, addresses, and contact details

Ben Doherty

22, Sep, 2022 @5:14 AM

Article image
Optus cyber-attack leaves customers feeling ‘powerless’ over risk of identity theft
Account holders say they are ‘angry’ personal data including addresses and phone numbers was exposed while some say they are yet to hear from telco

Royce Kurmelovs

23, Sep, 2022 @10:12 AM

Article image
Optus cyber-attack: company opposed changes to privacy laws to give customers more rights over their data
In its submission to Privacy Act review telco said giving people right to erase personal data would involve ‘significant’ hurdles and costs

Josh Taylor

23, Sep, 2022 @8:00 PM

Article image
Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office
Optus CEO says federal police are ‘all over’ post with ultimatum demanding $1m within four days after massive data breach

Natasha May and Josh Taylor

27, Sep, 2022 @1:32 AM

Article image
Optus cyber-attack: how do you know if your identity has been stolen and what will happen to your data?
If you are an Optus customer, this is what you need to know

Josh Taylor

23, Sep, 2022 @8:00 PM

Article image
Anthony Albanese says ‘Optus should pay’ for new passports for data breach victims
Push comes day after states suggest telco will pick up multi-million dollar tab for replacing driver’s licences of affected customers

Josh Butler and Ben Butler

28, Sep, 2022 @9:57 AM

Article image
Staff at security firm G4S on alert after tax numbers and bank details posted online following hack
Exclusive: Ransomware attack on Port Phillip prison revealed in July led to data being posted in mid-September with staff told details this week

Josh Taylor

04, Oct, 2022 @4:30 PM

Article image
Optus data breach: Australians will be able to change their driver’s licence with telco to pay
Federal opposition wants commonwealth to allow people to get new passports for free too – and quickly

Natasha May

27, Sep, 2022 @10:27 AM

Article image
Optus faces potential class action and pledges free credit monitoring to data-breach customers
Home affairs minister Clare O’Neil says company to blame and flags new laws with large fines for such breaches

Josh Taylor

26, Sep, 2022 @6:27 AM

Article image
Home affairs cyber survey exposed personal data of participating firms
Shadow minister says leak of ‘sensitive’ information after research into the Optus and Medibank hacks was ‘deeply ironic’

Josh Taylor

24, Jul, 2023 @3:00 PM