Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office

Optus CEO says federal police are ‘all over’ post with ultimatum demanding $1m within four days after massive data breach

The chief executive of Optus, Kelly Bayer Rosmarin, says federal police are “all over” a post on an online forum which purported to have released 10,000 customer records from the recent data breach and threatened to release more until a $1m ransom is paid.

The post was later deleted, along with a claim the writer had deleted the data and would not sell it to anyone.

Rosmarin also told ABC radio the company’s massive security breach was “not as being portrayed”, after the minister for home affairs accused the company of leaving the “window open” for the data to be stolen.

On Monday night, the purported attacker released a text file of 10,000 records, promising to leak 10,000 each day for the next four days unless Optus pays them $1m.

The released records include email addresses from the Department of Defence and the Office of the Prime Minister and Cabinet.

On Tuesday morning, the purported attacker deleted the original post with the links to the data and apologised for attempting to sell the data. They claimed to have deleted their copy of the data.

“Too many eyes. We will not sale [sic] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy),” they said.

“Sorry too [sic] 10,200 Australian whos [sic] data was leaked.

“Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you.”

They apologised to Optus and said they would have reported the exploit if Optus had made it possible to report. They said no ransom had been paid.

Optus declined to comment, citing the AFP investigation.

The Optus attack has affected up to 10 million customers, including 2.8 million people who had their driving licence or passport number leaked.

The purported attacker said they had obtained the data through an opening Optus had left accessible in its network, and the company had not yet contacted them.

The Australian federal police has launched Operation Hurricane to work with overseas law enforcement authorities to determine who had obtained the data and was attempting to sell it.

Guardian Australia has verified the file contains records with people’s names, dates of birth, email addresses, phone numbers, postal addresses, and in some cases, licence numbers, passport numbers and Medicare card numbers.

The home affairs minister, Clare O’Neil, said on Tuesday she was “incredibly concerned” about Medicare numbers being included in the data.

“Medicare numbers were never advised to form part of compromised information from the breach,” she said.

“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them. Reports today make this a priority.”

There are approximately 20 state and federal government emails listed in the dump, including four from the Department of Defence, and one from the Department of the Prime Minister and Cabinet.

Asked about the claim, Rosmarin said the company had “seen that there is a post like that on the dark web and the Australian federal police is all over that”.

“They’re looking into every possibility and they’re using the time available to see if they can track down that particular criminal and verify [the claim].”

O’Neil told ABC’s 7.30 program on Monday evening: “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”

O’Neil described the hack as “basic”, contradicting Rosmarin’s description earlier last week as a “sophisticated attack”.

What happened at Optus wasn't a sophisticated attack.

We should not have a telecommunications provider in this country that has effectively left the window open for data of this nature to be stolen. #abc730 pic.twitter.com/KamkiapcZl

— Clare O'Neil MP (@ClareONeilMP) September 26, 2022

Asked about O’Neil’s comments on ABC radio Tuesday morning, Rosmarin thanked reporter Peter Ryan “for letting me address that misinformation”.

Rosmarin said O’Neil’s interview with the ABC occurred before Optus’s briefing with the minister.

Guardian Australia understands that O’Neil’s view that it was not a sophisticated cyber-attack has not changed.

Rosmarin said the breach was “not what it’s made out to be” because the data was encrypted and there were “multiple levels” of protection.

She said it was not the case of having an “exposed API [address] sitting out there”.

“We have had the Australian centre for cybersecurity scan our perimeter … we want to make sure the environment is secure,” Rosmarin said.

Bad news. The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn't give into the extortion demand. #OptusDataBreach #optushack #auspol #infosec pic.twitter.com/NuGe7Pup8l

— Jeremy Kirk (@Jeremy_Kirk) September 26, 2022

The ABC asked Rosmarin if the company could be sure the breach wasn’t the result of human error.

“We know this is the work of some bad actors and really, they are the villains in this story.”

However, she said if anything from the investigations “indicates Optus has made an error, we will take full accountability for that”.

Pressed on the harsher penalties that exist for companies in Europe, Rosmarin said: “I’m not sure what penalties benefit anybody. Optus is doing everything possible to be transparent and on the front foot. Our customers understand we are not the villains.”

She emphasised that much of the “data accessed is data already out there”.

Rosmarin indicated she will not be stepping down. “All we’re focused on is protecting our customers. Someone has to be accountable for doing that.”


Natasha May and Josh Taylor

The GuardianTramp
