AFP monitoring dark web for Optus details after major cyber attack

The AFP is monitoring the dark web as fears grow stolen Optus customer data is already being sold online.

The Australian Federal Police (AFP) is monitoring the dark web amid fears stolen Optus customer data is being sold on internet forums.

The telco on Thursday revealed it had been subjected to a massive cyber attack, which has put the data of up to 9.8 million current and former Optus customers at risk.

On Saturday, the AFP confirmed it was aware of reports “alleging stolen Optus customer data and credentials may be being sold through a number of forums”.

“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,” an AFP spokeswoman said.

“It is an offence to buy stolen credentials.

“Those who do face a penalty of up to 10 years’ imprisonment.”

However, an Optus spokeswoman said it would not comment on the legitimacy of customer data claimed to be held by third parties, as it works with the AFP and other authorities to find the “criminals” behind the cyber attack.

The news comes after it was revealed Optus argued against changing privacy laws to give Australians more rights over their data two years before losing the personal information of customers from as far back as 2017.

Optus chief executive officer Kelly Bayer Rosmarin has said she is “devastated” by the cyberattack. Picture: John Feder/The Australian.

The Singaporean-owned telco giant more than once opposed proposed changes to the Privacy Act that would have given customers the right to request their data be destroyed.

The Morrison government launched a review of the Privacy Act in 2020, proposing multiple reforms, including increasing users’ rights to take legal action against companies over data breaches.

In two submissions to the review, Optus argued the existing act was working well.

The company said Australian telcos didn’t need a “right to erasure”, a spin on Europe’s “right to be forgotten”, which gives people the right to ask organisations to delete their personal data.

“There are significant technical hurdles to implement this for most sectors of the economy and much more research needs to be conducted,” the company said in one submission.

“Optus submits that the compliance cost of an express right to erasure in the Privacy Act is likely to far exceed the benefits that flow from the right. There is insufficient evidence of a problem which would justify the costs.”

Optus said it didn’t “see any justification for changes to the existing Privacy Act”.

“We find that the processes are working reasonably well and have resulted in good outcomes for consumers and businesses,” the telco said in a submission.

“Optus is not of the opinion that there should be additional protections in relation to deidentified, anonymised and pseudonymised information.”

Optus took issue with what it called “over the top” providers — such as Facebook, Google and Apple — being exempt from adhering to separate telecommunications laws, arguing they had been given “favourable treatment” by the federal government.

Optus argued Australian-based telcos were already subject to “greater obligations” under these laws than they were under the Privacy Act.

The telco disclosed on Thursday afternoon it had been subjected to a massive cyberattack that had been detected on its systems on Wednesday.

Optus customers who have had data stolen in the massive cyberattack have been contacted via email (pictured). Picture: NCA NewsWire

Optus chief executive officer Kelly Bayer Rosmarin said as soon as the telco learned of the hack it took action to stop it and launched an investigation.

Speaking to reporters on Friday, Ms Rosmarin apologised to customers.

She said she was “devastated” by the attack, which compromised information including names, dates of birth, addresses, phone numbers and in some cases passport or driver’s licence numbers.

Ms Rosmarin said Optus believed the number of people who had data stolen was substantially lower than its “worst case scenario” of 9.8 million.

The amount of data stolen and the reason for the attack are not yet known, with the Australian Cyber Security Centre and the Australian Federal Police investigating.

An Optus spokeswoman on Saturday said Optus is contacting all customers to notify them of the cyber attack’s impact on their personal details.

More than 9 million customers may have been affected by a massive cyberattack on Optus last week. Picture: NCA NewsWire / Martin Ollman

“We will begin with customers whose ID document number may have been compromised, all of whom will be notified today,” she said.

“We will notify customers who have had no impacts last.”

She added Optus would not be sending links in SMS or emails.

“If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus,” she said.

“Please do not click on any links.

“We have been advised that our announcement of the attack is likely to trigger a number of claims and scams from criminals seeking to benefit financially, including through: phishing scams via calls, emails and SMS and offering illegitimate customer details for sale.

“Once again, we apologise.”

Optus has been contacted for comment as to whether it still opposes changes to Australia’s privacy laws.

The Attorney-General’s Department is expected to present the Albanese government with a final report from the review of the Privacy Act before the end of the year.

It is expected to result in new legislation.

Originally published as AFP monitoring dark web for Optus details after major cyber attack

Original URL: https://www.adelaidenow.com.au/technology/online/optus-opposed-giving-australians-more-rights-over-their-own-data-before-cyberattack/news-story/582533e616c28168bbb82bd6d191d30e