Optus hack: what you should do
The FBI will assist local agencies in investigating the Optus hack, as the hacker deletes original post with the links to the data. Here’s what you need to know.
The FBI will assist local crime-fighting agencies investigating the Optus hack, Attorney-General Mark Dreyfus has revealed.
“The Australian Federal Police is taking this very seriously with a large number of officers involved, working with other federal government agencies and state and territory police and with the FBI in the United States and with industry,” Mr Dreyfus said on Tuesday.
He advised Optus customers caught up in the hack to be vigilant about their cyber security, and to visit the Office of the Australian Information Commissioner for more information.
AFP Assistant Commissioner Cyber Command Justine Gough said the investigation was going to be “extremely complex and very lengthy” but the AFP specialised in investigations of this type.
“It is important the community knows the AFP and our partners are doing everything within scope to identify the offenders responsible, and to also ensure we can protect individuals who are now potentially vulnerable to identity theft,” Assistant Commissioner Gough said.
“We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities. Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them,” she said.
Assistant Commissioner Gough described cybercrime as the “break-and-enter of the 21st Century” and said this breach is “not the first and is unlikely to be the last”.
In a quickly evolving scenario on Tuesday, the dark net user “Optusdata” released the private records of 10,000 Optus customers, and threatened to continue to do the same for the next four days unless they were paid $US1 million ($A1.55 million) in the cryptocurrency Monero.
But several hours later the user appeared to backtrack completely, saying in a new post: “Too many eyes. We will not sale [sic] data to anyone. We can’t even if we want to [sic].”
“Ransom not payed [sic] but we don’t care any more. Was mistake to scrape publish data in first place,” the latest message read.
The message apologised to “10,2000 Australia [sic] whos [sic] data was leaked” and also offered “Deepest apology” to Optus.
“Hope all goes well from this,” the bizarre message stated.
The hacker later deleted the original post with the links to the data.
But Professor Matthew Warren, Director of the Centre for Cyber Security Research and Innovation at RMIT, said it was possible the user was “just trying to cause mischief online”.
“This profile just sort of appeared from nowhere and is claiming that he is responsible [for the hack],” Prof Warren said.
“We just have to wait and see how it plays out; I couldn’t see a cyber gang apologising for their behaviour because it’s contrary to the way that these gangs operate; they operate to generate income,” he said.
Other IT security experts have suggested the messages from “Optusdata” could constitute security threats in their own right, and shouldn’t be clicked.
After the publication of Optus customer information this morning, some users received an SMS from an unidentified source seeking payment and referencing a Commonwealth Bank account.
A spokesperson for the bank said the account had been identified and blocked, and they were working with the Australian Federal Police and other agencies “to limit the impact of any fraud and scams resulting from the events over the past few days”.
CBA was also communicating directly with its own customers advising them of how to keep their accounts safe, the spokesperson said.
What happened in the Optus cyber attack?
Last Thursday The Australian revealed the personal information of at least 9.8 million current and former Optus customers had been hacked, including names, dates of birth, passport numbers, Medicare numbers, drivers’ licence details and email addresses.
The telco said of the affected customers, 2.8 million had their identification details stolen – which includes things like passport numbers, drivers’ licence numbers and Medicare numbers.
On the weekend a person claiming to be the hacker using the handle “Optusdata” demanded the $US1 million ransom.
How many people are affected?
As of Tuesday, the records of 10,000 customers have been released.
In a ransom note released online, the supposed hackers said they “Will release 10,000 record every day for 4 day when they not pay”.
Optus claims 9.8 million customers had their information compromised, but according to a report in Bank Info Security, the hacker/s claim to have the information for 11.8 million people.
How do you know if you have been hacked?
The website Have I Been Pwned is a good resource to discover if your email address or phone number have been caught up in any data breaches.
What information was taken from Optus customers?
Optus has advised the hacked information may include customers’ names, dates of birth, phone numbers and email addresses, and some customers may have had their home addresses, driver's licence and passport numbers included. The telco giant said payment details and account passwords had not been compromised.
What information is already online after the hack occurred?
The hackers have so far released the data of 10,000 customers, including names, addresses, email addresses and Medicare numbers. Cross-referencing of some of the released information on haveibeenpwned.com suggests it is new data that has not previously been compromised.
The publication of personal information including Medicare numbers was incredibly concerning, said Home Affairs Minister Clare O’Neil.
Ms O’Neil said Optus “never advised” Medicare numbers were part of the compromised information from the breach.
“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them,” she said. “Reports today make this a priority.”
Ms O’Neil said she wanted to re-assure Australians the “full weight of cyber security capabilities” across government, including the Australian Signals Directorate, the Australian Cyber Security Centre and the Australian Federal Police were “working round the clock to respond to this breach”.
“I am incredibly concerned this morning about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom,” she said.
How did the hack occur?
Ms O’Neil told 7.30 on Monday that Optus “effectively left the window open for data of this nature to be stolen”.
According to the report in Bank Info Security, the hacker/s said they were able to perform the hack by using an Optus Application Programming Interface (API) that gave them access to customer information without even a log-in.
What does the Optus hacker want in exchange for the Optus data?
The hacker has posted a note online saying they want $US1 million ($A1.55 million), payable in cryptocurrency.
“We are businessmen. 1,000,000$US is a lot of money and will keep to our word. If you care about customer you will pay!,” the note from the purported hackers read.
Then in an apparent reference to the telco’s operating revenue, the note continued: “Revenue 9B$ dollar, 1M$US small price to pay!”
“If 1,000,000$US pay then data will be deleted from drive. Only 1 copy exist. Will not sale data too! Completely gone! 4 more days to decide Optus.”
The note then goes on to say the details of 10,000 customers will be released each day for the next four days if the ransom is not paid.
What have Optus customers been told?
Optus is contacting customers chiefly via email, but those whose license or passport numbers were compromised may have been contacted by SMS.
ID Care, Australia and New Zealand’s National Identity and Cyber Security Support Service, advises anybody contacted via SMS or phone call by a person claiming to be from Optus and asking them to verify personal details or billing information not to engage with them, but to contact Optus themselves.
The telco has advised that no email from them will contain a hyperlink, because of the risk of phishing scams.
What is Optus CEO’s position?
Optus Chief Executive Kelly Bayer Rosmarin has been slammed for not alerting customers quickly enough about the hack (she said the company only discovered it was “of a significant scope” late on Wednesday). Today host Karl Stefanovic said he was “flabbergasted” by the company’s tardiness, and their public relations are “as weak as it gets”.
Ms O’Neil turned up the heat on Optus on Monday, warning that in “other jurisdictions,” such a big data breach would “result in fines amounting to hundreds of millions of dollars”.
“The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” Ms O’Neil told parliament on Monday. “We expect Optus to continue to do everything they can to support their customers and former customers.”
What can Optus customers do right now to ensure they are protected?
The Australian Competition and Consumer Commission warned Optus customers to “take immediate steps” to secure all accounts, particularly financial institution accounts.
“You should also monitor for unusual activity on your accounts and watch out for contact by scammers,” the ACCC advised.
ID Care says they are unable to advise on a case-by-case basis how much of a customer’s personal information may have been hacked. The organisation advises remaining vigilant about scammers and organising multi-factor authentication for your accounts, wherever possible.
Prof Warren said it was a good idea to add two-factor authentication to any online banking or finance accounts, as well as pensions, social media and email. While that might seem onerous to some users, he said, some additional measures such as face scans and fingerprint identification were relatively easy.
ID Care has also advised the following:
• Scammers often impersonate government and businesses. Never respond to requests to provide personal and account information, or access to your device.
• Make sure you disconnect and make your own enquiries.
• Never click on any links that look suspicious or provide passwords, personal or financial information.
• Consider subscribing to www.scamwatch.gov.au for the latest information about scams impacting our community.
• Look out for any suspicious or unexpected activity across your online accounts and report any fraudulent activity immediately to your provider.
What can you do if your licence number has been hacked?
Depending on where you live there are different requirements and steps to change your driver's license number if you are worried it has been hacked.
For Victorians, the current rules surrounding license changes mean you can only apply for a new number if there is proof your existing number has been used in fraudulent activity.
You will not be eligible if your number has only been involved in the Optus data breach.
New South Wales residents can currently apply for a new license number if the security of their existing number has been compromised in a data breach. You will still need to obtain a police event number or a ReportCyber Receipt number.
NSW government’s digital minister Victor Dominello said he was working with Optus to introduce fast-tracked replacement ID documents for those impacted by the breach, but his advice for now is for customers with hacked data to apply as stated above.
If you have a Queensland license you can apply to replace your number either online or at the transport and motoring service centre.
The Queensland department of transport encourages customers worried about the security of their license number to refer to the Australian Cyber Security Centre.
Those who hold a Tasmanian drivers license and were involved in the data breach are able to visit Service Tasmania for further instructions on how to change their number.
The ACT have encouraged customers worried about their license numbers being compromised to contact Optus, stating on their website they are still working out how to proceed.
The Western Australian and Northern Territory departments of transport have not issued any updates regarding license number changes. The current requirements for replacing stolen numbers include visiting the service centre and submitting an application.
Those who obtain a police report number in Western Australia will have the fee removed.
What can customers do about their passport numbers?
Optus customers impacted by the cyber hack should be given new passports for free, the opposition says.
The Coalition has called on the Albanese Government to waive the fees and expedite the processing of new passports for Australians who had their personal data compromised in the massive data breach.
Opposition foreign affairs spokesman Simon Birmingham said it was not acceptable the Department of Foreign Affairs and Trade website was advising Australians they would have to replace their compromised passports at their own expense.
“This is not good enough and is extraordinary given in Question Time today the Minister for Foreign Affairs indicated there was merit in considering fee waivers and other assistance,” he said.
“Victims of the Optus cyber hack should not have to wait or pay significant amounts of fees to secure their personal information, and obtain a new passport.”
Mr Birmingham said while Optus “must take responsibility” for the breach, the government also had a responsibility to help Australians protect their personal information and security.
What has Optus offered to help Australian customers to protect their data?
Late on Monday, Optus announced it was offering “the most affected” current and former customers whose information was compromised a free 12-month subscription to a credit monitoring and identity protection service.
Optus would be contacting these “most affected customers” directly in coming days, the company said in a statement.
Prof Warren said the offer of the credit monitoring service was a “good first step” but Optus really had a duty of care to reach out to impacted customers.
Is there a class action for the Optus cyber attack?
Slater and Gordon is investigating a possible class action against Optus on behalf of current and former customers who have been affected by the unauthorised access to customer data announced by the company on September 22.
Class Actions Senior Associate Ben Zocco said that while the circumstances that led to the breach and the scope of customer data unlawfully obtained were yet to be confirmed by Optus, the consequences could potentially be significant for some customers, and the firm was assessing possible legal options for affected customers.
How do I register my interest in the Optus class action?
If you are or were an Optus customer who may have been affected and wish to register your interest in Slater and Gordon’s investigation, or for further information, go here.
How has the Optus hack turned into a criminal investigation?
The Australian Federal Police launched Operation Hurricane on Monday, saying it would work with the telco, the Defence Signals Directorate and international crime-fighting agencies to track down the perpetrators of the hack.
Online commentators have suggested the awkward wording of the hackers’ statements indicates they do not have English as a first language.