‘Too many eyes’: Optus hacker deletes data, apologises to customers; FBI joins probe
The anonymous hacker issues a ‘deepest apology to Optus’ and has seemingly deleted the stolen data; Attorney-General reveals the agencies investigating the cyberattack.
Business
Don't miss out on the headlines from Business. Followed categories will be added to My News.
The hacker purportedly behind the massive Optus data breach has seemingly deleted the stolen data and apologised to Optus customers, declaring “we will not sale data to anyone [sic].”
The user ‘Optusdata’ has removed their original post, on a popular online data breach forum, which called for Optus to pay a $US1m cyber ransom within seven days.
“Too many eyes. We will not sale data to anyone. We cant [sic] if we even want to: personally deleted data from drive (Only copy),” the user wrote on Tuesday. “Sorry too [sic] 10,200 Australian whos data was leaked.
“Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you.
“Deepest apology to Optus for this. Hope all goes well from this
“Optus if your [sic] reading we would have reported exploit if you had method to contact. No security mail, no bug bountys [sic], no way too [sic] message.
“Ransomware not payed [sic] but we dont [sic] care any more. Was mistake to scrape publish data in first place.
FBI among agencies called in
Attorney-General Mark Dreyfus says the FBI has been called in to help with the investigation into the data breach.
“The government, as well as the Australian Federal Police and other government agencies, are working closely together on the Optus data breach,” Mr Dreyfus said today.
“The Australian Federal Police is taking this very seriously with a large number of officers involved, working with other federal government agencies and state and territory police and with the FBI in the United States and with industry.
“I would also like to reinforce the message that has been given by the Privacy Commissioner publicly, which is that all Optus customers should be vigilant. Do not click on any links in a text message.
“Check all web site sources – just check that it is an official website before taking any future action.
“If you are unsure about why you are being asked to divulge private information, stop and verify who the person or organisation is that is making that request of you.
“To affected Optus customers, I can say that the Office of the Australian Information Commissioner web site has further advice. Please visit oaic.gov.au and follow the prompts.”
The user earlier on Tuesday had posted 10,000 customer records online – including Medicare numbers – as Optus chief executive Kelly Bayer Rosmarin defended her company’s actions, declaring “we are not the villains”.
The anonymous user going behind the name ‘Optusdata’, leaked the customer records after earlier asking for a $US1m cyber ransom from Optus. The hacker has reportedly stolen the drivers licence or passport numbers of some 2.8m Australians, and overall has 11.2m sensitive records, which they are threatening to sell to other cyber criminals.
“Only contact onsite! Optus if you wish to contact message onsite! We are businessmen 1.000.000$US is lot of money and will keep too our word. If you care about customer you will pay! Revenue 9B$ dollar, 1M$US small price to pay!,” the user wrote early on Tuesday.
“If 1.000.000$US pay then data will be deleted from drive. Only 1 copy exist. Will not sale data too. Completely gone!
“4 more day to decide Optus!
“Since they not payed yet here is 10.000 record from address file. Will release 10.000 record every day for 4 day when they not pay.”
The data, viewed by The Australian, contains data such as name, email address, physical address, passport number, driver’s licence number, date of birth, and whether they were a postpaid or prepaid subscriber, as well as in some cases Medicare numbers.
The data has been crosschecked with records in the ‘Have I Been Pwned’ database of hacked email addresses, and some of the email addresses have not previously been leaked, suggesting the records were legitimate.
Optus chief executive Kelly Bayer Rosmarin on Tuesday defended the company’s actions in the face of criticism from cyber security minister Clare O’Neil, saying “we are not the villains.”
Reports that the data was inadequately protected and open for the taking, reiterated in comments from cybersecurity minister Clare O’Neil on Monday, were inaccurate, Ms Bayer Rosmarin said.
“We definitely know this is the work of some bad actors, and really they are the villains in this story,” Ms Rosmarin said in an interview on Tuesday.
“It’s clearly not as simple as has been written in the press, but what I can say is our customer data is encrypted and there are multiple levels of security.”
In response to questions regarding European privacy laws, which expose telcos to millions in fines for similar breaches, Ms Bayer Rosmarin said: “I’m not sure how penalties would benefit anybody.
“The data that has been accessed was most likely out there already,” she said. “It’s a good reminder for people to be super vigilant.”
Ms Rosmarin continues to resist calls that she resign.
“I don’t think anyone is saying that,” she said. “I think in these situations you want someone to be focused on helping customers avoid any harm and that’s all I’m thinking about.”
She added that Optus would work to rebuild trust with its 11 million customers.
“I think we can only deal with the cards that are dealt us, and we are facing into this with accountability, honesty, and transparency,” she said. “Our teams are rallying and working really hard to support customers who understandably have questions. I think we’re operating with enormous integrity. And I think our customers will remember that we’ve done that.”
Optus has contacted customers whose identifying information — including passport and licence numbers — was stolen. It is now contacting those who had other information stolen, such as addresses and contact details, Ms Bayer Rosmarin added.
As The Australian reported on Monday law firm Slater and Gordon, which previously acted on behalf of thousands of asylum seekers who had their personal information leaked online in 2014, is investigating a class-action lawsuit and is encouraging any concerned Optus customers to register their interest in a lawsuit on its website.
“This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed,” Slater and Gordon senior associate Ben Zocco said.
The NSW Government is looking to reissue identity documents to those affected by the Optus hack. Digital Minister Victor Dominello announced he was working behind the scenes with Optus and other government agencies to fast track the reissuing of licenses to those affected by the breach.
“Behind the scenes the NSW Department of Customer Service, Transport for NSW, Cyber Security NSW, ID Support and Registry of Births Death and Marriages – are working with Optus to make the process of reissuing of NSW identity documents as seamless as possible,” he said.
“Customers who are notified by Optus that both their driver's licence number and their driver's licence card number have been compromised are strongly advised to apply for a replacement licence.”
Additional reporting: Joseph Lam.
More Coverage
Originally published as ‘Too many eyes’: Optus hacker deletes data, apologises to customers; FBI joins probe