The bombshell news broke yesterday that the telco had been hit by a major data breach, leaving customers’ personal information exposed.

On Friday morning, an emotional Optus CEO Kelly Bayer-Rosmarin said reports 9.8 million records dating back as far as 2017 may have been compromised was an “absolute worst case scenario”.

Stream more tech news live & on demand with Flash. 25+ news channels in 1 place. New to Flash? Try 1 month free. Offer ends 31 October, 2022 >

She confirmed that a crime gang or foreign state may have been behind the attack, which was first discovered on Wednesday, and said the hackers covered their tracks by moving their digital location markers across a string of different European nations.

“The IP address [used by the hackers] kept moving. It’s a sophisticated attack. Safe to say it comes out of various countries in Europe,” Ms Bayer-Rosmarin said.

Game of ‘pure deception’

Australian cybersecurity expert Ajay Unni, the CEO of cyber security services company StickmanCyber, told news.com.au the hackers had used a very common but clever technique to cover up their crime.

“No hacker is going to hack a system using their home IP address,” he said, adding that he was surprised that Ms Bayer-Rosmarin would have publicly mentioned the European link, as it in no way confirmed where the hackers were actually from.

“Hackers will obviously mask their IP address to get in and get out – no thief is going to tell you where they live; it’s the nature of any attack.

“Who knows if they are really from Europe? They could be from anywhere; it could be China masking the address.

“My heart goes out to Optus, but I can’t see the relevance of that statement (about Europe), because obviously hackers are going to mask their ID.”

However, Mr Unni said Optus might have internal intel proving the hackers were actually European, but added that the hackers’ identities wouldn’t fix things for the victims.

“It’s like when there’s a bombing, and people say they suspect it was ISIS – but your suspicion is just as good as my suspicion,” he said.

“Obviously there is a strategy behind it, there’s no doubt about it – they’re not just going to randomly pick a country and say ‘I’m attacking from here’, because why would they do that?

“It’s a game of pure deception, and they probably just want you to think they’re from Europe.”

Mr Unni said if the hackers weren’t actually from Europe, they were likely trying to use the invasion of Ukraine to their advantage, by implicating Russia.

“There’s a war going on in Europe – even a five-year-old should be able to figure it out,” he said. “The hackers might want people to think it was state-based and that Russia wanted to attack.

“The hackers would absolutely have a clear intent in pointing to a European IP address, to cause that next level of speculation.”

He said while changing IP addresses to mask real locations was easy for hackers, it was a sophisticated technique.

“For them it’s absolutely easy to change their IP addresses, but at the same time, there is technology supporting that, which you need to know how to configure and use, so it’s not child’s play,” he said.

Massive wake up call

Mr Unni said the Optus breach was a wake up call for Australia.

“As the complexity and frequency of cyber threats increase exponentially, it is extremely sad to see Australia under attack from cyber criminals who are finding success in exploiting vulnerabilities to gain unauthorised access to businesses and critical infrastructure,” he said.

“Telcos like Optus carry large amounts of information about their customers such as call patterns, incoming/outgoing phone numbers, data/internet usage and other forms of personal information that can be easily exploited.

“The data exposed can now be maliciously used to create fake identities or as a launch pad to further target users individually through spear-phishing campaigns. These campaigns will now be even more effective as cyber criminals have access to more information than just an email address.”

Mr Unni said better training was essential.

“While having technical defences is a step forward in terms of cybersecurity maturity, I cannot emphasise enough the importance of training and educating business users as people are always the weakest link when it comes to cybersecurity.

“Third party risk is another area that requires close attention as larger organisations are often infiltrated through their partnerships with external suppliers,” he said.

“The findings of the Australian Cyber Security Centre’s investigation into Optus’s data breach will reveal the true nature of the attack – whether it was the work of cyber criminals or a state-sponsored attack.

“Optus users need to remain vigilant of any email offering support due to this breach, even if the email appears to be from an authoritative or legitimate source. Optus customers need to do their due diligence when it comes to cyber hygiene and avoid clicking on any links in emails unless their legitimacy has been validated.”

Scandal grows

On Friday, it was revealed that Optus knew about the breach on Wednesday, though the company didn’t release an official statement until Thursday afternoon, after The Australian had already published an article about the cyber attack.

More Coverage

What to do if you’re an Optus customer

Anton Nilsson and Angie Raphael

Optus CEO holds back tears amid shock reveal

Ally Foster

“Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers,” the telco said in a statement at the time.

“Payment detail and account passwords have not been compromised.”

Furious customers have since taken to social media to blast Optus for they way the situation was handled, complaining of a lack of transparency and information from the firm.