Optus CEO makes emotional apology following cyberattack
Optus CEO Kelly Bayer Rosmarin has offered an emotional apology to customers after the telco was accused of “failing” its customers.
Furious Optus customers have lashed out at the telco after finding out about the major cyberattack through the media, rather than being told directly.
Now, it has been revealed that Optus knew about the breach on Wednesday, though they didn’t release an official statement until Thursday afternoon, after The Australian had already published an article about the cyberattack.
Optus confirmed the data breach in a statement on Thursday afternoon, with some nine million people reportedly impacted by the attack.
“Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers,” the telco said in a statement.
“Payment detail and account passwords have not been compromised.”
On Friday morning, Optus CEO Kelly Bayer Rosmarin said reports of 9.8 million records being compromised represented the “absolute worst case scenario”.
She described the situation as a “sophisticated attack”, saying she found out about the breach less than a day before the situation was made public.
“I found out about it less than 24 hours before we went live to the press,” Ms Bayer Rosmarin said.
“It was only late that night that we were able to determine that it was of a significant scope. I think that was sort of a late night call. And by 2pm the next day we had notified everybody and tried to get all our ducks in a row.”
Ms Bayer Rosmarin appeared to become emotional at the end of the press conference when asked about how she felt about the data breach.
“Obviously, I’m angry that there are people out there that want to do this to our customers,” she said, appearing to be on the verge of tears.
“I’m disappointed that it’s undermined all the great work we’ve been doing to be a pioneer in this industry as a real challenger creating new and wonderful experiences for our customers.”
Nearly 2.8 million customers had all of their details taken in the attack and about seven million had information like their dates of birth, email addresses and phone numbers taken by the hackers, The Australian reported.
Speaking to 2GB’s Ben Fordham, Optus Regulatory and Public Affairs Vice President Andrew Sheridan said he wanted to “directly apologise” to the affected customers.
“I think transparency in these situations is critical,” he said on Friday morning.
Fordham then questioned why it took so long for Optus to release a statement and why they only did so after the story had already been released.
“I can absolutely confirm that information did not go from Optus to The Australian, but in terms of using the media …” Mr Sheridan said, before he was cut off by the radio host.
“But hang on, it was known at Optus before The Australian put their story online. It’s not like you found out about it because you read The Australian newspaper,” he said.
“Absolutely Ben and we were preparing to issue a media release,” Mr Sheridan said, before Fordham cut in again and asked when Optus actually knew about the breach.
“We knew about the breach, sort of, late on Wednesday,” he responded.
“You knew about it on Wednesday. You didn’t reveal it on Wednesday, you didn’t reveal it on Thursday morning, you didn’t reveal it Thursday lunchtime,” Fordham said.
“It was only after The Australian newspaper splashed the story on their website that you put out a statement. If you are interested in protecting your customers, why didn’t you alert them the moment you were aware of this potential breach?”
Mr Sheridan claimed there were a “number of steps” that need to be taken in these situations, claiming Optus had actually acted “very, very quickly”.
“I’ve got to call you out Andrew, I don’t think you’ve acted quickly at all,” Fordham said.
The 2GB host claimed there have been many cases in the past where companies have notified customers of potential breaches straight away.
“You guys failed to do that,” he said.
When asked if Optus could guarantee that if this happened again they would alert customers immediately, Mr Sheridan said he couldn’t make that promise.
He said customers would be told “as soon as it is sensible to do so” in order to ensure they are being given accurate information.
Furious customers have taken to social media to blast Optus for the way the situation was handled.
“Checks emails. Nothing from Optus telling me about this,” Guardian audience editor Dave Earley said on Twitter.
“Terrible that customers are finding out via the media and not Optus,” another Twitter user said.
Another wrote: “It’s disgusting, you haven’t informed anyone about this data hack, not one email, only found today from news sources, not happy!”
Hey @optus communication to customers and advice would be handy. We are facing identity theft, yet you have communicated nothing.
— KB (@chdyctt) September 22, 2022
@Optus pathetic response from Optus about security breach. Found out on Wednesday that there was a breach but didn't tell their customers only after The Australian newspaper reported on it. Will be changing providers.
— Jason Fairleigh (@JasonFairleigh) September 22, 2022
‘Can’t say anyone is safe’: New warning
Delia Rickard, Deputy Chair of the Australian Competition and Consumer Commission (ACCC), has offered a fresh warning as the telco continues to reel from the attack.
Speaking to Nine’s Today, she warned that other telcos could also be vulnerable to similar security breaches.
“In this day and age cybercrime is huge and whilst most agencies are spending a fortune to protect themselves you can’t say that anyone is 100 per cent safe,” Ms Rickard said.
The breach is thought to have been launched through a weakness in Optus’ firewall and affects both current and former customers.
Ms Rickard said there are a number of things people can do to protect themselves if they are concerned their personal details may have been exposed.
Simple steps like enabling two-factor authentication on all banking and regularly checking your accounts to see if any unknown purchases have been made can help keep your details safe.
Ms Rickard also said people should be on the lookout for any contact from potential scammers.
“I think one of the really important things is when you are contacted by anyone that you are not expecting, whether they say they are the government, your bank, any identity at all, when you are dealing with people remotely you will never know who you are dealing with,” she said.
“Because the scammers have so much data about you they will know your name, they will know your age, they will be able to personalise scams and we know that when somebody calls you and has your name and a few details you are much more likely to trust them.
“So I think be highly sceptical as well.”
It is also possible to get a free credit reference check every three months which allows you to see if anyone has been applying for loans in your name.
Ms Rickard said this whole situation was “very concerning”.
Mystery surrounds hackers responsible for attack
It is still unclear who was responsible for the Optus attack, with officials continuing to search for the hackers involved.
Ms Bayer Rosmarin said Optus has received no ransomware demands so far and that the attack is the subject of criminal proceedings.
“We’re keeping it all open, it could be criminal, it could be state-based actors. We’re working closely with all the government authorities and the Australian Federal Police to look into it,” she said on Friday morning.
Former head of the Australian Cyber Security Centre Alastair MacGibbon believes the source of the breach was most likely a criminal group.
“They take information and then monetise our personal data,” he told Nine’s A Current Affair.
“The fact that Optus has come out so quickly is actually a significant benefit to us.
“This is pretty quick in cyber crime terms.”
Mr MacGibbon said organisations will sometimes spend weeks investigating a hack before they even notify the government.
Ms Bayer Rosmarin said the telco acted immediately to stop any further action after learning of the attack, and authorities had been called in to assist in investigating the source.
“We are very sorry and understand customers will be concerned,” she said.
“Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.
“Optus has also notified key financial institutions about this matter. While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.”
Optus has said its services were not affected in the breach and remain safe to use, with messages and voice calls not compromised.
Optus said it would send “proactive personal notifications” to customers they identify as having “heightened risk”, but says it will not send any links in emails or SMS messages.
The telco told customers to head to their website for information or to contact them with any concerns.
On Thursday, the Australian Federal Police said they had been notified of the incident but could not comment further.
The federal government has been made aware of the situation, with the Australian Cyber Security Centre providing security advice and technical assistance.
– with NCA NewsWire