Telstra and big bank reveal data breach hit more than 30k employees
One of Australia’s big four banks and another telco are dealing with their own cyber breaches just days after the Optus hack.
As millions deal with the repercussions of the Optus data breach, more companies have had the data of their employees leaked.
Telstra and NAB have had the names and email addresses of current and former employees accessed by hackers.
Up to 30,000 names and email addresses of past and present Telstra staff were uploaded to the same forum where the Optus breach was shared last week.
NAB says the data of its employees was accessed through a “third-party provider for an employee and member benefits program”.
“This is not a breach of NAB systems,” an NAB spokesperson said.
“None of our customers’ banking or financial information has been breached or compromised.
“The data released is five years old and is very basic, such as names and emails and we believe there is minimal risk.”
NAB has not had a “direct relationship” with the provider for “a number of years”, the spokesperson said.
A Telstra spokesperson confirmed that it was also the subject of a “third party provider” breach.
“It is not a Telstra data breach, it has nothing to do with our systems or networks.”
“The data contained which is staff names and email addresses is from 2017. It’s six years old.”
Telstra confirmed “It involves our employees, many of which no longer work for the company.”
“We’ve been made aware of a data breach affecting a third party that included limited Telstra employee information from 2017.”
“To be clear, it was not a breach of any Telstra systems. The data released is very basic in nature – limited to full names and email addresses used to sign up to the platform.”
“No customer account information was included. We believe it’s been made available now in an attempt to profit from the Optus breach.”
“The relevant authorities have been notified, we've let current employees know, and while the data is of minimal risk to former employees, we will attempt to notify them too.”
There is no private, personal information involved in the leak, as only first and last names and work email addresses of employees were shared.
It is understood that hackers are using a technique called data-scraping where old data is pulled together in the hopes that they can sell it as current data.
On Saturday, Telstra group executive for transformation, communications and people Alex Badenoch said the data was from a third party which had provided a rewards program for Telstra staff.
A total of 12,800 of the 30,000 people whose names were leaked were still employed by Telstra.
“We understand this may cause some anxiety to our people, particularly in the current climate of heightened awareness around cyber security,” Telstra said in a statement to staff.
“If you wish to find out more about the breach, or to find out if your email address was exposed, please contact our cyber team … In the meantime, we remind you as always to remain vigilant about any unexpected communications.”
Telstra is reportedly working with the third party to determine the cause of the breach.
It comes after millions of Australians had their personal information – including full names, addresses, passports and driver's licenses – accessed in the broad-ranging breach of the Optus database last week.
About 9.8 million people had information such as dates of birth, email addresses and phone numbers taken by the hackers.
The breach has affected current and former customers of Optus.
Around the country, people are lining up to change their personal information, including driver's license and passport numbers.
The breach is reportedly affecting every government department.
Although the breach was initially said to be a “sophisticated attack”, Optus is facing backlash over speculation the breach allowed hackers to “opportunistically steal the information”.
On Monday, the telco announced it had employed Deloitte to conduct a review into its cyber security and processes.
CEO Kelly Bayer Rosmarin said the telco acted immediately to stop any further action after learning of the attack, and authorities had been called in to assist in investigating the source.
“We are very sorry and understand customers will be concerned,” she said.
Optus said it would send “proactive personal notifications” to customers it identifies as having “heightened risk”, but says it will not send any links in emails or SMS messages.
The telco told customers to head to its website for information or to contact it with any concerns.
Optus customers who may have had their data stolen are urged to:
- Be careful of possible scam calls;
- Consider strengthening password and other online security measures; and
- Be on the lookout for more information from Optus in the coming days.