This was published 2 years ago

Optus boss digs in over cyberattack as government fury grows

By Nick Bonyhady and Matthew Knott

The Albanese government has escalated its attacks on Optus over the company’s massive data breach, demanding to know why customers were not informed their Medicare numbers may have been accessed as part of the cyberattack that hit almost 10 million accounts.

The confrontation between the government and the telco followed an incident in which someone claiming to be the hacker released unverified details of 10,000 customers online but then withdrew demands that Optus pay $1.55 million to prevent the release of more customer data.

Optus’ chief executive has vowed to stay on to lead the response to the hack. Credit: Cole Bennetts

The purported hacker claimed they were attracting too much attention and had deleted the data as authorities including the Federal Bureau of Investigation (FBI) in the United States joined the Australian Federal Police’s probe into the hack’s origins.

“Deepest apology to Optus for this,” the anonymous poster said in a claim that prompted Optus to confirm it had not paid a ransom.

Pressure is growing on Optus boss Kelly Bayer Rosmarin, with opposition cybersecurity spokesman James Paterson calling on her to resign if the company’s defence of its security practices turns out to be misleading.

“The federal government and Optus must publicly clarify the facts about this hack, because if the Optus CEO has misled the public about sophistication of the attack, or the encryption of the data or its protection, as the Minister has implied in her comments, then Ms Bayer Rosmarin’s position is clearly untenable,” Paterson said.

Optus chief executive Kelly Bayer Rosmarin has refused to resign over the hack.

Bayer Rosmarin vowed to stay on in her job despite the attack, insisting the company was not a “villain” and rejecting the government’s accusations the company left itself open to a “quite basic” hack.

Clare O’Neil, the minister responsible for cybersecurity, doubled down on her criticisms of Optus, saying she was very concerned about reports that Medicare numbers were included in the hack.

“Medicare numbers were never advised to form part of compromised information from the breach,” O’Neil said in a statement. She said Optus should tell consumers exactly what personal information had been stolen from their accounts as a priority.

Optus customers were informed following the attack that ID document numbers had been compromised but driver’s licences and passports were given as examples, not Medicare.

Bayer Rosmarin said there was “misinformation” about her company’s cybersecurity but did not deny that personal customer information was accessed through an application program interface — a common way for computers to exchange information.

“Our data was encrypted and we have multiple layers of protection,” Bayer Rosmarin said on Tuesday morning. “So it’s not the case of having some completely exposed API sitting out there.”

O’Neil said on Monday night that Optus had “effectively left the window open for data of this nature to be stolen”, flagging bigger fines for data breaches, tougher laws on telecommunications companies and reforms to consumer information rules.

James Paterson, the opposition spokesman for cybersecurity, said he agreed with O’Neil that it was not a sophisticated cyberattack. Responding to enquiries from Paterson, Foreign Minister Penny Wong told the Senate the government would consider whether to waive fees for new passport applications for Optus customers affected by the hack.

Attorney-General Mark Dreyfus revealed the FBI, America’s principal law enforcement agency, was assisting the AFP in Operation Hurricane, its investigation into who was behind the attack.

Bayer Rosmarin argued Optus should not be seen as the wrongdoer and was doing everything it could to help customers. “We are not the villains,” she said. But she pushed back against the introduction of major new fines for companies that allow data to be breached while also saying Optus would take “full responsibility” if investigations found it had made an error.

“I’m not sure what penalties benefit anybody,” Bayer Rosmarin said.

Asked whether she would take responsibility for the hack occurring on her watch and resign, Bayer Rosmarin said: “All we’re focussed on is protecting our customers. So, someone has to be accountable for doing that and that’s exactly what I’m focussed on.”

Optus’ customers have been left fuming by the company’s response, with many complaining of contradictory information from the company and difficulties replacing driver’s licences.

The personal records of 10,000 Optus customers have been released, according to an apparent extortionist. Credit: Justin McManus

In a post overnight by someone claiming to be the hacker behind the breach, the extortionist warned that 10,000 more records would be released each day over four days unless Optus paid a $1.55 million cryptocurrency ransom. That demand does not rank among the largest threatened by cyber criminals but is not among the lowest either.

On Tuesday morning, the purported hacker abruptly reversed course, saying: “Too many eyes. We will not sale [sic] data to anyone. We can’t even if we want to: personally deleted data from drive (only copy).”

An Optus spokesman said “we didn’t pay” after speculation the company may have transferred a ransom.

The veracity of the posts from the purported hacker has not been confirmed.

Optus has stressed, as has the AFP, that investigations are ongoing, limiting what it can say. The recent hack has affected up to 9.8 million Australians, with 2.8 million having extensive data taken, including personal document identification numbers.


Original URL: https://www.theage.com.au/link/follow-20170101-p5bl7x