Optus chief Kelly Bayer Rosmarin apologises for massive hack that could date to 2017
Optus chief Kelly Bayer Rosmarin says European-based hackers could have customer details from as far back as 2017.
Optus chief executive Kelly Bayer Rosmarin has delivered an emotional apology for the company’s data breach which has affected up to nine million of the telco’s customers.
Fronting the media on Friday, Bayer Rosmarin was on the verge of tears when asked how she feels about the data breach occurring under her leadership.
It is understood personal details dating back to 2017, and with possible links to Europe, may have been accessed in the hacking attack.
“[I feel] terrible,” Ms Bayer Rosmarin told reporters.
“It’s a mix of emotions. Obviously, I’m angry, that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer in this industry and really trying to create new and wonderful experiences for our customers.
“And I’m very sorry, and it should not have happened.”
As The Australian first reported on Thursday, Optus customers face a heightened risk of identity theft and online scams after the personal information of almost 10 million of the telco’s users was compromised in one of the nation’s biggest-ever data breaches.
The nation’s top cyber spies at the Australian Signals Directorate are working with Optus to trace the perpetrators of the devastating cyber attack, which exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers. A further seven million Optus users had their dates of birth, email addresses and phone numbers stolen.
The company has hosed down speculation the hack was due to human error by an employee, describing that claim as inaccurate.
The attack, discovered on Wednesday night, comes just days ahead of a visit to Australia by the entire board of Optus parent company Singtel.
It’s understood hackers exploited a weakness in Optus’s firewall. Sources said it remained unclear whether the attack was by a criminal or state-based hacking group.
It’s understood that some Optus phone numbers have been sold online via the dark web, as early as a week ago.
Ms Bayer Rosmarin said that customers who were with the telco as far back as 2017 have been impacted, though the company would not disclose details of how the hack occurred.
“The exact mechanics are subject to a criminal investigation and we won’t be divulging that,” she said.
“Without saying too much, the IP address [of the hackers] kept moving. It’s a sophisticated attack. Safe to say it comes out of various countries in Europe, and in terms of the customer data, I think it dates back to 2017.”
The company has turned off online SIM swaps and replacements, instead requiring customers to physically visit an Optus retail store with a relevant ID.
“We are in the process of contacting customers who have been directly impacted,” the company said in a statement on its website.
“If you believe your account has been compromised, you can contact us via My Optus App – which remains the safest way to contact Optus or call us on 133 937 for consumer customers. Due to the impact of the cyberattack, wait times may be longer than usual.
“If you are a business customer, contact us on 133 343 or your account manager.”
PwC partner Rob Di Pietro, who leads the firm’s cybersecurity and digital trust unit, said in an interview that the Optus hack would serve as a wake-up call for many Australian companies, and a reminder of the significant threats posed by hackers.
“With attacks of this nature, where large amounts of personal information are stolen or compromised, the identities could then be sold on the black market, which leads to the risk of identity fraud,” he said.
“Another option will be for the attackers to start approaching impacted individuals with the information they have, to try elicit further information such as financial details. These are things that affected customers should potentially be on the lookout for.”