Optus faces potential class action lawsuit following massive data breach

Optus is in the sights of Slater and Gordon with the law firm considering legal action over the cyber attack which has left millions of the telco’s customers exposed and furious.

The Optus hack is believed to have affected more than nine million Australians. Picture: NCA NewsWire / John Gass

Australia’s second largest telco Optus is facing a potential class action lawsuit following last week’s massive data breach, with law firm Slater and Gordon assessing legal options for the estimated 10 million affected customers.

Slater and Gordon, which previously acted on behalf of thousands of asylum seekers who had their personal information leaked online in 2014, is encouraging any concerned Optus customers to register their interest in a lawsuit on its website.

“This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed,” Slater and Gordon senior associate Ben Zocco said.

“We consider that the consequences could be particularly serious for vulnerable members of society, such as domestic violence survivors, victims of stalking and other threatening behaviour, and people who are seeking or have previously sought asylum in Australia.

“Given the type of information that has been reportedly disclosed, these people can’t simply heed Optus’ advice to be on the lookout for scam emails and text messages. Very real risks are created by the disclosure of their personally identifiable information, such as addresses and phone numbers.”

Mr Zocco said the fact that some customers appear to have had identification information such as drivers’ licence and passport numbers disclosed is extremely concerning.

“This information alone would go a long way in allowing a criminal to steal an affected customer’s identity,” he said.

“We are continuing to explore potential legal avenues for affected customers. In the meantime, we encourage anybody who may have been affected by the data breach to register their interest in Slater and Gordon’s investigation on our website, and to otherwise remain vigilant and look out for suspicious account activity or contact by email, SMS and phone.”

Optus on Monday announced it will pay for a credit monitoring service for affected customers, amid concerns that criminals could gain unauthorised access to bank customers’ accounts, or open bogus accounts for criminal purposes.

“Optus is offering the most affected current and former customers whose information was compromised because of a cyberattack, the option to take up a 12-month subscription to Equifax Protect at no cost. Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft. No passwords or financial details have been compromised,” a spokeswoman said.

“The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost. Please note that no communications from Optus relating to this incident will include any links as we recognise there are criminals who will be using this incident to conduct phishing scams.”

As The Australian reported on Monday a hacker claiming to be behind the data breach has demanded $1m in cryptocurrency to avoid the sensitive data being leaked on to the dark web.

An anonymous person using the nickname Optusdata published two samples of alleged Optus customer information on data leak website BreachForums, declaring that Optus could prevent the sale of the data to cyber criminals if it paid $1m in the cryptocurrency Monero.

The purported hacker said Optus had one week to pay the cyber ransom. “Optus if you are reading! Price for us to not sale (sic) data is 1.000.000$US! We give you 1 week to decide,” the user wrote.

“Buyers, price for users data 150.000$US. Price for addresses data 200.000$US. Together 300.000$US. Exclusive sale cost 1.000.000$US total. No sale will be made for 1 week until Optus reply.”

Some users responded to the post, saying they were interested in purchasing the data.

The data samples, viewed by The Australian, contained about 100 records and included fields such as name, email address, physical address, passport number, driver’s licence number, date of birth, and whether they were a postpaid or prepaid subscriber.

Optus CEO Kelly Bayer Rosmarin was apologetic for the data breach when she fronted a press conference on September 23.

Cyber security researcher Jeremy Kirk, who first reported the extortion attempt, said he had verified some of the information by speaking to a neighbour caught up in the hack.

The Australian Federal Police said it was aware of reports “alleging stolen Optus customer data and credentials may be being sold through a number of forums”.

“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,” a spokeswoman said.

“It is an offence to buy stolen credentials.

“Those who do face a penalty of up to 10 years’ imprisonment.”

The Australian first reported the cyber attack, which has led to calls for changes to Australia’s cyber security laws.

Home Affairs Minister Clare O’Neil, who met Australian Signals Directorate officials at the weekend, is working on changes to require that banks and other financial institutions be informed immediately about significant data breaches affecting their customers.

Prime Minister Anthony Albanese describes the Optus cyber attack as a “wake-up call” for the private sector in data security. Picture: Monique Harmer

Prime Minister Anthony Albanese said on Monday the Optus hack affecting 9.8 million Australians is a “huge wake-up call for the corporate sector in terms of protecting the data which is there” and that the government would aim to push through changes to privacy laws.

“We want to make sure as well that we change some of the privacy provisions as well so that, if people are caught up in these, the banks can be let know,” Mr Albanese told 4BC radio. “We know that in today’s world there are actors, some state actors but also criminal organisations, that want to get hold of people’s data.”

Opposition home affairs spokeswoman Karen Andrews on Monday warned that Australian companies did not take cyber security seriously enough and pushed for an increase in penalties for ransomware attacks and the ability for authorities to go after the cryptocurrency assets of cyber criminals.

Additional reporting: Ben Packham.

Original URL: https://www.theaustralian.com.au/business/technology/optus-says-it-has-contacted-all-customers-affected-by-the-cyber-attack/news-story/84c3e1278697e4a3012c62af8a7f9e27