Millions at risk in massive Optus data breach
Optus customers face a heightened risk of identity theft and online scams after the personal information of almost 10 million of the telco’s users was compromised in one of the nation’s biggest-ever data breaches.
The nation’s top cyber spies at the Australian Signals Directorate are working with Optus to trace the perpetrators of the devastating cyber attack, which exposed the passport numbers, driver’s licence numbers, phone numbers, email and home addresses and dates of birth of 2.8 million customers.
A further seven million Optus users had their dates of birth, email addresses and phone numbers stolen.
Optus chief executive Kelly Bayer Rosmarin apologised to the telco’s 10 million customers, describing the cyber breach as “absolutely devastating”.
The attack, discovered on Wednesday night and revealed publicly by The Australian on Thursday, comes just days ahead of a visit to Australia by the entire board of Optus parent company Singtel.
It’s understood hackers exploited a weakness in Optus’s firewall. Sources said it remained unclear whether the attack was by a criminal or state-based hacking group.
Cyber security experts warned Optus customers to exercise caution as there was a high risk their data would be sold on the dark web to criminals seeking to obtain credit in their name.
Scammers were likely to use the breach to trick Optus customers into providing information they would otherwise not disclose, CyberCX chief strategy officer Alastair MacGibbon said.
“Certainly if you're an Optus customer now you need to be extra careful about people claiming either to be Optus trying to help you out, or the police,” Mr MacGibbon said.
“Of course, the more documentation and information you have on a person, the more you can mimic that person to steal their identity and obtain credit or other things in that person's name.”
“You're going to see scams carried out either by criminals who will have very accurate information, or by criminals who are now piling in on this event in order to be able to carry out their scams.”
Ms Bayer Rosmarin said the company was investigating the incident and had notified regulators and the Australian Federal Police. It’s understood Optus has not received any ransom demand.
“We were able to notice and stop them but not fast enough. I just want to apologise to all of our customers and all of our people. This is not what we expect of ourselves,” she said.
“As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.”
She said while customers’ personal information was exposed, payment details and account passwords had not been compromised. Optus uses customers’ passport information and driver’s licences to conduct credit checks.
It will reach out to “customers believed to have heightened risk”, and is encouraging customers with concerns to make contact via the My Optus app.
“Optus has also notified key financial institutions … While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” Ms Bayer Rosmarin said.
A spokesman for Cyber Security Minister Clare O’Neil said ASD’s Australian Cyber Security Centre was providing advice and technical assistance to Optus.
He said Australians and Australian organisations were being broadly targeted by cyber criminals and state-based actors seeking to steal sensitive data, through the “rapid exploitation of technical vulnerabilities”.
Opposition cyber security spokesman James Paterson said the breach was “very concerning”. “It is important to understand how this happened, who the attacker is, what mitigations can be made, and what changes are necessary to prevent it from recurring,” Senator Paterson said.
The Office of the Australian Information Commissioner said it had been made aware of the data breach and would work with Optus to ensure compliance with the requirements of the Notifiable Data Breaches scheme.
“Under the NDB scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved,” the OAIC said.
The breach is believed to be the biggest involving specifically Australian consumer data. However, major Australian companies with global user bases have also fallen victim to massive data breaches.
Australian graphic design platform Canva was hit by a cyber attack in May 2019 that saw the data of 137 million of its global users exposed, while a December 2020 hack on Australian “internet of things” company Ubiquiti Networks affected up to 85 million users.