Scramble to thwart further data theft after Optus hack

New measures will be introduced to rapidly inform financial institutions of major data breaches.

Last week’s Optus hack affected some 9.8 million Australians. Picture: NCA NewsWire / John Gass

New measures will be introduced to rapidly inform financial institutions of major data breaches to prevent customer accounts from being unlawfully accessed after last week’s Optus hack affecting some 9.8 million Australians.

Privacy laws prevent banks from being told when customer information has been stolen from other service providers, limiting their ability to take extra precautions to protect accounts.

Home Affairs Minister Clare O’Neil. Picture: Pradeep Pathirana

Home Affairs Minister Clare O’Neil, who met Australian Signals Directorate officials at the weekend, is working on changes to require that banks and other financial institutions be informed immediately about significant data breaches affecting their customers.

Information stolen in the Optus hack did not include bank details, but the number of Australians caught up in the data breach raises the possibility that criminals could gain unauthorised access to bank customers’ accounts, or open bogus accounts for criminal purposes.

As the nation’s cybersecurity authorities work to trace those responsible, a hacker claiming to be behind the data breach demanded $1m in cryptocurrency to avoid the sensitive data being leaked on to the dark web.

An anonymous person using the nickname Optusdata published two samples of alleged Optus customer information on data leak website BreachForums, declaring that Optus could prevent the sale of the data to cyber criminals if it paid $1m in the cryptocurrency Monero.

The purported hacker said Optus had one week to pay the cyber ransom. “Optus if you are reading! Price for us to not sale (sic) data is 1.000.000$US! We give you 1 week to decide,” the user wrote.

“Buyers, price for users data 150.000$US. Price for addresses data 200.000$US. Together 300.000$US. Exclusive sale cost 1.000.000$US total. No sale will be made for 1 week until Optus reply.”

Some users responded to the post, saying they were interested in purchasing the data.

The data samples, viewed by The Australian, contained about 100 records and included fields such as name, email address, physical address, passport number, driver’s licence number, date of birth, and whether they were a postpaid or prepaid subscriber.

Cyber security researcher Jeremy Kirk, who first reported the extortion attempt, said he had verified some of the information by speaking to a neighbour caught up in the hack.

The Australian Federal Police said it was aware of reports “alleging stolen Optus customer data and credentials may be being sold through a number of forums”.

“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,” a spokeswoman said.

“It is an offence to buy stolen credentials.

“Those who do face a penalty of up to 10 years’ imprisonment.”

An Optus spokeswoman said: “Given the investigation, Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings. Once again, we apologise. We will provide further updates as new information comes to hand.”

Optus chief executive Kelly Bayer Rosmarin on Friday said the company believed the number of people whose data had been stolen was substantially lower than its “worst-case scenario” of 9.8 million.

She said at the time, the company had not received any demands to pay a cyber ransom.

Optus late on Friday began contacting affected customers via email, addressed as an “urgent update from Optus about your personal information” from Ms Rosmarin.

“Importantly, no financial information or passwords have been accessed,” the email said. “The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as driver’s licence number or passport number. No copies of photo IDs have been affected.”

The email said Optus was “currently not aware of customers having suffered any harm” but offered a checklist for people to follow to protect themselves.

This included suggestions to “look out for suspicious or unexpected activity across online accounts, including your bank accounts” and to “never click on links that look suspicious”.

It was also revealed at the weekend that Optus had argued in 2021 against changing Australian privacy laws to give users more control over their data, making the case in two submissions that the existing Privacy Act was working well.

The company said Australian telcos didn’t need a “right to erasure” – which would have allowed Australian customers to request their data to be destroyed – and such a proposal would bring “substantial compliance costs and place a further drag on innovation and limit the benefits of digitalisation.”

Australian Strategic Policy Institute researcher Fergus Hanson said there should be consequences for companies found to have been deficient in protecting consumers’ data.

Additional reporting: NCA Newswire

Original URL: https://www.theaustralian.com.au/nation/scramble-to-thwart-further-data-theft-after-optus-hack/news-story/313ebf292fde6889abdc3996a5f0dace