NewsBite

Trusted Optus with your personal data? They may soon be reprimanded

Optus could be hit with a multi-million dollar fine, as an investigation into the company's data handling begins. 

Passport numbers, licence numbers, dates of birth and phone numbers were all exposed.

Optus could be slapped with a $2.2m fine following an investigation scrutinising the telco's handling of customer data, as authorities determine whether the company met critical requirements for fraud prevention. 

The investigation, undertaken by Commissioner Angelene Falk from the Office of the Australian Information Commissioner (OAIC), will determine whether Optus' handling of consumer data complied with the Australian Privacy Principles.

“The OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business,” a statement from the OAIC read.

“The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles (APPs), including enabling them to deal with related inquiries or complaints.”

The OAIC investigation will be co-ordinated with a second investigation by the Australian Communications and Media Authority (ACMA).

“When customers entrust their personal information to their telecommunications provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved,” ACMA chair Nerida O'Loughlin said.

"All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations.

"We look forward to full cooperation from Optus in this investigation.”

The Optus hack, first reported by this newspaper more than two weeks ago, saw the personal information of nearly 10m Australians exposed by a hacker who later claimed to have deleted the data after publishing the records of 10,000 people online. The hacker’s initial demand was $1.5m in the cryptocurrency Monero.

The scams have already begun

Victims of the Optus breach have already reported messages from suspicious phone numbers demanding that they transfer large sums of money into unverified bank accounts.

One customer on Tuesday reported a text message from a hacker demanding $2000 be paid into a CommBank account, with threats their data would be sold for "fraudulent activity within 2 days".

CommBank in response tweeted "We are aware of the SMS. We have identified and blocked this account. We continue to work closely with the AFP and other investigative government and regulatory authorities to limit the impact of any fraud and scams resulting from the events over the past few days."


FBI called in

The FBI has been called in to help with the investigation into the data breach, Attorney-General Mark Dreyfus said on Tuesday afternoon.

“The government, as well as the Australian Federal Police and other government agencies, are working closely together on the Optus data breach,” he said.

“The Australian Federal Police is taking this very seriously with a large number of officers involved, working with other federal government agencies and state and territory police and with the FBI in the United States and with industry.

“I would also like to reinforce the message that has been given by the Privacy Commissioner publicly, which is that all Optus customers should be vigilant. Do not click on any links in a text message.

“Check all web site sources – just check that it is an official website before taking any future action.

“If you are unsure about why you are being asked to divulge private information, stop and verify who the person or organisation is that is making that request of you.

“To affected Optus customers, I can say that the Office of the Australian Information Commissioner web site has further advice. Please visit oaic.gov.au and follow the prompts.”

Hacker backs out of threat

"Too many eyes," the post reads. "We will not sale data (sic) to anyone. We can't even if we wanted to: personally deleted data from drive (only copy)... Ransom not paid but we don't care any more. Was mistake to scrape publish data in first place."

The details of the 10,000 Optus customers were released following the telco's massive data breach last week, and the alleged hacker previously said they would continue to release contacts if Optus did not meet their demands. 

The people behind the breach released the details, including passport and driving licence numbers, dates of birth and home addresses, and threatened to release the same number of records every day for the next four days until a ransom of $1.5m was paid.

Cyber security researcher and writer Jeremy Kirk from ISMG Corp, who claims to have been in contact with the alleged hacker, tweeted the "bad news" on Tuesday.

“The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn’t give into the extortion demand,” he wrote on Twitter.

Mr Kirk shared a screenshot of a message allegedly written by the hacker, in which the person demanded Optus only contact them online.

“We are businessmen 1.000.000$US is a lot of money and will keep too (sic) our word,” the message read.

The payment must be made in Monero, the alleged cybercriminal said; Monero is a cryptocurrency designed to obscure the sender, recipient and amount of each transaction, which makes tracing the recipient far harder than with Bitcoin.

The government's response

Optus chief executive Kelly Bayer Rosmarin on Tuesday defended the company's actions in the wake of the breach, saying "we are not the villains."

"We definitely know this is the work of some bad actors, and really they are the villains in this story," Bayer Rosmarin told ABC Radio on Tuesday.

"Of course we will investigate what happened… If something comes out that Optus has made an error or did something wrong, we will be accountable for that."

However, the government is furious with Optus over its loss of 9.8m customer records, seeing the incident as a major corporate failure and an urgent warning sign that tougher penalties are required. Cybersecurity minister Clare O'Neil on Monday claimed the data was inadequately protected and open for the taking, but Bayer Rosmarin said that was not the case. 

"It is not what is being portrayed," she said. "Our data was encrypted and we have multiple layers of protection."

Bayer Rosmarin continues to resist calls that she resign. She is staying on to ensure affected customers are looked after, she said.

The Australian Signals Directorate is now working with Optus to lock down its systems and catch the culprits.

What should Optus customers do?

Bayer Rosmarin warned Optus customers to "be vigilant", as she fronted the media a day after revealing the massive cyber attack.

“Unfortunately, because this is not the most vulnerable information like financial detail and passwords, we don’t have a simple message of ‘just change your password’,” Bayer Rosmarin told an online press conference on Friday.

“Really what customers can do is just be vigilant. If they receive a notification that a password has been changed on one of their online services or their bank, and they did not initiate that, then assume that they need to report that and get on top of it straightaway.

“So it really is increased vigilance, and just being alert to any activity that seems suspicious or odd or out of the ordinary.”

Bayer Rosmarin said that Optus is currently receiving increased reports of users being asked to share their passwords over the phone.

“If somebody calls you and says they want to connect to your computer and give them your password, say no, don’t allow that to occur,” she said. “We know that was already occurring before so it might not be related, but it’s a good reminder to people not to fall for that one.

“Also, in terms of contacting our customers, we have not been very specific and prescriptive about how we’re doing that specifically for the reason that we do not want to give people the opportunity to get out in front of us with a phishing attack. We will be contacting our customers, we won’t be telling you exactly how we’re doing that, except to say that we will not be sending any links in SMS and email messages.”

Customers can also go to haveibeenpwned.com to check whether their work and personal email addresses have appeared in known breaches.

Chair of cyber security at the University of Queensland, Ryan Ko, said this is an alarming breach because there isn't much consumers can do: services like the ones Optus provides require identities to be verified.

"When you sign up you need to provide all these personal details so the onus is on how companies respond to breaches and how they will prevent it from happening again. It's also on governments on how they regulate the storage of data. Cyber criminals are opportunistic and information can be stolen from one common point. So the way we respond from a corporate and governance point of view will be important here," Professor Ko told The Oz.

He said customers should wait to see how Optus responds, in terms of communicating how this will be prevented from happening again, but warned that these types of situations will continue.

"We need to shift the focus from 'cyber security' to 'cyber resilience'," Professor Ko said. 

This breach puts a dampener on the good news out of Optus - a Singapore-owned company - this year.

In the six months to March 31 this year, Optus’ total mobile customer base rose by 207,000.

NSW victims can get a new licence

Optus will cover the cost of a replacement licence for anyone in NSW whose licence has been compromised, NSW Customer Service Minister Victor Dominello confirmed on Tuesday evening.

Those impacted will be contacted by the telco in coming days.

"Behind the scenes the NSW Department of Customer Service, Transport for NSW, Cyber Security NSW, ID Support and the Registry of Births, Deaths and Marriages are working with Optus to make the process of re-issuing NSW identity documents as seamless as possible," he said.

"Customers who are notified by Optus that both their Driver Licence number and their Driver Licence card number have been compromised are strongly advised to apply for a replacement licence."


Original URL: https://www.theaustralian.com.au/the-oz/news/optus-has-been-hacked/news-story/c2226e30d41414a27b67d57b92bef4ae