‘Sophisticated attack’: Optus hackers used European addresses, could be state linked
By Nick Bonyhady
Optus has confirmed up to 9.8 million customers’ personal details dating as far back as 2017 may have been accessed in a sophisticated cyberattack on the company that could have been executed by a crime gang or even a foreign state.
In a press conference on Friday, Optus chief executive Kelly Bayer Rosmarin said the attackers, who were discovered on Wednesday, hid their tracks by shifting their online location markers across an array of European countries.
Growing emotional at the end of a press conference on Friday morning, Bayer Rosmarin said she felt terrible that the attack had happened, angry at the hackers and disappointed Optus had been unable to stop it.
“I’m very sorry and apologetic,” she said. “It should not have happened.”
Bayer Rosmarin would not say how many customers the country’s second-largest telecommunications company had contacted about the breach nor how it stored customer data, pointing to an ongoing criminal investigation.
“The IP address [used by the hackers] kept moving. It’s a sophisticated attack. Safe to say it comes out of various countries in Europe. And in terms of the customer data, I think it dates back to 2017.”
Early indications are that the breach occurred through a vulnerability in an API – a common way for computer systems to talk to each other – that has since been shut down.
Optus’ public affairs boss Andrew Sheridan denied an ABC report, citing an anonymous company insider, that the API had been left vulnerable as a result of “human error”.
“I can categorically confirm that that is not the case,” Sheridan said on Melbourne radio, without going into details.
Retired major general Marcus Thompson, a former head of the Australian Defence Force’s information warfare division, said hacking groups were known to try to hide their identity and location by using multiple addresses.
He said Optus had responded quickly in disclosing the breach, which underscored the risks to all other major Australian organisations.
“There’ll be plenty of CEOs and boards looking and saying, ‘There but by the grace of God go I,’ ” said Thompson, now a strategic adviser with cybersecurity firm Paraflare among other corporate roles. “This could have happened to anyone.”
The 9.8 million figure is an “absolute worst case” and the company expects the true number affected to be smaller, with reports that about a third of Optus’ customer database was copied. A spokesman for the company said the data was encrypted and secured but had still been accessed.
Bayer Rosmarin emphasised that the company had gone public with the breach quickly so that customers could be alert to scams or fraudulent requests, and that it was continuing to investigate in conjunction with the Australian Cyber Security Centre, the government agency that responds to major digital incidents.
In a statement, the Australian Federal Police confirmed it had received a referral from Optus on Friday and said its cyber command division would pursue the “complex, criminal investigation”.
“No passwords or bank details were taken,” Bayer Rosmarin said. “So, there isn’t a simple message like update your passwords or talk to your financial institution.”
She declined to say how Optus would contact affected customers but said it would tell all customers “over the next few days” how much, if any, of their data had been stolen.
Small business customers may have been caught up in the breach but Optus has confirmed that its enterprise wing and other brands on its network, such as Coles Mobile and Amaysim, have not been affected.
A spokesman for Cybersecurity Minister Clare O’Neil declined a request to interview the minister, deferring to Optus on the breach. Her office has previously confirmed the cybersecurity centre is involved and pointed to rising online attacks against Australian businesses.
But Opposition Leader Peter Dutton questioned the government’s silence, saying O’Neil was “missing in action”. “There are a lot of people who are very concerned, particularly older Australians, about what has happened here,” Dutton said in Canberra.
On September 17, a pseudonymous user on an online hacking forum purported to offer more than 1 million Optus phone numbers for sale. But other users have cast doubt on whether that database is related to the hack, suggesting it could have been compiled from other sources.
“We are still working to validate that that information is relevant and is even Optus data,” Bayer Rosmarin said.