Australia’s cybersecurity minister lambasts Optus, while alleged hacker apologises in change of heart and drops ransom demand
Optus, the second largest mobile operator in Australia, continues to feel the impact after suffering that country’s largest ever cybersecurity breach.
Last week the operator, owned by Singapore Telecommunications Ltd, confirmed a cyberattack had compromised the data belonging to millions of its customers.
As many as 9.8 million accounts may be compromised, equivalent to 40 percent of Australia’s population. Stolen data includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.
And it seems the Australian government is not at all happy at Optus and its security regime.
Clare O’Neil, minister for Home Affairs and Cybersecurity, appeared on ABC730 on Monday, and said the government has received “quite detailed” information about the data stolen from Optus in the hack.
She confirmed the breach had exposed basic personal information of 9.8 million Australian citizens.
The country has a population of 25.7 million people.
But even worse, extensive (and sensitive) personal data such as license numbers and passport numbers for 2.8 million people has also been leaked into the public realm.
The data taken, the minister said, “effectively amounts to 100 points of ID check,” making the “scope for identity theft and fraud quite significant in particular for those 2.8 million Australians.”
ICYMI: Minister for Cyber Security @ClareONeilMP spoke to @latingle about the Optus data breach, and says Australia is "probably a decade behind" in privacy protections. #abc730 pic.twitter.com/boqoKceL0j
— abc730 (@abc730) September 26, 2022
When asked why a telecoms company would have that amount of sensitive public information, the cybersecurity minister disputed Optus claims that it was a victim of a “sophisticated” hack, and said the attack was not all sophisticated and was in fact “quite a basic hack” and Optus had “left the window open.”
The minister confirmed she was not buying the line from Optus that it was a sophisticated attack, bluntly saying it wasn’t.
She also said that Optus offer of one year’s credit monitoring for victims was “not an adequate response,” and warned the operator this was “not the end of the story.”
Clare O’Neil also noted that Australia in general was probably about a “decade behind” in adequate privacy protections” and about “five years behind in cyber protections.”
Meanwhile the Guardian reported that the alleged Optus hacker has had a change of heart and has apologised for the data breach and dropped the ransom threat.
It comes after an online account sought a ransom after it published records of 10,000 Optus customers, and threatened to release more, before change of heart and retracting the threat and deleting all demands.
The hacker had on Monday night allegedly uploaded a text file of 10,000 records to a data breach website and promised to leak 10,000 more records each day for the next four days unless Optus paid $1m in cryptocurrency.
The text leak contained names, dates of birth, email addresses, driver’s licence numbers, passport numbers, Medicare numbers, phone numbers and address information, the Guardian noted. It also included more than a dozen state and federal government email addresses, including four from the defence department and one from the Department of Prime Minister and Cabinet.
But by late Tuesday morning, the alleged attacker had apparently had a change of heart, deleting their posts and claiming they had also deleted the only copy of the Optus data.
“Too many eyes. We will not sale [sic] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy),” they reportedly said in a new post.
“Sorry too [sic] 10,200 Australian whos [sic] data was leaked.
“Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you.”
The alleged attacker apologised to Optus and said they would have reported the exploit if Optus had made it possible to report.
Optus reportedly said no ransom has been paid.