Optus Warns Cyberattack Compromised Data Of 10 Million Customers

data breach, security breaches

Mobile operator Optus blames “offshore entity” for what could be Australia’s largest ever data breach, impacting up to 10 million customers

Optus, the second largest mobile operator in Australia, has suffered one of that country’s largest ever cybersecurity breaches.

The operator is owned by Singapore Telecommunications Ltd, and on Thursday it confirmed a cyberattack has compromised the data belonging to millions of customers.

Stolen data includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.

Whistleblower leak keyboard security breach © CarpathianPrince Shutterstock

Data breach

A bit of good news is that payment detail and account passwords have apparently not been compromised.

“Following a cyberattack, Optus is investigating the possible unauthorised access of current and former customers’ information,” the operator stated.

It said that upon discovering this, it immediately shut down the attack and is working with the Australian Cyber Security Centre to mitigate any risks to customers.

The operator said it has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.

“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” said Kelly Bayer Rosmarin, Optus CEO.

“As soon as we knew, we took action to block the attack and began an immediate investigation,” said the CEO. “While not everyone maybe affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.”

“We are very sorry and understand customers will be concerned,” Bayer Rosmarin added. “Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.”

Foreign attacker

Reuters reported that the operator said it will contact up to 10 million customers whose personal details were taken.

It cited chief executive Kelly Bayer Rosmarin as saying she was angry and sorry that an offshore-based entity had broke into the company’s database of customer information.

As many as 9.8 million accounts may be compromised, equivalent to 40 percent of Australia’s population, but “that is the absolute worst case scenario (and) we have reason to believe that the number is actually smaller than that,” Bayer Rosmarin reportedly said.

Bayer Rosmarin said corporate customers appeared unaffected and there was no indication the intruder took customer bank account details or passwords.

“We will be identifying specifically which customers (were affected) and proactively contacting each customer with clear explanations of which of their information has been exposed and taken,” Bayer Rosmarin said in an online media briefing on Friday.

“I’m angry that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it … and I’m very sorry,” she added.

Reuters reported that she declined to give details of how the attacker breached the company’s security, citing an ongoing criminal investigation, but noted the attacker’s IP address – the unique identifier of a computer – appeared to move between unspecified countries in Europe.

As a major telco, Optus considered itself a target for cyber attackers and routinely repelled attempts to breach its systems but “this particular one is not similar to anything we’ve seen before, and unfortunately it was successful,” she said.