OPTUS DATA BREACH: MILLIONS OF CUSTOMERS' DATA AFFECTED!

This week has been a very tumultuous time for Australia. The storm has not been limited to the company in question: the entire nation and the Australian government have also been pulled into the deep worries caused by the massive data breach.

Optus has been at the center of the news since last week, when the personal data of around 9.8 million current and former Optus customers was stolen by hackers identifying themselves as Optusdata. They accessed the customer identity database and exposed it by exploiting an Application Programming Interface (API). Optus suspects that a test network connected to the internet was exposed.

Optus is the 2nd largest telecommunications company in Australia, standing just behind Telstra Corporation Ltd in terms of market share of mobile phone services. Optus was acquired by SingTel, Asia's leading communications technology group, in 2001.

The hackers sought a ransom of $1 million and gave Optus a timeline of 1 week to decide and pay. On the third day, they released the data of 10,000 customers and threatened to release 10,000 records each day for the following 4 days unless the demanded ransom was paid.

The message from the hacker, optusdata, on breachforums included brief details of the customer information and the ransom amount.
"Optus, if you care about customer you will pay! Revenue 9B$ dollar, 1M$ US small price to pay! if 1,000,000$US pay then data will be deleted from drive. Only 1 copy exist. Will not sale data too. Completely gone!"

Updates as of 27th September 2022

The hackers posted an apology on an online forum and stated that they had deleted all the data (the single copy) following the enormous media attention that the case was getting. The demand for the ransom has therefore been withdrawn.

The FBI has been called in to assist the Australian Federal Police (AFP) with the investigation into the data breach. The AFP is using specialist capability to monitor the dark web and other technologies to find those who are breaking the law and selling or buying the breached details.

Hacker withdrawal statement on breachforum

What Customer Information Was Accessed?

Although the hackers have stated that the customer details were deleted, the details of the 10,000 customers that they released when the ransom was not paid have already been released and circulated.

The released data is said to contain customer details such as names, addresses, dates of birth, passport numbers, email addresses, driver license numbers and other contact details. Medicare numbers were also found to be included in the released data. These are the documents that make up the 100 points of identification we are required to submit to prove our identity to many corporations.

Given how many kinds of details were exposed, there are many ways in which they can be exploited. It is worrisome.

If your details were involved in the data breach, you should have received an email or SMS message from Optus, such as the one shown below. However, customers who have not received such a message cannot be ruled out as victims. Their email address could have been breached.

Message from Optus to affected customers

According to the Commonwealth Bank of Australia, it blocked an attempt to rob $2000 from the account of one of the Optus data breach victims.

As for the other data obtained by the hacker, it is very difficult to get assurance that no data remains in the wild, for sale or for free. As Troy Hunt, the Microsoft executive and creator of HaveIBeenPwned.com, rightly said:

“I like the saying of trying to remove data from the internet is like trying to remove pee from a pool. You would certainly be working on the assumption there is an ongoing risk to those individuals.”

There is no guarantee that the hacker's claim of having deleted the information is true. There remains a huge risk of identity theft, as well as other cyber threats, to the millions of past and current Optus customers.

