Optus: How a massive data breach has exposed Australia

September 29, 2022 2:00 pm

Optus is the country's second largest telecommunications company. [Photo Credit: BBC News]

Last week, Australian telecommunications giant Optus revealed about 10 million customers – about 40% of the population – had personal data stolen in what it calls a cyber-attack.

Some experts say it may be the worst data breach in Australia’s history.

But this week has seen more dramatic and messy developments – including ransom threats, tense public exchanges and scrutiny over whether this constituted a “hack” at all.

It’s also ignited critical questions about how Australia handles data and privacy.

Optus – a subsidiary of Singapore Telecommunications Ltd – went public with the breach about 24 hours after it noticed suspicious activity on its network.

Australia’s second biggest telecoms provider said current and former customers’ data was stolen – including names, birthdates, phone numbers, email addresses, passport numbers and driving licence numbers. It stressed that payment details and account passwords were not compromised.

Those whose passport or licence numbers were taken – roughly 2.8 million people – are at a “quite significant” risk of identity theft and fraud, the government has since said.

Optus said it was investigating the breach and had notified police, financial institutions, and government regulators. The breach appears to have originated overseas, local media reported.

In an emotional apology, Optus chief executive Kelly Bayer Rosmarin called it a “sophisticated attack”, saying the company has very strong cybersecurity.

Early on Saturday, an internet user published data samples on an online forum and demanded a ransom of $1m (A$1.5m; £938,000) in cryptocurrency from Optus.

The company had a week to pay or the other stolen data would be sold off in batches, the person said.

Investigators are yet to verify the user’s claims, but some experts quickly said the sample data – which contained about 100 records – appeared legitimate.

Sydney-based tech reporter Jeremy Kirk contacted the purported hacker and said the person gave him a detailed explanation of how they stole the data.

The user contradicted Optus’s claims the breach was “sophisticated”, saying they pulled the data from a freely accessible software interface.

“No, authenticate needed… All open to internet for anyone to use,” they said in a message, according to Kirk.