SAPPERNET CYBERSECURITY

Insider Insights on Cybersecurity

Optus data breach: hacker blames company

On September 22, 2022, a security breach took place at Optus, the Australian telecommunications company, compromising the data of 9,800,000 customers, approximately 38% of the country.

Who? 

A hacker using the pseudonym ‘optusdata’ revealed on a forum that they had stolen data from 9.8 million Optus customers, including their full names, dates of birth, phone numbers, and email addresses. An additional 12,000 users had their addresses, driver’s licenses, and passport numbers stolen, and another 14,900 customers had their valid Medicare numbers stolen.

What came next? 

On a hacker forum, ‘optusdata’ threatened to release the information of 10,000 customers per day until they received a $1 million cryptocurrency payment. To show that they were serious, they released the data of 10,200 customers on the first day.

After the data was revealed, other opportunists began to contact the 10,200 customers whose data was compromised in an attempt to solicit or extort funds, continuing to use the username ‘OptusData’. It cannot be confirmed, and is unlikely, that this was the same person.

How did it end? 

The Australian Federal Police, FBI, and other law enforcement agencies began working together to investigate the data breach, and launched Operation Hurricane.

When news of Operation Hurricane broke, the hacker did a 180 and released this statement: 

“Too many eyes. We will not sale data to anyone. We cant if we even want to: personally deleted data from drive (Only copy) 

Sorry too 10.200 Australian whos data was leaked. 

Australia will see no gain in fraud, this can be monitored. Maybe for 10.200 Australian but rest of population no. Very sorry to you. 

Deepest apology to Optus for this. Hope all goes well from this 

Optus if your reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message. 

Ransom not payed but we dont care any more. Was mistake to scrape publish data in first place.” 

Now what? 

Following the breach, the Australian government announced changes to its telecommunications laws in an attempt to protect victims whose data was stolen. The change in law gives telecommunications agencies better coordination with governments and financial institutions to detect and mitigate security-related events.

Victims will also be able to change their driver’s license numbers and get new cards free of charge, with Optus expected to pay the millions it will cost for their customers to do so.

There is also talk of a class action that victims can be part of.

Optus is also offering to pay for a 12-month subscription to a credit monitoring and identity protection service for those affected. Those whose Medicare information was released will be contacted directly by Optus, which claims that personal information cannot be accessed with just the number.

It is still unknown how the hack took place. Chief executive Kelly Bayer Rosmarin told ABC radio that the hack was a “sophisticated attack that penetrated multiple security layers.” There are theories on the internet as to how the breach took place.

There is an interesting takeaway from part of the hacker’s final statement: “Optus if your reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message.” Bug bounties are a great idea for the security posture of a large organization because the organization only pays for newly discovered vulnerabilities. If the company has a secure network, it is fantastic value for money. If there are flaws, they will be patched. Not having an in-depth security system when you control such a large portion of the population’s private information is unnerving. It is clear that there needs to be an audit of Optus’s current security posture, and a revamped security plan moving forward. It also raises the question: is it necessary for a telecommunications company to store this much private data about its customers?
