- Data exposed includes names, birthdate, phone no. and email
- ID information such as driver’s licence or passport numbers may also be involved
- Experts warn to beware of scams in the months head
- Optus shut it down once it was discovered
The personal data of up to nine million Australians may have been been accessed by hackers in a massive cybersecurity breach of the country’s second largest telco, Optus.
The cyberattack includes the details of current and former customers.
Optus said the information exposed includes names, dates of birth, phone numbers and email addresses, and in some instances addresses and ID document such as driver’s licence or passport numbers. The company said it was shut down immediately after the attack was discovered.
Payment detail and account passwords have not been compromised. Other Optus services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised.
Optus said it is working with the Australian Cyber Security Centre to mitigate any risks to customers and has notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators about the cyberattack
Optus CEO Kelly Bayer Rosmarin said that as soon as they knew, the telco took action to block the attack and begin an immediate investigation.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” she said
“While not everyone maybe affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.
“We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.”
Rosmarin said they are not aware of any harm to customers, but they should have “heightened awareness” for fraudulent notifications.
StickmanCyber CEO and founder Ajay Unni said the data held by telcos such as Optus can be easily exploited.
“The data exposed can now be maliciously used to create fake identities or as a launchpad to further target users individually through spear-phishing campaigns. These campaigns will now be even more effective as cyber criminals have access to more information than just an email address,” he said.
“While having technical defences is a step forward in terms of cybersecurity maturity, I cannot emphasise enough the importance of training and educating business users as people are always the weakest link when it comes to cybersecurity.”
Unni said third party risk is another area that requires close attention as larger organisations are regularly infiltrated through partnerships with external suppliers.
“The findings of the Australian Cyber Security Centre’s investigation into Optus’s data breach will reveal the >nature of the attack – whether it was the work of cybercriminals or a state-sponsored attack,” he said.
“Optus users need to remain vigilant of any email offering support due to this breach, even if the email appears to be from an authoritative or legitimate source. Optus customers need to do their due diligence when it comes to cyber hygiene and avoid clicking on any links in emails unless their legitimacy has been validated.”
Optus said contacting them via the My Optus App is the safest option, or call 133 937 for retail customers and 133 343 for business .