Shortly after Australian telecommunications company Optus announced the identity data of millions of customers had been stolen, a person claiming to be the hacker announced they would delete the data for US$1 million.
When Optus didn’t pay, the purported hacker published 10,000 stolen records and threatened to release ten thousand more every day until the ransom deadline. These leaked records contained identity information such as driver’s license, passport and Medicare numbers, as well as parliamentary and defense contact information.
A few hours after the data drop, the purported hacker unexpectedly apologised and claimed to have deleted the data due to “too many eyes”, suggesting fear of being caught. Optus confirms they did not pay the ransom.
They’ve said they deleted the data – now what? Is it over?
Communication from the person claiming to be the hacker and the release of 10,200 records have all occurred on a website dedicated to buying and selling stolen data.
The data they released are now easily available and appear to be legitimate data stolen from Optus (their legitimacy has not been verified by Optus or the Australian Federal Police; the FBI in the United States has now been called in to help the investigation).
The question then is – why would the hacker express remorse and claim to delete the data?
Unfortunately, while the purported hacker did appear to possess the legitimate data, there is no way to verify the deletion. We have to ask: what would the hacker gain from claiming to delete them?
It is likely a copy still remains, and it’s even possible the post is a ploy to convince victims not to worry about their security – to increase the likelihood of successful attacks using the data. There is also no guarantee the data were not already sold to a third party.
Whatever the motivations of the person claiming to be the hacker, their actions suggest we should continue to expect all records stolen from Optus do remain in malicious hands.
Despite the developments, recommendations still stand – you should still be taking proactive action to protect yourself. These actions are good cyber hygiene practices no matter the circumstances.
However it is unclear at this early stage whether free options to change these documents will be made to all data breach victims, or only a subset of victims.
Can I find out whether my data were part of the 10,200 leaked records?
Reports of people being contacted by scammers suggest they are already being used.
Troy Hunt, the Australian cyber security professional who maintains HaveIBeenPwned – a website you can use to check whether your data are part of a known breach – has announced he will not add the leaked data to the site at this stage. So this method will not be available.
The best course of action in this case is to assume your data may have been released until Optus notifies people in the coming week.
Are the released data already being used?
The least technically sophisticated method of targeting Optus customers is to use the details to make direct contact and ask for a ransom. There are reports blackmailers are already targeting breach victims via text message, claiming to have the data and threatening to post it on the dark web unless the victim pays.
The data have already leaked and claims about deleting the data are untrue. Paying anyone who makes these claims will not increase the security of your information.
Data recovery scams – where scammers target victims offering help to remove their data from the dark web or recover any money lost for a fee – have also become prominent. Instead of helping, they steal money or obtain more information from the victim. Anyone who claims to be able to scrub the data from the dark web is claiming to put toothpaste back in the tube. It isn’t possible.
The data could also be used to identify family members to make the “Hi Mum” or family impersonation scam more convincing. This involves scammers posing as a family member or friend from a new phone number, often using WhatsApp, in need of urgent financial help. Anyone receiving this kind of text message should make every effort to contact their family member or friend by other means.
What else can my data be used for?
The scams involved with these data will only grow in the coming days and weeks and may not be confined to the digital world.
Other possible uses involve activities like attempting to take over valuable online accounts or your SIM card, or setting up new financial services and SIM cards in your name. The advice we provided in our previous article applies to these.
Additionally, anyone with reason to be concerned about physical safety if their location is known (for example domestic abuse survivors) should consider the possibility that their names, telephone numbers and address may have leaked or may in the future.
- Jennifer J. Williams, PhD Candidate, Macquarie University; Jeffrey Foster, Associate Professor in Cyber Security Studies, Macquarie University, and Tamara Watson, Associate Professor in Psychological Science, Western Sydney University