Last week an anonymous hacker set their sights on Optus. The person was able to hack into Optus’s application programming interface (API) to obtain the personal data of nearly 10 million Optus customers.
Optus said in a statement that information that may have been exposed included customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.
According to the statement, payment details and account passwords had not been compromised by the Optus hacker.
Over 9 million people were impacted by this mega security breach and, since the breach, which occurred on 22 September 2022, both Optus (telco) and the hacker have issued updates.
Why did this happen?
According to cyber experts, the reason is plain and simple – money. The Optus hacker is demanding a million dollars in the Monero cryptocurrency to delete the data.
Optus has not given in to the attacker’s demands and, according to experts, it would be silly to do so.
Brett Callow of New Zealand-based Emsisoft said,
“Were Optus to pay the criminal a million bucks that’s being demanded, it’d simply be paying on the basis of a pinkie promise that the stolen data would be destroyed.
And as that pinkie promise would be coming from an untrustworthy bad-faith actor, it’d carry zero weight.
The company could find itself being extorted for a second time or the data could be released online anyway. Bottom line: it’d make zero sense for Optus to pay.”
Optus responds with a free subscription service
Optus issued a statement that “the most affected current and former customers” whose information was compromised had the option of a 12-month subscription to Equifax Protect, a credit monitoring and identity protection service that can help reduce the risk of identity theft.
Such customers would be contacted, Optus added.
Law firm gets involved
Yesterday law firm Slater and Gordon added another dimension to the drama by announcing they would be looking at the possibility of initiating a class action suit against Optus.
In a statement issued on Monday afternoon, the company’s class actions senior associate Ben Zocco said while specifics of the breach were yet to be made public, the consequences could potentially be significant for some customers.
Due to this, he said the law firm was assessing possible legal action for those affected. A page has been set up with information for those who are interested in such an action.
Optus hacker’s shocking move
This morning the Optus hacker, known as Optusdata, allegedly released 10,000 customer records with the promise to continue to release 10,000 each day for the next 4 days. After this, if Optus doesn’t pay the money, they will “sell” the info.
The conversation is outlined below after being shared by Brett Callow on Twitter.
If you are an Optus customer, what should you do?
Optus states that they will be in touch with customers in the coming days. You may have already received a letter addressing the cyber attack but not all customers did.
WHAT THE EXPERTS SAY:
At this stage, experts suggest that you don’t need to get a new passport or driver’s licence. You may want to change your passwords for all online accounts, including your banking.
Toby Murray, an associate professor in cybersecurity at the University of Melbourne, suggests those impacted should ask their bank to put in place additional verification methods (like an extra security challenge question) on the accounts, particularly for over-the-phone authentication.
Murray says Optus customers might consider asking the same from other valuable accounts such as superannuation providers or Centrelink.
WHAT OPTUS SAYS:
Optus recommended those affected by the incident contact reputable sources for information such as Moneysmart, ID Care and the Office of the Australian Information Commissioner.
WHAT A LAW FIRM SAYS:
Slater and Gordon recommend that anyone impacted register their interest in Slater and Gordon’s investigation.
They also suggest customers “otherwise remain vigilant and look out for suspicious account activity or contact by email, SMS and phone.”