According to Australian Federal Police, the Optus data breach is one of the largest cyberattacks the country has ever seen and is currently under investigation.
"We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it," said Kelly Bayer Rosmarin, Optus CEO.
The threat actor accessed Optus' data through an unsecured API endpoint before the company discovered the intrusion on September 22, 2022. The stolen data included customer names, dates of birth, phone numbers, and driver's license and passport numbers. Fortunately, the cybercriminal was unable to access any account passwords or financial information.
The hacker uploaded a sample of the stolen data on a popular data leak site called BreachForums claiming that they had over 11 million user records in their possession. The hacker included a note that read, “Optus if you are reading! Price for us to not sale [sic] data is 1,000,000$US! We give you 1 week to decide.”
With Optus refusing to pay and federal authorities closing in, the threat actor seemed to have a change of heart. A few days after making the original demand, the cybercriminal backtracked, stating that they had deleted the data. The post read, "Too many eyes. We will not sale data to anyone. We can't if we even want to: personally deleted data from drive (only copy)."
The hacker even went as far as to apologize to Optus and to the Australian citizens who fell victim to the breach, calling it a "mistake." The apology, posted on BreachForums, stated, "Deepest apology to Optus for this. Hope all goes well from this," and went so far as to claim that they would have reported the unsecured API if there had been a way to notify the company.
Prior to the apology, the Australian Federal Police had assembled a task force called "Operation Hurricane" in an effort to track down the criminals. If identified, those who orchestrated the Optus breach could face up to 10 years in prison.
Optus is currently notifying victims of the data breach and offering a 12-month subscription to Equifax Protect, a credit monitoring service, to those most affected. Victims can also obtain new driver's licenses and have their old ones cancelled, free of charge, through South Australia's Minister for Infrastructure, Transport, Energy & Mining.
In response to the breach, the Australian government is considering a tougher stance on data breaches going forward. "A very substantial reform task is going to emerge from a breach of this scale and size," Cybersecurity Minister Clare O'Neil told the Australian Broadcasting Corp.
O'Neil noted that some countries would have fined Optus "hundreds of millions of dollars" for a breach of this proportion, but Australia's current laws do not allow a company to be held financially liable.