Optus is investigating claims that millions of customers’ details are being held to ransom by hackers demanding a whopping $US1 million – AUD$1.53 million – in cryptocurrency.
Online forums revealed unverified claims the stolen data would be sold for $US300,000 if the telco did not comply with demands in a week.
It comes after Optus announced it would finally contact account holders whose personal details may have been compromised in this week’s major data hack.
Customers from as far back as 2017 could be affected by the hack, since Optus keeps customer verification details for six years.
Optus came under fire this week after it revealed it had a huge data breach, where personal details of 9.8 million customers were exposed to hackers.
The telco asserted that no passwords or financial details were compromised but other personal details could have been stolen.
Data exposed to the cyber attack included names, addresses, dates of birth, phone numbers, drivers’ licences and passport details.
In an alarming twist the Australian Federal Police is looking into reports that stolen customer data and identification numbers could be for sale through a number of forums, including the dark web.
‘The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,’ a spokesperson said.
Anyone who buys stolen credentials faces up to 10 years in prison.
Optus said it would not be able to comment on some aspects of the case, since the AFP are investigating.
But the company said it will be reaching out to those who have had their details compromised, in a statement on Saturday.
‘Optus will be contacting customers to notify them of the cyber attack’s impact, if any, on their personal details,’ it said.
‘We will begin with the customers whose ID document number may have been compromised – all of whom will be notified on [Saturday].’
Optus customers whose passport or driver’s licence numbers were stolen in the massive data breach are being contacted first.
‘We will notify customers who have had no impact, last,’ the statement read.
The security hack brought about questions over how long telcos should keep data and the compensation customers ought to get when these breaches happen.
It was revealed that Optus objected to potential law changes in 2020 which would have given customers the right to destroy their own data.
The company said there were ‘significant hurdles and costs’ to getting a system up and running.
The Morrison government launched a review into the country’s Privacy Act, where the attorney-general’s department did a survey on whether Australians should be given the choice to erase their personal data.
Another change put on the table was giving users rights to take direct legal action when breaches of their information occurred.
Optus rejected both changes.
Meanwhile, Optus warned the cyber attack on Thursday could trigger a rush of scams by criminals, including phishing calls, emails and text messages.
It said its text messages or emails to customers won’t carry internet links, so if anyone was sent a link it could be a scam.
‘Please do not click on any links,’ Optus said in a statement on Saturday.
‘As the cyber attack is now under investigation by the Australian Federal Police, Optus cannot comment on certain aspects of the incident,’ it said.
‘Given the investigation, Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings.’
Meanwhile, Optus CEO Kelly Bayer Rosmarin issued an emotional apology over the overseas hack, saying she was disappointed the telco had not prevented it.
The company’s boss admitted she felt ‘terrible’ the breach had happened under her watch.
‘I think it’s a mix of a lot of different emotions,’ she said looking downcast.
‘Obviously I am angry that there are people out there that want to do this to our customers.
‘I’m disappointed we couldn’t have prevented it.’
Ms Bayer Rosmarin also revealed that the IP addresses linked to the hackers had moved around various European countries, and that it was a ‘sophisticated’ breach.
She added it was too soon to tell whether a criminal organisation or a state actor was responsible for the attack.
The data that was potentially stolen dates back to 2017.
Ms Bayer Rosmarin said the reported figure of 9.8 million people having their data breached was the ‘worst case scenario’ and Optus expected the number to be much lower.
Optus vice president Andrew Sheridan said human error was not to blame for the breach.
Optus, which began contacting millions of customers on Friday, has apologised for the breach.
The telco said getting information out through news channels was the ‘quickest and most effective way’ to alert customers and communicate the severity of the situation.
Optus was contacted for comment by Daily Mail Australia.