Optus customers slam telco for failing to protect data in major breach as hackers demand ransom

The mysterious hacker who claims to have stolen the personal details of millions of Optus customers has demanded $1.5 million in ransom money as outraged Australians rage at the telco giant for failing to protect their data. 

The hacker has warned personal addresses, dates of birth, phone numbers, drivers’ licences, and passport details of millions will be leaked if Optus doesn’t pay $US1million (AU$1.53million) in cryptocurrency Monero.

They claim to have access to the details of 11.2 million Optus customers in a major breach that tech experts at this stage believe is legitimate. 

The mysterious hacker who claims to have stolen the personal details of millions of Optus customers has demanded $1.5million in ransom money (pictured, an Optus store in Sydney)

The hacker has warned personal addresses, dates of birth, phone numbers, drivers' licences and passport details of millions will be leaked if Optus doesn't pay AUD$1.53million

The hacker has warned personal addresses, dates of birth, phone numbers, drivers’ licences and passport details of millions will be leaked if Optus doesn’t pay AUD$1.53million

The ransom demand appeared on an online forum on Saturday morning with the hackers warning the telco it had one week to respond. 

‘Optus if you are reading! price for us to not sale data is 1.000.000$US We give you 1 week to decide,’ part of the message read. 

The warning comes as Optus customers take to social media to vent their frustration, with chief executive and parenting educator Dannielle Miller just one of the millions of people who say the company’s response has been ‘inadequate’. 

Ms Miller told Daily Mail Australia she has been an Optus customer for 30 years and expected more from the telco after decades of loyalty. 

She said the apology from Optus boss Kelly Bayer Rosmarin ‘missed the mark’. 

‘The CEO referred to Optus as a victim of cyber-hacking. They’re not the ones who have had their personal details hacked – the customers are the victims,’ she said.

‘It’s hard to hear them crying victim when it’s clear they’ve been very slack.’

The ransom demand appeared on an online forum on Saturday morning with the hackers warning the telco company they had one week to respond (pictured, an Optus store in Sydney)

The ransom demand appeared on an online forum on Saturday morning with the hackers warning the telco company they had one week to respond (pictured, an Optus store in Sydney)

Ms Miller said she intended to close the Optus accounts belonging to herself, her daughter and her employees and plans to advise them to change carriers. 

She said customers who may be forced to change details like their licence number should be compensated by Optus for any out-of-pocket expenses. 

‘I’m personally not after compensation, what matters to me is peace of mind and security for my data,’ she said, adding customers needed to be prioritised. 

On Friday morning, Ms Bayer Rosmarin made an emotional apology to the millions of Optus customers whose details had been compromised. 

Pictured: Optus CEO Kelly Bayer Rosmarin

Pictured: Optus CEO Kelly Bayer Rosmarin

She confirmed payment details and account passwords were protected but admitted she felt ‘terrible’ the breach had happened under her watch. 

‘I think it’s a mix of a lot of different emotions,’ she said looking downcast. 

‘Obviously I am angry that there are people out there that want to do this to our customers, I’m disappointed we couldn’t have prevented it.

‘I’m very sorry and apologetic. It should not have happened.’ 

The telco has copped criticism for its handling of the major breach, with customers frustrated it took three days for Optus to start personally contacting them. 

The company said ‘proactive personal notifications’ will be sent to those they believe have a ‘heightened risk’ of being involved and earlier this week said getting information to customers through the media was the most ‘effective’ way. 

The company came under fire this week after it revealed it had a huge data breach, where personal details of 9.8 million customers, as far back as 2017, were stolen (pictured, an Optus store in Sydney)

The company came under fire this week after it revealed it had a huge data breach, where personal details of 9.8 million customers, as far back as 2017, were stolen (pictured, an Optus store in Sydney)

Customers from as far back as 2017 could be affected by the hack, since Optus keeps customer verification details for six years. 

Data exposed to the cyber attack included names, addresses, dates of birth, phone numbers, drivers’ licences and passport details. 

In an alarming twist, the Australian Federal Police is looking into reports that stolen customer data and identification numbers could be for sale through forums, including the dark web.

‘The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,’ it said.

Anyone who buys stolen credentials faces up to 10 years in prison.

Optus said it would not be able to comment on some aspects of the case, since the AFP was investigating. 

But the company said it would reach out to those who had their details compromised, in a statement released on Saturday. 

Optus customers whose passport or driver's licence numbers were stolen in the massive data breach are being contacted first (pictured, a stock photo)

Optus customers whose passport or driver’s licence numbers were stolen in the massive data breach are being contacted first (pictured, a stock photo)

‘Optus will be contacting customers to notify them of the cyber attack’s impact, if any, on their personal details,’ it said. 

‘We will begin with the customers whose ID document number may have been compromised – all of whom will be notified on [Saturday].’

Optus customers whose passport or driver’s licence numbers were stolen in the massive data breach are being contacted first.

‘We will notify customers who have had no impact, last,’ the statement read. 

The security hack brought about questions over how long telcos should keep data and the compensation customers ought to get when these breaches happen.

It was revealed that Optus objected to potential law changes in 2020 which would have given customers the right to destroy their own data. 

The company said there were ‘significant hurdles and costs’ to getting a system up and running. 

The Morrison Government launched a review into the country’s Privacy Act, where the attorney-general’s department did a survey on whether Australians should be given the choice to erase their personal data. 

Another change put on the table was giving users rights to take direct legal action when breaches of their information occurred. 

'As the cyber attack is now under investigation by the Australian Federal Police, Optus cannot comment on certain aspects of the incident,' a company statement said

‘As the cyber attack is now under investigation by the Australian Federal Police, Optus cannot comment on certain aspects of the incident,’ a company statement said 

Optus rejected both changes.

On Thursday, Optus warned the cyber attack could trigger a rush of scams by criminals, including phishing calls, emails and text messages. 

It said its text messages or emails to customers won’t carry internet links, so if anyone was sent a link it could be a scam.

‘Please do not click on any links,’ Optus said in a statement on Saturday.

‘As the cyber attack is now under investigation by the Australian Federal Police, Optus cannot comment on certain aspects of the incident,’ it said.

‘Given the investigation, Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings.’ 

Optus CEO Kelly Bayer Rosmarin (pictured) admitted she felt 'terrible' the breach had happened under her watch (pictured, an Optus store in Sydney)

Optus CEO Kelly Bayer Rosmarin (pictured) admitted she felt ‘terrible’ the breach had happened under her watch (pictured, an Optus store in Sydney)

Optus’ CEO has revealed that the IP addresses linked to the hackers had moved around various European countries, and that it was a ‘sophisticated’ breach.

Ms Bayer Rosmarin added it was too soon to tell if it was a criminal organisation or another state was responsible for the attack.

The data that was potentially stolen has been dated back to 2017.

She said the reported figure of 9.8million people having their data breached was the ‘worst case scenario’ and Optus expected the number to be much fewer.

Optus vice president Andrew Sheridan has said human error was not to blame for the breach.

Optus has been contacted for comment by Daily Mail Australia.  

***
Read more at DailyMail.co.uk