
Optus data breach: NSW Government to replace driver’s licenses stolen as hacker apologises for leak

The New South Wales and Queensland governments confirmed they will replace all driver’s licenses compromised by Optus’ massive data leak.

Up to 10 million Australians are at risk of having their private and sensitive information sold online after a hacker infiltrated the telecommunication giant’s system and raided the details of its current and former customers.

Victor Dominello, the NSW Minister for Digital and Customer Service, confirmed on Tuesday evening they would cover the $29 cost of replacing licenses impacted by the online espionage.

‘Firstly I am sorry it has taken several days to reach this landing. People are understandably stressed and need a pathway forward,’ he posted to his Twitter account.

QLD Premier Annastacia Palaszczuk also confirmed her government would replace all licenses and numbers free of charge. 


Mr Dominello said Optus would be contacting its customers who need to apply for a new license in the coming days.

‘People in NSW with a digital driver licence will have an interim card number issued instantaneously via the Service NSW app. A new plastic licence card will be issued within 10 business days,’ he said.

‘The cost to replace your driver licence is $29 and will be charged by Service NSW at the time of application – reimbursement advice will be issued by Optus to customers in the coming days.’

Anyone concerned over their identity possibly having been leaked should contact ID Support NSW on 1800 001 040.

Ms Palaszczuk said Transport and Main Roads Queensland would be issuing new licenses free of charge.

‘The licence is a highly secure ID document, but we’ve been hearing from a lot of people who are concerned so we are giving people the opportunity to obtain a fresh licence,’ she posted to Twitter on Tuesday night. 


The hacker claiming to be responsible for the data breach suddenly apologised for the cyber-attack – as customers receive threatening text messages demanding they pay $2,000 to have their details erased. 

In a bizarre post on Tuesday morning, ‘optusdata’ claimed there were ‘too many eyes’ on them and said they would not sell or leak the hacked data of up to 10million Australians. 

In broken English, optusdata said: ‘Deepest apology to Optus for this. Hope all goes well from this’. 

However, Australians are now receiving threatening texts demanding they pay $2,000 to have their ‘confidential information erased off the system’. 


The text warns Optus customers that if they do not comply, their information will be ‘sold for fraudulent activity’ in two days’ time.

The message asks the $2000 be transferred to a Commonwealth Bank account under the name ‘Optusdata’ and that customers send a copy of their receipt. 

‘Optus has left security measures allowing us to access the personal information of their customers including name, email, phone number, date of birth, address and licence number,’ the text reads.  

‘Optus has not responded to our demand of paying the 1M$USD ransom as such as your information will be sold and used for fraudulent activity within 2 days or until a payment of $2000AUD is made then the confidential information will be erased off our systems.’

The threatening texts come just hours after the hacker said they would release 10,000 records every day for four days if a $1.5million ransom remained unpaid.


The customer records the hacker has released so far included passport, drivers licence and Medicare numbers, as well as dates of birth and home addresses.

In their original apology, the Optus hacker claimed they would’ve told the telco about their vulnerability but there was no way of getting in touch. 

‘Optus if your (sic) reading we would have reported exploit if you had method to contact,’ the apology continued. 

‘No security mail, no bug bountys, no way too message. Ransom not paid but we don’t care any more.’

The hacker said they couldn’t release more data even if they wanted to because they had ‘personally deleted data from drive’ which they claim is the only copy.

Cybersecurity journalist Jeremy Kirk said the apology wasn’t a guarantee ‘optusdata’ could be trusted but said it would be the ‘best outcome’ for customers. 

He said it was ‘disappointing’ others on the forum had copied the stolen data and were distributing it – despite the hacker deleting the original samples. 

‘This means that those 10,200 Optus users in these three data samples would be at an immediate heightened risk of fraud, ID theft,’ he tweeted. 

Shara Evans, a tech analyst who has worked for large telcos in the United States, believes Optus has been less than forthcoming over whether the stolen data was encrypted or not.

‘If the data was encrypted the company would be on the front foot saying ‘yes it’s been encrypted, we’re not going to tell you the exact method for security purposes’,’ she told Daily Mail Australia. 

‘Any data that someone may have gotten their hands on would be in an ‘encrypted state’ – whether they used encryption or tokenisation or any other methodology to scramble the data that would have solved 99.9 per cent of the problem.’

Ms Evans said Optus should have maintained separate silos for storing their customers’ personal information.

‘All of this stuff should have been separately kept, separately stored with audit trails, multiple firewalls and encryption,’ she said. 


Mr Kirk questioned the motivations behind the backflip, tweeting: ‘Many questions around this: Why has this person seemingly changed their mind?’

‘Can we trust this person now? What does this person mean by writing about not being able to delete the data from the drive?’

The cybersecurity journalist, who says he has been in contact with the hacker, shared details of the ransom note on Tuesday morning.

‘The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn’t give into the extortion demand,’ he wrote on Twitter. 

Early on Saturday morning, the hackers demanded a ransom of US$1million – or $1.5million Australian – be paid in Monero, a decentralised cryptocurrency which would obscure the identity of the recipient. 

‘We are businessmen 1.000.000$US is a lot of money and will keep too (sic) our word,’ the hacker’s message read.


The ransom demand came after Home Affairs Minister Clare O’Neil launched a scathing attack on Optus in parliament, saying it was a ‘basic’ hack.

She laid blame for the security breach, which involved 9.8 million current and former customers, at the feet of the telco.

‘The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,’ Ms O’Neil said on Monday.

‘We expect Optus to continue to do everything they can to support their customers and former customers.’

However, Optus has rejected Ms O’Neil’s claim that the hack was not ‘sophisticated’.

The telco’s CEO Kelly Bayer Rosmarin said the breach was ‘not as is being portrayed’.


‘Unfortunately I think our briefing of the Minister happened after she (made those claims),’ she told the ABC.

‘Our data was encrypted and we have multiple layers of protection.’ 

Ms Bayer Rosmarin said the company could not do much about the ransom threat while it was being investigated by the Australian Federal Police.

‘We have seen that there is a post like that on the dark web and the Australian Federal Police is all over that,’ she said.

Speaking to the Today Show on Tuesday morning, Mr Kirk said no one knows the true identity of the hacker.

‘This is the real challenge for investigators right now, they want to find this person, because this person is perpetrating extortion against an international company, and is in possession of a huge amount of personal data,’ he said.


‘There’s just a lot of ways to stay anonymous on the Internet and so what police and other investigators will be doing right now is trying to find out if that person has made any mistakes. 

‘Anything that leads to their in real life identity so hopefully they can make an arrest.’ 

Cybersecurity threat analyst Brett Callow said the hacker’s only motivation was money and echoed Ms O’Neil’s claims that it was not a sophisticated attack.

‘It would sound like something potentially a highschool kid could’ve pulled off,’ he said.

Operation Hurricane was established by the AFP on Monday to identify the people behind the breach as well as prevent identity fraud.

Assistant Commissioner of Cyber Command Justine Gough said the investigation into the source of the data breach would be complex.


‘We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities,’ she said.

‘Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them.’

The task force will work with the Australian Signals Directorate, overseas police as well as Optus.

Ms Gough said customers should be more vigilant in monitoring unsolicited texts, emails and phone calls in the wake of the Optus breach.

‘The AFP will be working hard to explain to the community and businesses how to harden their online security because ultimately it is our job to help protect Australians and our way of life,’ she said.


Slater and Gordon Lawyers are investigating whether to launch a class action lawsuit against Optus on behalf of former and current customers.

Class actions senior associate Ben Zocco said the leaked information posed a risk to vulnerable people, including domestic violence survivors and victims of stalking.

Consequences may be less severe for other customers but the information could easily lead to identity theft, he added.

Ms O’Neil called on the telco to provide free credit monitoring to former and present customers who had their data stolen in the breach.

Optus has announced it will be providing the most affected current and former customers with a free 12-month credit monitoring subscription to Equifax Protect.


Ms O’Neil said the government was looking to work with financial regulators and the banking sector to see what steps could be taken to protect affected customers.

‘One significant question is whether the cyber security requirements we place on large telecommunications providers in this country are fit for purpose,’ she said.

‘In other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.’

Prime Minister Anthony Albanese said the data breach was a ‘huge wake-up call’.

As the government prepares to introduce new cybersecurity measures, Mr Albanese said the new protections would mean banks and other institutions would be informed much faster when a breach happened so personal data could not be used.

What Optus has said about the breach:

How did this happen?

Optus was the victim of a cyberattack. We immediately took action to block the attack which only targeted Optus customer data. Optus’ systems and services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.

Has the attack been stopped?

Yes. Upon discovering this, Optus immediately shut down the attack.

We are now working with the Australian Cyber Security Centre to mitigate any risks to customers. We have also notified the Australian Federal Police, the Office of the Australian Information Commissioner, and key regulators.

Why did we go to the media first instead of our customers?

The security of our customers and their data is paramount to us. We did this as it was the quickest and most effective way to alert as many current and former customers as possible, so they could be vigilant and monitor for any suspicious activity. We are now in the process of contacting customers who have been impacted directly.

What information of mine may have been exposed?

The information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers. Customers affected will be notified directly of the specific information compromised.

Optus services, including mobile and home internet, are not affected. Messages, voice calls, billing and payments details, and account passwords have not been compromised.

What should I do to protect myself if I suspect I am a victim of fraudulent activity?

We are not currently aware of any customers having suffered harm, but we encourage you to have heightened awareness across your accounts, including:

Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.

Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.

Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.

How do I contact Optus if I believe my account has been compromised?

If you believe your account has been compromised, you can contact us via My Optus App – which remains the safest way to contact Optus or call us on 133 937 for consumer customers. Due to the impact of the cyberattack, wait times may be longer than usual.

If you are a business customer, contact us on 133 343 or your account manager.

How do I know if I have been impacted?

We are in the process of contacting customers who have been directly impacted.

***
Read more at DailyMail.co.uk