FBI joins investigation into Optus data breach as hacker withdraws ransom demand
Optus #Optus
No effort is being spared in looking into the Optus customer record breach, with the FBI joining the Australian Federal Police in probing the alarming incident. Attorney-General Mark Dreyfus revealed the international cooperation as the group behind the breach scrapped its ransom demand and claimed to have deleted the 11 million customers’ records it scraped from the telco’s website. Mr Dreyfus told parliament a whole-of-government response had been launched, with the AFP not only working with government and industry but also the FBI.
The attorney-general also expressed concern Optus did not report the exposure of Medicare numbers in the breach.
Opposition defence spokesman Andrew Hastie described the government’s response to the hack as “lacklustre and slow”. “Victims of the Optus cyber hack should not have to wait or pay significant amounts of fees to secure their personal information and obtain a new passport,” shadow foreign affairs spokesman Simon Birmingham and shadow cyber security spokesman James Patterson said in a statement.
They said the Department of Foreign Affairs was advising on its website that “if you choose to replace your passport you’ll have to pay” as the department was not responsible for the data breach.
‘Very sorry’: Account claiming to be hacker says it has dropped Optus ransom
The group behind the has reportedly dropped its ransom demand and claims to have deleted the 11 million customers’ records it scraped from the telco’s website. It comes after an alleged attempt to force Optus to pay US$1 million ($1.54 million) by Friday after the group released a batch of 10,000 Australian customers’ sensitive details on a data breach forum on the clear web.
The illegally obtained information includes passport and driver’s licence numbers, dates of birth and home addresses, according to cyber security researcher and writer Jeremy Kirk from ISMG Corp.
“Too many eyes. We will not sale (sic) data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy),” an account claiming to be a hacker posted on the forum on Tuesday. It said it would have alerted Optus to its vulnerability if the telco had a secure method to contact or a bug bounty. It said it was “very sorry”. “Australia will see no gain in fraud, this can be monitored,” the post read.
The batch released on Tuesday was still online as of 1.30pm Sydney time.
Mr Dreyfus told a Labor caucus meeting on Tuesday that the option to allow Australians to change their driver’s licence numbers was being considered with the privacy commissioner. That option is not available in Victoria and the ACT. Mr Dreyfus said the commissioner wasn’t notified by Optus of the breach involving almost 10 million customers, until late Friday, the day after it was first reported. “Optus has a responsibility for the privacy of both current and former customers,” he said.
An ongoing privacy review will be completed this year.
When asked about the situation in question time, Acting Prime Minister Richard Marles described the data breach as a “wake up call”. “The truth is that what has occurred over the last week has been a wake-up call for corporate Australia,” he said. “The Australian Federal Police right now are doing everything within their power to pursue the criminal investigation, but what is really important for those Optus customers is the steps that they take now in terms of their own security.” Mr Marles said it was important for customers to not click on links, to check the sources of websites, and to not divulge personal information over the phone. “Now, we will be continuing to work very closely with Optus, and indeed, other companies in the telecommunications sector and other sectors within the economy, including banks, to make sure that we can do everything to minimise the impact of what has been a very concerning event.”
“But it has been a wake-up call for corporate Australia, and I know now that cyber security is right there in the top echelon of issues which face corporate Australia as it does government of course, and we need to be doing everything we can to make sure that protection is in place.”
Federal Home Affairs Minister Clare O’Neil has criticised Optus following the data breach. Source: AAP
In a statement on Tuesday morning, Home Affairs Minister Clare O’Neil said she was incredibly concerned at the reports of personal information, including Medicare numbers, being shared either for free or for ransom. “Medicare numbers were never advised to form part of compromised information from the breach,” she said. “Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them. Reports today make this a priority.”
Ms O’Neil said the full weight of cyber security capabilities across the government is working to respond to the breach.
How could the cyber attack have been prevented?
Government Services Minister Bill Shorten said Optus needs to do better. “Based on what I’ve been told, Optus hasn’t done enough … to protect their customers and their follow-up needs to be much more diligent,” he told the Nine Network’s Today. “I think it’s time for … a big overhaul of how our data is kept by big corporations.
“We’re doing everything we can to apprehend the hackers but there is no doubt the defences of the company were, as I’ve been informed, inadequate.”
Mr Shorten said the hack raised questions about how much of people’s data big companies should keep and for how long.
Ms O’Neil told the ABC on Monday that the attack was not “sophisticated”.
Australian Federal Police to investigate the breach
A federal police investigation has been launched into the data breach, which has affected 9.8 million Australians. Operation Hurricane has been established by the AFP to identify the people behind the breach, as well as prevent identity fraud of those affected. Assistant Commissioner of Cyber Command Justine Gough said the investigation into the source of the data breach would be complex.
The task force will work with the Australian Signals Directorate, overseas police, as well as Optus.
Opposition cyber security spokesman James Paterson told Sky News the government bore some responsibility and criticised its response to the hack as “slow”.
Slater and Gordon Lawyers are investigating whether to launch a class action lawsuit against Optus on behalf of former and current customers. Class actions senior associate Ben Zocco said the leaked information poses a risk to vulnerable people, including domestic violence survivors and victims of stalking. On Monday, Optus announced it will be providing the most affected current and former customers with a free 12-month credit monitoring subscription to Equifax Protect. Payment details and account passwords have not been compromised. Have you been affected by the Optus data breach? We want to hear from you. Contact SBS News at