Customers’ personal data stolen as Optus suffers massive cyber-attack

Optus has suffered a massive cyber-attack, with the personal information of customers stolen, including names, dates of birth, addresses, and contact details.

The telco suffered the data breach when hackers, believed to be working for a criminal or state-sponsored organisation, accessed the sensitive information by breaking through the company’s firewall.

The Australian Cyber Security Centre is working with Optus to lock down its systems, secure any data against further breaches, and trace the attackers. The Australian federal police and the Office of the Australian Information Commissioner have also been notified.

Optus has 9.7 million subscribers, according to publicly available data, but the company said it was still assessing the size of the data breach.

The company confirmed information which may have been exposed included Optus customers’ names, dates of birth, phone numbers, email addresses and, for a cohort of customers, physical addresses and identification document numbers such as driving licence or passport numbers.

Optus said payment details and account passwords have not been compromised, and that services, including mobile phones and home internet, were not affected.

The company insisted voice calls had not been compromised, and that Optus services remained safe to use and operate.

“We are devastated to discover that we have been subject to a cyber-attack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” Optus chief executive Kelly Bayer Rosmarin said.

“As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.

“We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.

“Optus has also notified key financial institutions about this matter,” Bayer Rosmarin said.

“While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.”

Sign up to Guardian Australia’s Morning Mail

Our Australian morning briefing email breaks down the key national and international stories of the day and why they matter

Privacy Notice: Newsletters may contain info about charities, online ads, and content funded by outside parties. For more information see our Privacy Policy. We use Google reCaptcha to protect our website and the Google Privacy Policy and Terms of Service apply.

Home affairs minister Clare O’Neil said the Australian Cyber Security Centre was providing cyber security advice and technical assistance to Optus, and that Australian companies and organisations were being consistently targeted for cyber-attacks by cybercriminals and hostile nations.

“The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) has seen broad targeting of Australians and Australian organisations, through rapid exploitation of technical vulnerabilities by state actors and cybercriminals seeking to exploit weaknesses and steal sensitive data.”

The Office of the Australian Information Commissioner issued a statement late on Thursday saying it was working with Optus “to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme”.

“Under the NDB scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved,” the OAIC said.

“The NDB scheme ensures individuals are informed and can take steps to protect themselves from any further risk. Following a breach, individuals need to be alert to any suspicious or unexpected activity on their personal accounts or devices.”