November 10, 2024

Optus cyberattack: Telco silent on how hackers breached system but urges customers to be vigilant

Optus #Optus

Optus is refusing to reveal how a cyberattack compromised the data of its almost 10 million customers — including names, dates of birth, passport and driver’s licence numbers and emails — but now believes only a small portion may be affected.

Chief executive Kelly Bayer Rosmarin told reporters on Friday that the “sophisticated” attack — which could be one of the biggest in Australian history — was now the subject of a criminal investigation and the telecommunications giant said it was not able to detail how hackers accessed its data.

The hack of data, which the telco confirmed is stored in Australia, was identified when a staffer spotted suspicious activity on Wednesday night and the company worked to shut it down. It was only after system experts reviewed network logs that it later understood the true scale of the attack.

SEE MORE IN THE VIDEO PLAYER ABOVE

Optus revealed on Thursday afternoon that up to 9.8 million customers may have been affected. Information that was exposed includes customers’ names, dates of birth, phone numbers and email addresses. For about 2.8 million customers, their addresses, ID document numbers such as driver’s licence or passport numbers were also exposed.

Optus said it was required under law to hold such identification details for up to six years but the data did not include images.

Payment detail, account passwords and enterprise accounts have not been compromised.

Ms Bayer Rosmarin said the unprecedented breach should ring alarm bells for even the most prepared companies about the need to remain vigilant about their cyber security.

“I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings. And so we will not be divulging details about that,” she said.

“It’s safe to say that Optus has very strong cyber defences. Cybersecurity has a lot of focus and investment here. And so this should serve as a warning call to all organisations, there are sophisticated criminals out there. And we really need all organisations to be on alert.”

Australian Consumer and Competition Commission deputy chair Delia Rickard said the cyberattack was extremely worrying due to the large amount of personal information fraudsters might be able to access.

“These are all the things that you need for identity theft and also all the things you need to personalise a scam and make it much more convincing,” she told Nine’s Today program on Friday.

Ms Rickard said any Optus customers who suspected they were victims of fraud should request a ban on their credit records and be highly sceptical of unexpected calls from people purporting to represent banks or government agencies.

The Federal Government has initiated a review into data security on social media platforms, however Opposition communications spokeswoman Sarah Henderson said the action was “too little, too late”.

TELCO INDUSTRY Camera Icon Optus is refusing to reveal how a cyberattack compromised the data of its almost 10 million customers — including names, dates of birth, passport and driver’s licence numbers and emails — but now believes only a small portion may be affected. Credit: News Corp Australia

Ms Bayer Rosmarin said Optus still did not know if the attack was run by state-sponsored hackers or cyber criminals but it was continuing to work with the Australian Cyber Security Centre, the Australian Federal Police and the Office of the Australian Information Commissioner.

Ms Bayer Rosmarin urged customers to remain on watch for any unusual online behaviour so the telco could spot any emerging patterns and identify the attackers.

But the company said compromised data of 9.8 million customers was a “worse case” scenario and it had reason to believe that number would be smaller.

“Importantly, it’s a very small subset of data. It does not include any financial details, it does not include passwords,” Ms Bayer Rosmarin said.

“We will be identifying specifically which customers and which fields of data and proactively contacting each individual customer with very clear explanations, which of their data has been exposed and potentially taken.

Kelly Bayer Rosmarin Camera Icon Optus CEO Kelly Bayer Rosmarin has apologised to affected customers. Credit: News Corp Australia

“While we work through that, we’ve got the absolute worst case scenario number at 9.8 million. But we expect the number to be considerably less than that. Once we’ve worked through the information.”

Optus said it would shortly start contacting affected customers — prioritising those most at risk — but would not divulge how it would do so for fear of alerting scammers.

“We do not want to give people the opportunity to get out in front of us with a phishing attack,” Ms Bayer Rosmarin said.

“The important thing is we will be contacting our customers, we won’t be telling you exactly how we’re doing that, except to say that we will not be sending any links in SMS and email messages.”

Ms Bayer Rosmarin said because the hackers had not stolen the most vulnerable information, such as financial details and passwords, Optus did not have just one “simple message”, such as changing passwords.

“Really what customers can do is just be vigilant if they receive a notification that a password has been changed on one of their online services, and they have not initiated that, to assume that they need to report that and get on top of it straightaway,” she said.

“So it really is increased vigilance, and just being alert to any activity that seems suspicious or odd or out of the ordinary.

“And also, I’m just responding to having reviewed logs of what sort of calls have been coming into the office, if somebody calls you and says they want to connect to your computer and give them your password or let them in, say no, don’t allow that to occur.

“We know that was already occurring, of course, but it might not be related. But it’s a good reminder to people not to fall for that one.”

Scamwatch has advised Optus customers to secure their personal information by changing online account passwords and enabling multi-factor authentication for banking.

Affected customers should also place limits on bank accounts as well as monitoring for any unusual activity.

Leave a Reply