Police ‘all over’ dark web ransom threat to release 10,000 customer records a day, Optus CEO says
Optus #Optus
The chief executive of Optus, Kelly Bayer Rosmarin, says federal police are “all over” a post on the dark web purporting to release 10,000 customer records from the recent data breach and threatening to release more until a $1m ransom is paid.
Rosmarin also told ABC radio the company’s massive security breach was “not as being portrayed”, after the minister for home affairs accused the company of leaving the “window open” for the data to be stolen.
On Monday night, the purported hacker released a text file of 10,000 records, promising to leak 10,000 each day for the next four days unless Optus pays them $1m.
The released records include email addresses from the Department of Defence and the Office of the Prime Minister and Cabinet.
The Optus attack has affected up to 10 million customers, including 2.8 million people who had their driving licence or passport number leaked.
The purported hacker said they had obtained the data through an opening Optus had left accessible in its network, and the company had not yet contacted them.
The Australian federal police has launched Operation Hurricane to work with overseas law enforcement authorities to determine who had obtained the data and was attempting to sell it.
Guardian Australia has verified the file contains records with people’s names, dates of birth, email addresses, phone numbers, postal addresses, and in some cases, licence numbers, passport numbers and Medicare card numbers.
There are approximately 20 state and federal government emails listed in the dump, including four from the Department of Defence, and one from the Department of the Prime Minister and Cabinet.
Asked about the claim, Rosmarin said the company had “seen that there is a post like that on the dark web and the Australian federal police is all over that”.
“They’re looking into every possibility and they’re using the time available to see if they can track down that particular criminal and verify [the claim].”
The minister for home affairs, Clare O’Neil, told ABC’s 7.30 program on Monday evening: “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”
O’Neil described the hack as “basic,” contradicting Rosmarin’s description earlier last week as a “sophisticated attack”.
Asked about O’Neil’s comments on ABC radio Tuesday morning, Rosmarin thanked reporter Peter Ryan “for letting me address that misinformation”.
Rosmarin said O’Neil’s interview with the ABC occurred before Optus’s briefing with the minister.
Guardian Australia understands that O’Neil’s view that it was not a sophisticated cyber-attack has not changed.
Sign up to Guardian Australia’s Morning Mail
Our Australian morning briefing email breaks down the key national and international stories of the day and why they matter
Privacy Notice: Newsletters may contain info about charities, online ads, and content funded by outside parties. For more information see our Privacy Policy. We use Google reCaptcha to protect our website and the Google Privacy Policy and Terms of Service apply.
Rosmarin said the breach was “not what it’s made out to be” because the data was encrypted and there were “multiple levels” of protection.
She said it was not the case of having an “exposed API [address] sitting out there”.
“We have had the Australian centre for cybersecurity scan our perimeter … we want to make sure the environment is secure,” Rosmarin said.
The ABC asked Rosmarin if the company could be sure the breach wasn’t the result of human error.
“We know this is the work of some bad actors and really, they are the villains in this story.”
However she said if anything from the investigations “indicates Optus has made an error, we will take full accountability for that”.
Pressed on the harsher penalties that exist for companies in Europe, Rosmarin said: “I’m not sure what penalties benefit anybody. Optus is doing everything possible to be transparent and on the front foot. Our customers understand we are not the villains.”
She emphasised that much of the “data accessed is data already out there”.
Rosmarin indicated she will not be stepping down. “All we’re focused on is protecting our customers. Someone has to be accountable for doing that.”