- The exposed data includes names, date of birth, phone number. and email
- ID information such as driver’s license or passport numbers may also be involved
- Experts warn to watch out for scams during the month
- Optus shut it down as soon as it was discovered
The personal data of up to nine million Australians may have been accessed by hackers in a massive cybersecurity breach at the country’s second largest telco, Optus.
The cyber attack includes the data of current and former customers.
Optus said the information released includes names, dates of birth, phone numbers and email addresses, and in some cases addresses and identity documents such as driver’s license or passport numbers. The company said it was shut down immediately after the attack was discovered.
Payment details and account passwords have not been compromised. Other Optus services, including mobile and home internet, will not be affected and messages and voice calls will not be affected.
Optus said it is working with the Australian Cyber Security Center to mitigate any risks to customers and has notified the Australian Federal Police, the Australian Information Commissioner’s office and key regulators of the cyber attack.
Optus CEO Kelly Bayer Rosmarin said that as soon as they learned about it, the telco took action to block the attack and immediately launch an investigation.
“We are devastated to discover that we have been the victim of a cyber attack that resulted in the disclosure of our customers’ personal information to someone who should not see it,” she said.
“While not everyone may be affected and our investigation is not yet complete, we want all our customers to be aware of what happened as soon as possible so that they can increase their vigilance.
“We are very sorry and we understand that customers will be concerned. Rest assured that we are working hard and collaborating with all relevant authorities and organizations to help protect our customers as much as possible.”
Rosmarin said they are not aware of any harm to customers, but they should have “heightened awareness” for fraudulent reports.
StickmanCyber CEO and founder Ajay Unni said the data of telcos like Optus can be easily misused.
“The exposed data can now be maliciously used to create false identities or as a starting point to further target users individually through spear-phishing campaigns. These campaigns will now be even more effective as cybercriminals have access to more information than just an email address,” he said.
“While technical protection is a step forward in terms of cybersecurity maturity, I cannot emphasize the importance of training and educating business users enough, as people are always the weakest link when it comes to cybersecurity.”
Unni said third-party risk is another area that requires a lot of attention, as larger organizations are regularly infiltrated through partnerships with third-party vendors.
“The findings of the Australian Cyber Security Center investigation into the Optus data breach will reveal the nature of the attack – whether it was the work of cybercriminals or a state-sponsored attack,” he said.
“Optus users should remain vigilant for email providing support for this breach, even if the email appears to be from an authoritative or legitimate source. Optus customers should do their due diligence when it comes to cyber hygiene and avoid clicking links in emails unless their legitimacy has been validated.”
Optus said contacting them through the My Optus app is the safest option, or call 133 937 for private customers and 133 343 for businesses.