Fears Optus hackers are holding personal details to ransom for $1.5MILLION
>
Optus is investigating claims that millions of customer data are being ransacked for as much as $1 million – AUD$1.53 million – in cryptocurrency for hackers.
Online forums revealed unverified claims that the stolen data would be sold for $300,000 if the telco failed to comply within a week.
It comes after Optus announced it would finally contact account holders whose personal information may have been compromised in this week’s big data hack.
The company came under fire this week after it revealed it had a massive data breach, in which personal data of 9.8 million customers was stolen as far back as 2017 (pictured, an Optus store in Sydney)
Customers as early as 2017 could be affected by the hack, as Optus keeps customer credentials for six years.
Optus came under fire this week after it revealed it had a massive data breach that exposed personal information of 9.8 million customers to hackers.
The telco claimed no passwords or financial information had been compromised, but other personal information could have been stolen.
Data exposed to the cyber attack included names, addresses, dates of birth, phone numbers, driver’s licenses and passport details.
In an alarming twist, Australian Federal Police are investigating reports that stolen customer data and identification numbers could be for sale through a number of forums, including the dark web.
“The AFP uses specialist capabilities to monitor the dark web and other technologies and will not hesitate to take action against those who break the law,” a spokesperson said.
Anyone who buys stolen credentials faces up to 10 years in prison.
Optus said it would not be able to comment on some aspects of the matter as the AFP is investigating.
But the company said it will contact those who compromised their data, in a statement on Saturday.
Optus customers whose passport or driver’s license numbers were stolen during the massive data breach will be contacted first (pictured, stock photo)
“Optus will contact customers to inform them of the potential impact of the cyber attack on their personal data,” it said.
‘We will start with the customers whose ID document number may have been compromised – all of whom will be notified [Saturday].’
Optus customers whose passport or driver’s license number was stolen during the massive data breach will be contacted first.
“We will notify non-impact customers last,” the statement read.
The security hack raised questions about how long telcos should keep data and the compensation customers should receive when these breaches occur.
It was revealed that Optus was objecting to possible legislative changes in 2020 that would have given customers the right to destroy their own data.
The company said there were “significant hurdles and costs” to getting a system up and running.
Morrison’s government launched a review of the country’s privacy law, with the Attorney General’s Department investigating whether Australians should be given the choice to erase their personal data.
Another change that was brought to the table was that users were given the right to take direct legal action if their information was breached.
“As the cyber attack is now under investigation by the Australian Federal Police, Optus is unable to comment on certain aspects of the incident,” the company said in a statement.
Optus rejected both changes.
Meanwhile, Optus warned that Thursday’s cyber attack could spark a flurry of scams by criminals, including phishing calls, emails and text messages.
It said its text messages or emails to customers don’t contain internet links, so if someone got a link, it could be a scam.
“Please don’t click links,” Optus said in a statement on Saturday.
“As the cyber attack is now under investigation by the Australian Federal Police, Optus is unable to comment on certain aspects of the incident,” it said.
“Given the investigation, Optus will not comment on the lawfulness of customer data it claims is held by third parties and urges all customers to exercise caution in their online transactions and transactions.”
Optus CEO Kelly Bayer Rosmarin (pictured) admitted she was ‘terrible’ that the breach had happened under her supervision
Meanwhile, Optus CEO Kelly Bayer Rosmarin offered an emotional apology over the overseas hack, saying she was disappointed the telco hadn’t prevented it.
The company’s boss admitted she was “terrible” that the breach had taken place under her supervision.
“I think it’s a mix of a lot of different emotions,” she said downcast.
‘Of course I’m angry that there are people who want to do this to our customers.
“I’m disappointed we couldn’t have prevented it.”
Ms Bayer Rosmarin also revealed that the IP addresses associated with the hackers had moved in several European countries and that it was an “advanced” breach.
She added that it was too early to say whether it was a criminal organization or whether another state was responsible for the attack.
The data that may have been stolen dates back to 2017.
Ms Bayer Rosmarin said the reported figure of 9.8 million people with a data breach was the worst case scenario and Optus expected the number to be much less.
Optus vice president Andrew Sheridan said human error was not the cause of the breach.
Optus, which contacted millions of customers on Friday, has apologized for the breach.
The telco said spreading information through news channels was the “fastest and most effective way” to warn customers and communicate the seriousness of the situation.
Optus was contacted for comment by Daily Mail Australia.