Optus customers slam telco for failing to protect data in major breach as hackers demand ransom
The mysterious hacker who claims to have stolen the personal data of millions of Optus customers has demanded $1.5 million in ransom, as angry Australians round on the telco giant for failing to protect their data.
The hacker has warned that personal addresses, dates of birth, phone numbers, driver’s licenses and passport details of millions will be leaked if Optus does not pay $US1 million (AU$1.53 million) in cryptocurrency Monero.
They claim to have access to the data of 11.2 million Optus customers in a major breach that technical experts say is legitimate at this stage.
The ransom demand appeared on an online forum Saturday morning, with the hackers warning the telco it had a week to respond.
“Optus if you read! price for us not to sell data is 1,000,000$US We give you 1 week to decide,” read part of the message.
The warning comes as Optus customers take to social media to vent their frustration, with chief executive and educator Dannielle Miller among the many saying the company’s response was “inadequate.”
Ms Miller told Daily Mail Australia that she has been an Optus customer for 30 years and expected more from the telco after decades of loyalty.
She said Optus boss Kelly Bayer Rosmarin’s apology “missed the mark.”
“The CEO called Optus a victim of cyber hacking. It’s not those whose personal information has been hacked – the customers are the victims,” she said.
“It’s hard to hear them cry the victim when it’s obvious they’ve been very lax.”
Ms Miller said she plans to close the Optus accounts of herself, her daughter and her employees, and will advise them to switch providers.
She said customers who may be forced to change details such as their license number should be compensated by Optus for out-of-pocket expenses.
“Personally, I’m not looking for compensation, what’s important to me is peace of mind and security for my data,” she said, adding that customers should be prioritized.
On Friday morning, Ms Bayer Rosmarin offered an emotional apology to the millions of Optus customers whose data had been compromised.
She confirmed that payment details and account passwords had not been compromised, but admitted she felt “terrible” that the breach had taken place under her watch.
“I think it’s a mix of a lot of different emotions,” she said, downcast.
“Of course I’m angry that there are people who want to do this to our customers, I’m disappointed that we couldn’t have prevented it.
“I am very sorry and apologise. It shouldn’t have happened.”
The telco has been criticized for its handling of the breach, with customers frustrated that it took three days for Optus to contact them personally.
The company said “proactive personal notifications” would be sent to those it believes are at “increased risk”, and said earlier this week that getting information to customers through the media was the most “effective” way.
The company came under fire this week after it revealed a massive data breach in which the personal data of up to 9.8 million customers, some of it dating back to 2017, was stolen.
Customers who joined as far back as 2017 could be affected, as Optus retains customer records for six years.
Data exposed to the cyber attack included names, addresses, dates of birth, phone numbers, driver’s licenses and passport details.
In an alarming twist, Australian Federal Police are investigating reports that stolen customer data and identification numbers could be for sale through forums, including the dark web.
“The AFP uses specialist capabilities to monitor the dark web and other technologies, and will not hesitate to take action against those who break the law,” it said.
Anyone who buys stolen credentials faces up to 10 years in prison.
Optus said it would not be able to comment on some aspects of the case as the AFP was investigating the matter.
But in a statement released Saturday, the company said it would contact those whose data had been compromised.
“Optus will contact customers to inform them of the potential impact of the cyber attack on their personal data,” it said.
“We will start with the customers whose ID document number may have been compromised – all of whom will be notified [Saturday].”
Optus customers whose passport or driver’s license number was stolen during the massive data breach will be contacted first.
“We will notify non-impact customers last,” the statement read.
The breach has raised questions about how long telcos should retain customer data and what compensation customers should receive when breaches occur.
It has been revealed that Optus objected in 2020 to proposed legislative changes that would have given customers the right to have their own data destroyed.
The company said there were “significant hurdles and costs” to getting such a system up and running.
The Morrison government launched a review of the country’s privacy law, with the Attorney-General’s Department examining whether Australians should be given the right to erase their personal data.
Another proposed change would have given users the right to take direct legal action if their information was breached.
Optus rejected both changes.
Optus warned Thursday that the cyber attack could spark a wave of scams by criminals, including phishing calls, emails and text messages.
It said its text messages and emails to customers do not contain links, so any message claiming to be from Optus that does contain a link could be a scam.
“Please don’t click links,” Optus said in a statement on Saturday.
“As the cyber attack is now under investigation by the Australian Federal Police, Optus is unable to comment on certain aspects of the incident,” it said.
“Given the investigation, Optus will not comment on the legitimacy of customer data it is claimed is held by third parties and urges all customers to exercise caution in their online transactions and interactions.”
The Optus CEO has revealed that the IP addresses associated with the attackers moved through several European countries, and described it as an “advanced” breach.
Ms Bayer Rosmarin added that it was too early to say whether a criminal organization or a state actor was responsible for the attack.
The data that may have been stolen dates back to 2017.
She said the reported figure of 9.8 million people having their data breached was the worst-case scenario and that Optus expected the actual number to be much lower.
Optus vice president Andrew Sheridan has said human error was not the cause of the breach.
Optus has been approached for comment by Daily Mail Australia.