A single mistake by an IT programmer could have opened the door to a massive cyber attack on Optus that resulted in the personal data of up to 10 million customers being stolen.
The breach – the largest in Australia’s history – allegedly gave hackers access to some customers’ passport and driver’s license numbers, email and home addresses, dates of birth and phone numbers.
The telco has said its investigators don’t know who is responsible for the attack or the reason behind it — with the hack appearing to be coming from several European countries at once.
But an Optus insider told the ABC that while the case is still under investigation, ‘this infringement, like most, amounts to human error’.
“(Optus) wanted to make integrating systems easier to comply with two-factor authentication regulations from the industry’s watchdog, the Australian Communications and Media Authority (ACMA),” the insider said.
During the process, Optus’ customer identity database may have been opened up to other networks. This would have allowed hackers outside the company to gain access to the Optus database.
Optus responded to the ABC report as “inaccurate.”
Massive cyberattack on Optus that may have stolen personal data of up to 10 million customers could be due to IT programmer’s mistake
The company’s CEO, Kelly Bayer Rosmarin, confirmed that payment information and account passwords had not been compromised, but admitted she was “terrible” that the breach had occurred under her supervision.
Ms Bayer Rosmarin also revealed that the IP addresses associated with the hackers had moved in several European countries. That led to fears that a powerful nation — such as Russia or China — or a sophisticated organized group could be to blame.
Nigel Phair, director of the Institute for Cyber Security, said it was difficult to investigate to identify the perpetrator of a cyber attack.
“It may or may not be (from Russia or another country), but I do know that cybercriminals are very good at hiding their tracks,” he told Daily Mail Australia.
“It’s most likely a group of people, but it could be one person or more, they could be in a room together or around the world.”
The Australian Federal Police are investigating.
Mr Phair added that he believed Optus knew a lot more than they showed, and could provide more information to customers.
He added that those who subscribe to the telco should be “very concerned.”
“It will probably be the worst data breach Australia has ever had,” he said.
The director of the Institute for Cyber Security at UNSW, Nigel Phair, said identifying those behind cyber breaches was one of the hardest things to investigate.
“The amount of data criminals that can gain access is as bad as it gets.”
Although Optus has told customers that their passwords have not been stolen, Mr Phair pointed out that if hackers had other personal information, such as email addresses and dates of birth, they could change the passwords themselves.
The cybersecurity expert said he believed the attack likely came from a criminal group, which will try to monetize the information in any way possible – including selling it on the dark web.
“Cyber attacks are common, but their success is not that common,” he said.
“The problem is that affected people can’t do much. There is nothing you can do to make yourself safer.
“All you can do is be extremely vigilant about anything unusual like text messages or phone calls coming in — really looking for the unexpected.”
Optus says it doesn’t know whether a state-based actor — such as Russia (Vladimir Putin is pictured above) or China — or a criminal group of hackers was responsible for the attack
WHAT OPTUS SAID ABOUT THE DATA Breach?
How did this happen?
Optus fell victim to a cyber attack. We took immediate action to block the attack that targeted Optus customer data only. Optus’ systems and services, including mobile and home internet, are unaffected and messages and voice calls are unaffected. Optus services will continue to be safe to use and operate as usual.
Has the attack stopped?
Yes. Upon discovering this, Optus immediately stopped the attack.
We are now working with the Australian Cyber Security Center to mitigate any potential risk to customers. We have also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.
Why did we go to the media first instead of our customers?
The security of our customers and their data is our top priority. We did this because it was the fastest and most effective way to alert as many current and former customers as possible so they could be vigilant and monitor suspicious activity. We are now in the process of contacting customers directly affected.
What information about me may have been made public?
The information that may have been released includes customer names, dates of birth, telephone numbers, email addresses and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers. Affected customers will be notified directly of the specific information that has been compromised.
Optus services, including mobile and home internet, are not affected. Messages, voice calls, billing and payment information, and account passwords have not been compromised.
What should I do to protect myself if I suspect I have been the victim of fraudulent activity?
We’re not currently aware of any customers who have suffered damage, but we encourage you to raise awareness of your account, including:
Watch out for suspicious or unexpected activity on your online accounts, including your bank accounts. Immediately report any fraudulent activity to the related provider.
Watch out for contact from scammers who may have your personal information. This could be suspicious emails, texts, phone calls or social media posts.
Never click on links that look suspicious and never give out your passwords or personal or financial information.
How do I contact Optus if I think my account has been hacked?
If you believe your account has been compromised, you can contact us via the My Optus app – which remains the safest way to contact Optus, or call us on 133 937 for consumer customers. Due to the impact of the cyber attack, waiting times may be longer than usual.
If you are a business customer, please contact us at 133 343 or your account manager.
How do I know if I have been affected?
We are in the process of contacting customers directly affected.
Meanwhile, Ms Bayer Rosmarin said it was too early to say whether the infringement on Optus was a criminal or a state-based attack.
“Of course I’m upset that there are people who want to do this to our customers, I’m disappointed we couldn’t have prevented it,” she said.
‘I am very sorry and apologise. It shouldn’t have happened.’
The data that may have been stolen dates back to 2017.
Ms Bayer Rosmarin said the reported figure that 9.8 million people had their data breached was the worst case scenario, and Optus expected the number to be much less.
“It’s a small subset of data, it doesn’t contain financial details, it doesn’t contain passwords,” she said.
The AFP said on Friday that they would work with Optus to “obtain the critical information and evidence needed to conduct this complex criminal investigation.
“The AFP’s specialist Cyber Command will work closely with a number of agencies, including the Australian Signals Directorate.”