Optus has confirmed its recent data breach is subject to a “criminal investigation”, with up to 9.8 million customers potentially affected.
At a media conference, Optus CEO Kelly Bayer Rosmarin was unable to divulge details on its customer data storage, its security vendors and partners, or a concrete figure for the number of customers affected, saying “the exact mechanics are subject to a criminal investigation”.
Although Bayer Rosmarin was unable to rule out the possibility of a ransomware attack, she stated that there had been no ransom demands so far.
“It's a very small subset of data. It does not include any financial details. It does not include passwords,” she told reporters. “When we work through it, we will be identifying specifically which customers and which fields of data and proactively contacting each individual customer with very clear explanations of which of their data has been exposed and potentially taken.”
Bayer Rosmarin added that the attacker's IP address moved between a number of countries in Europe, although she noted that the attack did not necessarily originate from Europe.
She also said she believes the number of breached customers to be smaller than 9.8 million, but the telco was unable to determine the actual figure at this time.
When asked by ARN about Optus' cyber security partners, Bayer Rosmarin said Optus would take “full accountability” for the breach.
“I'm not going to go rattling off a number of our vendors,” she said. “It is our responsibility and we will be working with all those vendors to set things right.”
The stolen information included identification items such as driver's licence numbers and passport numbers, which Bayer Rosmarin said were the fields that were compromised.
“They have not got images of any of those documents, nor any bank details or passwords,” she said. “The reason that we hold on to customer data for a period of time is that it is the law. We have to be able to go back in our records for six years and so we do hold information for the required length of time.”
When news of the attack broke on 22 September, Bayer Rosmarin said the telco took action to block the attack and began an immediate investigation alongside the Australian Cyber Security Centre.
Other information exposed may include customers’ names, dates of birth, phone numbers and email addresses, while an unspecified number of customers also had their addresses and ID document numbers, such as driver’s licence and passport numbers, exposed.
However, payment details and account passwords were unaffected, as were Optus' mobile, home internet, messaging, voice call, wholesale, satellite and enterprise services.
In addition, customer data from Amaysim, which Optus acquired in November 2020 for $250 million, was also unaffected.
The Australian Competition and Consumer Commission (ACCC) put out a warning about the breach, urging customers to protect their accounts and watch for scams in its wake.
“It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm,” the notice read. “Optus customers should take immediate steps to secure all of their accounts, particularly their bank and financial accounts. You should also monitor for unusual activity on your accounts and watch out for contact by scammers.”
This isn’t the first time Optus has come under fire over a data breach: in April 2020 it faced a class action over an alleged breach that saw roughly 50,000 customers’ details leaked to White Pages.
In that case, however, the data was allegedly leaked by Optus itself.
While not related to a data breach, the telco’s identity verification practices were also placed under the spotlight in May 2021, when it was warned by the Australian Communications and Media Authority (ACMA), along with Telstra and Medion Mobile, for not adequately verifying people’s identities prior to transferring mobile phone numbers from other telcos.