Millions of Optus customers potentially exposed in massive data breach
Optus, the second largest mobile network operator in Australia, announced that a cyber attack targeted its customer data systems, potentially exposing the personal information of nearly 10 million customers.
Key Takeaways
- Exposed data include customer names, date of birth, email addresses, and phone numbers. Home addresses, driver’s license numbers, passport numbers, and Medicare details might have also been exposed for a subset of customers.
- A user account (“optusdata”) on a hacked data forum publicly (but not directly) demanded a US$1 million ransom in cryptocurrency from Optus, threatening to release the sensitive data of several million customers.
- Following through with the threat, “optusdata” released the sensitive information of around 10,200 people, some of which were verified to be legitimate. A few hours after, however, the attacker(s) cancelled their demand and posted a public apology to Optus and its affected customers.
- The incident remains unresolved, with Optus and government agencies giving official statements (sometimes at odds with each other) and launching remedial actions to stem the impact of the breach. Meanwhile, shocked and upset Optus customers are queuing up in some locations to get replacements for their driver’s licenses, passports, and Medicare cards.
Who is Optus?
On September 22, Optus announced that it has experienced a cyber attack that potentially exposed the personal data of 9.8 million current and former subscribers. Central to the announcement are its official apology and a request for vigilance delivered by CEO Kelly Bayer Rosmarin to all of the company’s customers.
The Sydney-based wireless carrier, which serves between 30% – 40% of Australia’s total population, also outlined its immediate response that included a) shutting down the attack; b) launching an internal investigation; c) notifying regulators, the media, and affected customers; and, d) working with relevant government agencies to minimise impact and mitigate customer risks.
Among the three wireless carriers in Australia, Optus is a subsidiary of Singtel, a telecommunications conglomerate majority-owned by the Singapore government through its investment arm, Temasek Holdings. Operating the largest mobile network in Singapore and the second largest in India, Singtel also owns Brisbane-based IT consulting unit Dialog, which experienced an unrelated data breach weeks before the attack on Optus was announced. Meanwhile, Optus fully owns wireless communication brands gomo and Virgin Mobile Australia (phased out since 2018) whose respective customers were also impacted by the data breach.
Who attacked Optus?
With the data breach incident still under active investigation by government agencies, the identity of the attacker(s) remains uncertain. Only one individual/entity using the username “optusdata” has emerged on an online data breach forum. On September 23, optusdata claimed to be in possession of the hacked data of 11 million Optus customers and threatened to sell their sensitive personal information on the black market unless the telecom giant pays US$1 million in Monero, a cryptocurrency.
Getting no response from Optus, the threat actor(s) behind the username “optusdata” proceeded to release 10,200 customer records on September 26 but deleted the post a few hours later. Moreover, the alleged attacker(s) revoked their ransom demand and issued a public apology to Optus and the 10,200 customers whose data have been leaked, claiming that they have deleted their only copy of all the stolen data. Nonetheless, optusdata acknowledged that the previously exposed customer records may well be exploited by other cyber criminals.
“Too many eyes. We will not sale data to anyone. We cant if we even want to: personally deleted data from drive (Only copy),” the post went. “Sorry too 10,200 Australian whos data was leaked,” it continued.
IT security professionals seriously doubt the attacker(s)’ remorse, with some experts finding out that links included in optusdata’s messages use “drive-by and explicit download techniques” to install malware. Some analysts believe that the threat actors decided to rescind their ransom/extortion attempt to evade the aggressive inter-agency response of Australian law enforcement and cybersecurity agencies.
Notably, the individual or entities behind the user name “optusdata” have yet to be confirmed officially as the attacker by Australian authorities.
When did the attack happen?
Investigators have yet to determine the exact moment the attack started. However, it is certain that the cyber attack started before Optus’ September-22 announcement.
Here’s a simplified timeline encompassing key events surrounding the data breach:
Optus Data Breach Timeline
September 22
- Optus announces discovery of data breach, claims attack was “sophisticated”
- Optus shuts down attack and starts investigation
- Optus notifies authorities, customers (via media), and key financial institutions
September 23
- Alleged attacker posts US$1 M extortion/ransom demand on dark web hacking community forum
- Australian Federal Police (AFP) receives notification from Optus about breach
September 24
- Optus directly contacts affected customers starting with those whose ID data have been compromised
September 25
- Fallout from data breach spreads as customer outrage intensifies, with many sharing their frustrations on different online channels
September 26
- Alleged attacker releases personal records of 10,200 Optus customers on dark web forum
- Home Affairs Minister/Minister for Cyber Security Clare O’Neil accuses Optus for leaving window open for attack, claims attack was basic, not “sophisticated”
- Slater & Gordon, a well-known law firm, announces class action investigation
- AFP launches Operation Hurricane, seeks cooperation from international law enforcement agencies
- Government announces plans to strengthen cybersecurity legislation and overhaul privacy laws
September 27
- Alleged attacker revokes initial extortion demand, posts apology to Optus and 10,200 exposed customers
- NSW, Victoria, Queensland, South Australia state governments announce respective residents affected by breach can have driver’s license replacements free
September 28
- Australian state and federal governments demand that Optus pay customers’ replacement documents
- Optus announces exposure of ~37,000 Medicare card details
- Government authorities announces FBI’s ongoing assistance with breach probe
- Major law firm Maurice Blackburn announces investigation of legal claim against Optus
September 29
- S&P warns Optus credit rating and market share at risk after hack
- Bloomberg reports data hack could cost Optus a quarter of annual profit
- Optus announces data exposure of gomo subscribers and former Virgin Mobile Australia customers
September 30
- AFP launches Operation Guardian with other agencies and institutions to protect 10,000+ Optus customers whose data have been leaked
October 1, 2
- Government accuses Optus of being less transparent and cooperative as it should
October 3
- Optus hires Deloitte to conduct external, independent audit/forensic investigation
October 11
- Australian Competition and Consumer Commission (ACCC) chair reports sharp rise in scam complaints since breach
- Office of Australian Information Commissioner (OAIC) and Australian Communications and Media Authority (ACMA) launch separate but coordinated investigations
October 16
- Council of Small Business Organisations Australia (COSBOA) launches learning and certification program to help small businesses prepare for major overhaul of data protection and privacy laws
October 17
- Exposed passports blocked for use in national Document Validation System (DVS), no longer usable as online ID
- Australian Communications and Media Authority (ACMA) issues alert on Optus impersonation scams
October 18
- PM Lee Hsien Loong offers help of Singapore’s cybersecurity agencies to assist Australia in addressing data breaches at Optus and Dialog
October 24
- Federal government moves to increase penalty for data privacy breaches from $2.2 million to at least $50 million
- Federal opposition calls for tougher penalties to curb cyber crime, wants 10-year jail term for cyber extortion
October 25
- OAIC gets $5.5 million budget to investigate breach
October 26
- Government introduces new bill amending current privacy legislation to increase penalties under the Privacy Act and provide OAIC and ACMA with greater enforcement and information-sharing powers, respectively
November 8
- Optus agrees to reimburse costs of new driving licenses for NSW residents hit by hack
November 9
- House of Representatives passes ammendments to privacy penalty bill
- AFP expands Operation Guardian to also protect affected Medibank customers
November 11
- Optus provisions $140 million for data breach-related expenses including customer remediation costs
- Parent company Singtel writes down Optus’ goodwill value by more than $1 billion, citing market woes instead of hack
November 13
- Government considers ban on ransom payments for data breaches
- Feds’ Scamwatch programme publishes guide on how to avoid scams after Optus breach
- AFP and Australian Signals Directorate join forces, form 100 officer-strong, standing cybercrime operation targeting hackers
November 28
- Ammendments to privacy penalty bill mandating higher fines pass both Houses of Parliament.
November 29
- OAIC welcomes passing of Privacy Bill, notes closer alignment with Europe’s General Data Protection Regulation (GDPR) and stronger mandate over offshore-domiciled entities doing business in Australia.
December 8
- Home Affairs Minister reveals plans for new cyber security strategy, aims to make Australia “world’s most cyber-secure country by 2030.”
December 12
- Privacy Legislation Amendment (Enforcement and Other Measures) receives Governor-General’s assent, now in force as law (Act No. 83 of 2022).
2023
January 18
- Optus brand loses $1.2 billion in value, drops from 11 to 17 in Brand Finance’s 2023 ranking of Australia’s most valuable brands.
January 25
- ACMA publishes alert on email-based Optus impersonation scams.
How was the attack orchestrated?
Optus, through its CEO Kelly Bayer Rosmarin initially described the breach as a “sophisticated attack.” Here’s a couple of statements given during a press conference and a radio station interview.
“The IP address kept moving. It’s a sophisticated attack. Safe to say it comes out of various countries in Europe. And in terms of the customer data, I think it dates back to 2017.”
“[The data breach] was a sophisticated attack that penetrated multiple security layers.”
In contrast, the alleged attacker under the username “optusdata” revealed to journalist Jeremy Kirk that the breach just exploited an unsecured API endpoint, which means any online user can access the data without having to log in. “No authenticate needed. That is bad access control. All open to internet for any one to use,” the alleged attacker said in response to Kirk’s query.
Australia’s Cyber Security Minister Clare O’Neil seemed to agree, refuting the Optus CEO’s assertion that the attack was “sophisticated,” and placing the blame squarely on the network operator:
“Responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country … We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”
Many analysts and security experts appear to believe that the unsecured API (application program interface) was the attack vector most likely exploited in the breach. Available online, the said API reportedly facilitates access to (unencrypted) customer data even without an authorisation or authentication protocol. If that were the case, anyone who knows about the API can collect Optus’ customer data. Malicious hackers can then just automate the process via a script to harvest massive chunks of personal data.
To date, Optus has yet to clarify how their customer data have been accessed. Notably, a more recent statement from Optus appeared to temper their original statement and admit that there was a weakness in their system:
“Optus, like many large organisations, is subject to many cyber attack attempts and we have in place strong defences that have protected and continue to protect our customers and Optus’ systems. In this instance, we had a specific weakness that was exploited.”
As the days passed following Optus’ announcement of the cyber attack, the government allegation that the data breach stemmed from the telco’s irresponsible security lapses have become more pronounced. By early October, the government accused Optus of being less transparent and cooperative than it should have been.
Which data were compromised?
According to Optus, 9.8 million customer records were exposed, including the following personal information:
- Customer’s name
- Date of birth
- Phone number
- Email address
For a subset of the exposed records, the following customer information (mostly identification numbers) were also accessed:
- Postal address
- Driver’s License number
- Passport number
- Medicare card number (around 36,900 Medicare card numbers have been exposed, according to Optus)
The following information have NOT been compromised:
- Payment details
- Account passwords
- Messages
- Voice Calls
Who is affected?
Subscribers of the following services from 2017 onwards are affected:
- Prepaid and Postpaid Optus Mobile
- Personal Optus Broadband
- Optus Business (SMB)
- Gomo
Amaysim, Coles Mobile, Catch Mobile, Enterprise, and Wholesale customers are not affected.
Optus’ home and mobile internet services have also not been affected.
What should you do if you were affected by the breach?
IT Security experts advise customers to stay vigilant even amid outrage and extreme stress following the data breach.
If you are affected, look out for and report any suspicious emails, texts, phone calls, social media messages, and other activities across your online accounts. NEVER click on suspicious links or provide access credentials to parties that contact you for some reason or another. Remember that government agencies, financial institutions, and other legitimate organisations adhere to data policies that prevent them from asking for your personal information over SMS, phone, or email.
For customers whose data have been compromised, Optus provides a one-year free subscription to Equifax Protect, an identity protection and credit monitoring service that helps reduce the odds of financial and identity theft.
If you receive a direct message from Optus that your current ID information has been compromised, it is best to replace your driver’s license and/or Medicare numbers. In most states and territories, replacement fees have been either waived by the state government or will be reimbursed by Optus.
Resources for affected Optus customers
If you have been affected by the Optus data breach, here are several primary resources that can help you mitigate the impact and re-secure your accounts, identity information, and other personal data.
- Government Fact Sheet. Cyber and Infrastructure Security Centre, Department of Home Affairs. (Official government inter-agency fact sheet on the Optus Breach, aimed at helping affected customers.)
- Optus notifies customers of cyber attack compromising customer information. Optus. (Official announcement about the data breach.)
- Latest updates & support on the cyber attack. Optus. (Details remedial actions taken by Optus, provides customer support resources, and answers frequently asked questions.)
- What to do if you’ve been affected by the recent Optus data breach. Services Australia. (Includes advice on how to replace your Medicare card.)
- Optus Data breach. Australian Passport Office. (Advice on how to manage exposure of your passport details.)
- Optus data breach: an update for APRA regulated entities. Australian Prudential Regulation Authority (Provides advice for APRA-regulated entities such as banks, credit unions, building societies, general insurance and reinsurance companies, life insurers, and private health insurers.)
- What additional cyber security steps can I do? Australian Cyber Security Centre (Provides advice on how to secure your identity and cites several resource links including the government’s ‘Have You Been Hacked?’ application and Identity theft webpage.
- Advice on Optus data breach. Office of the Australian Information Commissioner.
- Optus data breach: How you can get a free replacement driver’s licence. SBS News. (Provides detailed, state-specific advice on replacement driver’s licenses.)
- Impacted by the Optus data breach? Here’s how to replace your passport, drivers licence and Medicare card. Australian Broadcasting Corp. (Provides comprehensive advice on how to replace driver’s license, passport, and Medicare numbers.)
- Moneysmart: Identity Theft. Moneysmart. (A service of the Australian Securities and Investments Commission; provides advice to victims of Optus data breach on how to detect and prevent identity theft/fraud.)
- How to Avoid Scams After the Optus Data Breach. ACCC/Scamwatch. (provides basic practical tips on how to avoid scams.)
Notes:
Victims of the Optus data breach who are residents of Queensland, Victoria, New South Wales, Western Australia, and South Australia can acquire driver’s license replacements for free. The Queensland, Western Australia, and South Australia government will waive the fees while Optus will reportedly shoulder the costs for replacements in NSW and Victoria in the form of reimbursements. Other states and territories have yet to announce their response to the breach.
The federal government is also considering the reissuance of new passports to those affected, to be financed by Optus.
For customers whose Medicare information has been exposed, you can find actionable advice on Optus’ support page.
Next Steps for Everyone
The Optus Data Breach is turning out to be among the worst cyber attacks in Australia to-date. As the fallout spreads, all stakeholders in the country’s IT ecosystem – consumers, businesses, and the government – have reached a painful reckoning: you adapt to the threat landscape or you suffer.
Though no fault of their own, consumers are the true victims in the data breach. They are the ones with further exposure to all sorts of risks such as identity theft, financial fraud, and other scams. To protect themselves moving forward, only proactive vigilance and a heightened awareness of cyber criminal activities and tactics will suffice.
For government authorities, smarter legislation for protecting data and penalising breaches will compel organisations to adopt progressively better IT security systems and protocols.
Much of the responsibility rests on businesses who are the gatekeepers of so much consumer data. The only viable option is for the business sector to keep their cybersecurity posture well ahead of the similarly evolving state of cyber crime. Zero tolerance for weaknesses and vulnerabilities (such as that allegedly exploited in the Optus data breach) must be the default mode for businesses of every type.
