Optus cyberattack exposes 2.8 million to identity theft

Optus, Australia’s second-largest wireless telecommunications carrier, disclosed late last week that it had suffered an unprecedented breach. The fallout is still materializing, but so far it has been confirmed that 2.8 million Optus customers (former and current) have had personally identifiable information, including driver’s license and passport numbers, leaked.

Optus has over 9.8 million customers out of Australia’s population of over 26 million citizens. It is unknown at this time if the impact of the breach will exceed the 2.8 million reported thus far.

The Australian Cybersecurity Minister Clare O’Neil described the hack as “unprecedented” in Australian history, adding that “in some countries, such a breach would result in fines amounting to hundreds of millions of dollars.”

O’Neil is calling for action in response to the breach, stating that “a very substantial reform task is going to emerge from a breach of this scale and size.”

Jeremy Kirk, a Sydney-based cybersecurity writer, concludes that an application programming interface (API) was left open to the public. Because the API was not secured, its data was accessible to anyone who could reach it; in Kirk’s words, Optus “effectively left the window open for data of this nature to be stolen.”

It is “a basic hack”, Kirk concludes.
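The failure mode Kirk describes, as an added illustration that is not Optus’s code and not a description of its actual systems: a minimal customer-lookup handler with no caller check at all, next to a hardened version that requires a bearer token and only ever returns the authenticated customer’s own record, plus a small access-log check that flags a single client walking many customer IDs. Every name, token, record, and log line below is constructed for the example.

```python
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample records standing in for a customer directory (not real data).
CUSTOMERS: Dict[str, dict] = {
    "1001": {"name": "Customer A", "id_document": "LIC-000001"},
    "1002": {"name": "Customer B", "id_document": "PASS-000002"},
}

# Constructed session store: bearer token -> the customer that token belongs to.
SESSIONS: Dict[str, str] = {"tok-customer-a-secret": "1001"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def lookup_open(customer_id: str) -> Response:
    """The failure mode the article describes: no caller check at all.

    Anyone who can reach the endpoint can read any record, and the 404/200
    split tells them which customer IDs exist.
    """
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(record))


def _caller_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Resolve the Authorization header to a customer ID, or None if invalid."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    presented = value[len("Bearer "):].encode()
    for token, owner in SESSIONS.items():
        # Constant-time comparison so token guessing gains nothing from timing.
        if hmac.compare_digest(presented, token.encode()):
            return owner
    return None


def lookup_hardened(headers: Dict[str, str], customer_id: str) -> Response:
    """Authenticate the caller, then only ever return the caller's own record."""
    caller = _caller_from_headers(headers)
    if caller is None:
        return Response(401, {"error": "authentication required"})
    if caller != customer_id:
        # Same answer whether or not the requested ID exists, so even an
        # authenticated user cannot enumerate other customers.
        return Response(403, {"error": "forbidden"})
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(record))


# Constructed access-log lines in a made-up format: time, client IP, method, path, status.
SAMPLE_LOG: List[str] = [
    "2022-09-20T10:00:01Z 203.0.113.5 GET /api/customer/1001 200",
    "2022-09-20T10:00:02Z 203.0.113.5 GET /api/customer/1002 200",
    "2022-09-20T10:00:02Z 203.0.113.5 GET /api/customer/1003 404",
    "2022-09-20T10:00:03Z 203.0.113.5 GET /api/customer/1004 200",
    "2022-09-20T10:05:00Z 198.51.100.9 GET /api/customer/1001 200",
]

_LOG_RE = re.compile(r"^\S+ (\S+) GET /api/customer/(\d+) \d{3}$")


def detect_enumeration(log_lines: List[str], max_distinct_ids: int = 3) -> Set[str]:
    """Return client IPs that requested more distinct customer IDs than allowed.

    One client walking many IDs is exactly the access pattern an open lookup
    endpoint invites, and it is visible in ordinary access logs.
    """
    ids_by_client: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m:
            client, customer_id = m.groups()
            ids_by_client[client].add(customer_id)
    return {client for client, ids in ids_by_client.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    print(lookup_open("1002"))                                                      # status 200 for anyone
    print(lookup_hardened({}, "1002"))                                              # status 401
    print(lookup_hardened({"Authorization": "Bearer tok-customer-a-secret"}, "1002"))  # status 403
    print(detect_enumeration(SAMPLE_LOG))                                           # {'203.0.113.5'}
```

The two handlers differ in only a few lines, which is the point: the open version is not missing an exotic control, it is missing the basic check that the caller is allowed to see the record at all. The log check is the defender-side counterpart; a threshold on distinct IDs per client is a crude but effective first signal for this pattern.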

Calls for Optus to pay

The Australian government is not mincing words in response, with Prime Minister Anthony Albanese rejecting any notion that Australian taxpayers should help pay for reimbursing impacted Optus customers.

“We believe that Optus should pay, not taxpayers,” Albanese told Parliament.

Foreign Minister Penny Wong wrote to Optus CEO Kelly Bayer Rosmarin requesting confirmation that Optus would reimburse all costs, not Australian taxpayers.

“There is no justification for these Australians – or for taxpayers…on their behalf – to bear the cost of obtaining a new passport,” Wong wrote.

10,200 customers already at risk

Optus discovered the breach on September 21, and disclosed the breach publicly on September 22.

As is standard in these types of hacks, Optus is providing affected customers with a free 12-month membership to Equifax to monitor for identity theft and credit inquiries.

The Australian Federal Police (AFP) said on Monday, September 26, that it is gathering “crucial evidence” on the hack.

The hacker behind the breach – known simply as “optusdata” – briefly released approximately 10,200 records, increasing the fallout of the hack by exposing the PII of affected Optus customers.

The hacker is asking for $1 million as part of an extortion demand, but says that, aside from the 10,200 records already leaked, the remainder “will not be sold or leaked.”