Optus alerted its customers to the security breach on Thursday, one day after the hack was first identified, and confirmed that the attack was swiftly shut down. However, cyber security experts have urged the telco’s 11 million customers to be “extra vigilant” of incoming calls, texts and emails over the coming weeks.
The telco shut down the cyber attack and is working with the Australian Federal Police, Australian Signals Directorate, and Office of the Australian Information Commissioner (OAIC) to mitigate risk and find the culprit.
Optus chief executive Kelly Bayer Rosmarin is "devastated" by the breach. In an interview with the ABC, Bayer Rosmarin revealed personal data that had been compromised included home addresses, ID documents such as driver’s licences and passports, phone numbers and customer names.
"Please be assured that we are working hard and engaging with all the relevant authorities and organisations to help safeguard our customers as much as possible.
"As soon as we knew, we took action to block the attack and began an immediate investigation.
"We are very sorry and understand customers will be concerned," Bayer Rosmarin said.
Initially, Optus discovered the attack on Wednesday due to "unusual activity", Bayer Rosmarin explained, but she did not confirm the number of customers affected.
No ransomware note has been identified yet.
The telco has confirmed the attack did not compromise its services such as mobile and home internet, nor payment details or account passwords. The company has also verified that messages and voice calls had "not been compromised and were safe to use as well".
Bayer Rosmarin added that both current and former customers may have been affected by the cyber attack, describing the number of people affected as "significant", but she did not reveal a specific number, as it is still too early to confirm.
"We want to be absolutely sure when we come out and say how many," Bayer Rosmarin said in the ABC interview.
Former Australian Cyber Security Centre boss Alastair MacGibbon noted that "this was the next step and that these efforts might overlap with criminals trying to capitalise on the attack".
Speaking with The Australian Financial Review, MacGibbon warned that Optus customers must be "extra vigilant of the calls they receive, texts they receive and email they receive".
"If it is a scammer, they will have much more accurate information.
"And even if they are not the criminal who did the hack, they are going to go out try to capitalise on it.
"Anyone with Optus should really be checking with their credit agency to make sure any of the sensitive data stolen isn’t being used for identity fraud," MacGibbon said.
The security breach could open more avenues for social engineering attacks, in which scammers trick people into handing over sensitive data, for example by pretending to be an Optus representative.
MacGibbon has warned that this Optus breach is one of the biggest attacks he has ever seen in Australia, given the number of people potentially affected and the sensitivity of the data compromised.
In line with MacGibbon's commentary, Ajay Unni, CEO and founder of StickmanCyber, warned that the data exposed can now be maliciously used to create fake identities or as a launchpad to further target users individually through spearphishing campaigns.
"Telcos like Optus carry large amounts of information about their customers such as call patterns, incoming/outgoing phone numbers, data/internet usage and other forms of personal information that can be easily exploited.
"These campaigns will now be even more effective as cyber criminals have access to more information than just an email address.
"While having technical defences is a step forward in terms of cyber security maturity, I cannot emphasise enough the importance of training and educating business users as people are always the weakest link when it comes to cyber security."
According to Unni, third party risk is another area that requires close attention as larger organisations are often infiltrated through their partnerships with external suppliers.
"The findings of the Australian Cyber Security Centre's investigation into Optus' data breach will reveal the true nature of the attack — whether it was the work of cyber criminals or a state-sponsored attack.
"Optus users need to remain vigilant of any email offering support due to this breach, even if the email appears to be from an authoritative or legitimate source.
"Optus customers need to do their due diligence when it comes to cyber hygiene and avoid clicking on any links in emails unless their legitimacy has been validated."
The Australian Cyber Security Centre (ACSC) had been notified of the incident, according to a spokesman for Cyber Security Minister Clare O'Neil.
"The Australian Signals Directorate’s Australian Cyber Security Centre has seen broad targeting of Australians and Australian organisations, through rapid exploitation of technical vulnerabilities by state actors and cyber criminals seeking to exploit weaknesses and steal sensitive data."
The OAIC has also confirmed that it had been informed of the breach.
"Following a breach, individuals need to be alert to any suspicious or unexpected activity on their personal accounts or devices.
"Under the Privacy Act, organisations have obligations to protect against unauthorised access, disclosure or loss of personal information.
"When a breach occurs, an organisation should contain the breach and take remedial action," an OAIC spokesperson said.
According to Optus, the type of information which may have been exposed includes:
- Customers' names
- Dates of birth
- Phone numbers
- Email addresses
For a subset of customers, compromised data includes:
- Addresses
- ID document numbers such as driver's licence or passport numbers
Optus says payment details and account passwords have not been compromised.
Optus asserts its services remain safe to use and operational as per normal. The telco has also notified key financial institutions about the matter.
"While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious," the company outlined in a statement.
"For customers believed to have heightened risk, Optus will undertake proactive personal notifications and offer expert third-party monitoring services," the company added.
The Optus data breach has been dubbed one of Australia's largest cyber attacks in history. According to Sean Duca, vice president and regional chief security officer for APJ at Palo Alto Networks, this is a well-orchestrated hack that can happen to any organisation.
"What makes this attack remarkable is that it is not just an attack on an Australian organisation, but on Australian individuals.
"Everyone is exposed and at risk when it comes to a serious cyber attack similar to this magnitude.
"Australia is no stranger to cyber attacks, but yesterday's breach of Optus' systems marks perhaps the biggest known attacks on our soil."
As cyber attacks grow in severity, and Australia is increasingly targeted, Duca has called for an even stronger collaboration between the Australian government and the private sector to tackle the rise in cyber attacks.
"Companies big or small, cannot ignore the importance of cyber security in the evolving threat landscape.
"A hit on one of us is a hit on all of us, as cyber security is a team sport," Duca said.