Hackers have breached Optus’ systems in one of the largest cyberattacks in Australian history, accessing names, dates of birth, phone numbers, email addresses, physical addresses and driver’s licence numbers of millions of the telecommunications giant’s customers.
Well-placed sources not authorised to speak publicly said that up to 9 million customers had been affected. Many had their contact details exposed to the hackers, who also pilfered even more sensitive details, such as passport and driver’s licence numbers, for a smaller portion of Optus customers.
Depending on how much of the information the hacker or group has managed to extract, millions of Australians could be at risk of identity theft or fraud if the data is published, or Optus could receive a ransom demand.
Optus chief executive Kelly Bayer Rosmarin declined to say who was behind the attack, how it was executed or how many accounts were compromised because investigations are ongoing, but described it as a “significant number” that included current and former customers.
“Unfortunately, we became aware late yesterday that there was an unusual activity [on our network] that was a cyberattack,” Bayer Rosmarin said on the ABC. “We’re still really in the throes of investigating exactly what information has been accessed and working with all the authorities and others to try and determine who has access to them for what purpose.”
Optus’ services such as mobile and internet are still operating and safe to use, the company said in a statement on Thursday. There is no evidence so far that any payment details or account passwords were compromised or that stolen information has been published.
Early indications from the company are that the hackers are based overseas but not in China and that the hack used a vulnerability in an API – a common tool for computer systems to talk to each other – that has since been shut down.
Bayer Rosmarin apologised to customers who have been affected, said the company was working closely with law enforcement and emphasised it was notifying people early to ensure Australians could be vigilant.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” she said.
“While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance. We are very sorry and understand customers will be concerned.”
She said Optus was contacting customers at “high risk” and encouraged all to look out for unusual or fraudulent activity. Optus has also informed the Australian Federal Police, Office of the Australian Information Commissioner, financial institutions, government regulators and Australian Cyber Security Centre of the breach.
A spokesman for the commissioner’s office noted that, under law, organisations hit with a data breach must tell people “as quickly as possible” if it is likely to result in serious harm to them. The ACSC declined to comment.
Robert Potter, co-founder of cybersecurity company Internet 2.0, said Optus had done the right thing in disclosing the breach early because it let people respond quickly but added there was still substantial risk if the information gets out.
“The risk of it being on the dark web is around this being used for identity theft,” Potter said.
Alastair MacGibbon, a former head of the cyber security centre now with cybersecurity firm CyberCX, said Optus customers should be watchful for “where the criminals are essentially mimicking them, or stealing their identity, trying to obtain credit in their name, etcetera.”
“[Optus] might have already been contacted by criminals,” MacGibbon said on the ABC, though there is no indication that is the case. “We don’t know necessarily what the motives are.”
Liberal Senator James Paterson, a former chairman of the parliamentary committee overseeing Australia’s intelligence and security agencies, said it was vital to work out who was behind the attack.
“These very concerning reports represent one of the most serious cyberattacks ever suffered by an Australian business,” Paterson said.
Common motives in cyberattacks include industrial espionage, extortion threats or simply showing off. Hacking groups linked to national governments also sometimes use cyber crime for political ends.
Cyberattacks are growing in severity globally and locally. Recently transport firm Uber and the gaming giant Take-Two Games, which makes the multibillion-dollar Grand Theft Auto franchise, have been breached.
A spokesman for Cybersecurity Minister Clare O’Neil declined to answer specific questions, saying they should be directed to Optus, but noted there were more and more online attacks hitting Australian businesses.