Optus hacker releases more than 10,000 private records

The hacker behind the Optus security breach has reportedly released more than 10,000 customer records and demanded $1.5 million in ransom money.

The records include passport, drivers licence, and Medicare numbers, dates of birth and home addresses. 

The hacker is now threatening to release another 10,000 records everyday, unless Optus pay a ransom of AUD$1.5million. 

It is estimated 9.8 million current and former customers have been compromised by the breach.

Cybersecurity journalist Jeremy Kirk took to Twitter to share a screenshot of the hacker’s ransom message.

About 11 million Optus customers had personal details stolen in data breach, and a hacker has threatened to release 10,000 of those everyday unless the company gives into a ransom of AUD $1.5m

 

The message states if the USD$1 million is paid, the data will be deleted and will not be sold on.

In the meantime until the ransom is paid, for the next four days 10,000 records each day will be released.  

On the Today Show on Tuesday, Mr Kirk said he had been in touch with the hacker personally as he had found him bragging about the hacked data on an online forum.

He explained the hacker managed to access Optus’ API (application programming interface) – a set of code which interfaces between different software systems.

On any account when you click ‘account details’ it returns data from an API working in the background to fetch that data, Mr Kirk explained.

‘When you do that, you’re logged into your account and you can’t fiddle with the URL and suddenly see my data, because that would be a huge security concern,’ Mr Kirk said.

‘This hacker found Optus’ API and it didn’t require any log-in. This person figured out how that API worked and returned data then sequentially downloaded 10 million Optus customer records.

‘We as consumers have to give them our personal data. And the expectation, in exchange for that, of course, is that companies should protect it at all costs.’

Assistant Commissioner of Cyber Command Justine Gough said the investigation into the source of the data breach would be complex.

‘We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities,’ she said.

‘Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them.’

The task force will work with the Australian Signals Directorate, overseas police as well as Optus.

Ms Gough said customers should be more vigilant in monitoring unsolicited texts, emails and phone calls in the wake of the Optus breach.

‘The AFP will be working hard to explain to the community and businesses how to harden their online security because ultimately it is our job to help protect Australians and our way of life,’ she said.

Slater and Gordon Lawyers are investigating whether to launch a class action lawsuit against Optus on behalf of former and current customers.

Class actions senior associate Ben Zocco said the leaked information posed a risk to vulnerable people, including domestic violence survivors and victims of stalking.

Consequences may be less severe for other customers but the information could easily lead to identity theft, he added.

Home Affairs Minister Clare O’Neil launched a scathing attack on Optus in parliament.

Ms O’Neil said responsibility laid squarely at the feet of the telco giant and that the government was looking at ways to mitigate the fallout.

‘The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,’ Ms O’Neil said on Monday.

‘We expect Optus to continue to do everything they can to support their customers and former customers.’

The minister called on the telco to provide free credit monitoring to former and present customers who had their data stolen in the breach.

Optus has announced it will be providing the most affected current and former customers with a free 12-month credit monitoring subscription to Equifax Protect.

Ms O’Neil said the government was looking to work with financial regulators and the banking sector to see what steps could be taken to protect affected customers.

‘One significant question is whether the cyber security requirements we place on large telecommunications providers in this country are fit for purpose,’ she said.

‘In other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.’

Prime Minister Anthony Albanese said the Optus data breach was a ‘huge wake-up call’.

As the government prepares to introduce new cybersecurity measures, Mr Albanese said the new protections would mean banks and other institutions would be informed much faster when a breach happened so personal data could not be used.

More to come