The Australian telecoms firm Optus disclosed last week that the personal data of approximately 10 million users, or roughly 40 percent of the population, were compromised in a cyber-attack.
According to some analysts, it may be the most severe data breach in Australian history.
This week, however, additional dramatic and chaotic events have transpired, including ransomware threats, furious public discussions, and scrutiny over whether this was indeed a “hack.”
It has also raised serious concerns about Australia’s data and privacy practices.
The warning was triggered on Thursday last week.
Optus, a subsidiary of Singapore Telecommunications Ltd, disclosed the intrusion approximately 24 hours after discovering suspicious network activity.
Names, birthdates, home addresses, phone and email contacts, passport and driver’s license numbers, and more were taken from current and previous customers, according to Australia’s second-largest telecom provider. The company emphasized that neither payment information nor account passwords were stolen.
Approximately 2.8 million individuals whose passport or driver’s license data were compromised have a “high” risk of identity theft and fraud, according to the government.
Optus stated that it was conducting an investigation into the breach and had contacted law enforcement, financial institutions, and government agencies. The intrusion appears to have originated abroad, according to local media reports.
Kelly Bayer Rosmarin, the chief executive officer of Optus, issued an emotional apology in which she referred to the incident as a “sophisticated attack” and stated that the firm has extremely robust cybersecurity.
She stated on Friday, “Obviously, I am unhappy that there are people out there who wish to do this to our clients, and I’m disappointed that we were unable to prevent it.”
Then a ransom demand was issued
An internet user released data samples on an online forum early Saturday morning and demanded $1 million (A$1.5 million; £938,000) in cryptocurrency from Optus as ransom.
The individual stated that the corporation had one week to pay or the remaining stolen data would be sold in batches.
Although investigators have yet to verify the user’s allegations, a small sample of data including approximately 100 entries was swiftly deemed credible by several specialists.
Jeremy Kirk, a tech reporter based in Sydney, contacted the alleged hacker and reported that the individual provided a detailed explanation of how they acquired the data.
The user disputed Optus’s assertion that the breach was “complex”, stating that they obtained the information from a widely accessible software interface.
“No authentication required… Everyone has access to the internet,” Kirk reports that they said in a message.
As information circulates, additional stolen details are revealed.
In an additional escalation on Tuesday, the alleged hacker released 10,000 customer records and reiterated the ransom demand.
However, only a few hours later, the person apologized, stating it was a “mistake,” and erased the previously released data sets.
“Too many eyes. We will not sell [sic] data to anyone,” they posted. “Apologies to Optus for the inconvenience. I hope everything goes smoothly from here on out.”
This spawned rumors over whether Optus paid the ransom, which the company disputes, or whether the user was frightened by the police probe.
Others on the forum had copied the now-deleted data sets and continued to share them, which exacerbated the issue.
Optus had not previously disclosed that some customers’ Medicare information – government identity numbers that might enable access to medical records – had also been stolen.
The business reported late Wednesday that this affected about 37,000 Medicare cards.
‘Potentially Australia’s gravest infraction’
Since last week, Optus has been flooded with messages from irate consumers.
People have been cautioned to be on the lookout for indicators of identity theft and opportunistic con artists, who are reportedly already profiting from the misunderstanding.
A class-action lawsuit could be filed against the corporation shortly. Ben Zocco from Slater and Gordon Lawyers stated, “This is potentially the most serious privacy breach in Australian history, both in terms of the number of persons affected and the substance of the material revealed.”
The government described the hack as “unprecedented” and accused Optus of “essentially leaving the door wide” for the theft of critical data.
In a Monday ABC television interview, Cyber Security Minister Clare O’Neil was asked, “You don’t appear to be believing Optus’ argument that this was a sophisticated attack, do you?”
“It was not. So no,” Ms. O’Neil answered. The event garnered considerable online attention.
On Tuesday, Ms. Bayer Rosmarin told News Corp Australia: “Multiple layers of protection exist. It is therefore not the case that there are entirely accessible APIs [software interfaces] lying around.
“I believe the majority of customers recognize that we are not the bad guys,” she said, adding that Optus could not comment further while the probe was continuing.
As people scramble to safeguard themselves, requests have been made for the corporation to pay for replacement passports and driver’s licenses.
A decade of cyber-security lag
Ms. O’Neil thinks the incident demonstrates how much Australia lags behind the rest of the globe on privacy and cyber issues.
She told ABC: “We are maybe a decade behind where we should be.”
Both political parties have traded blame for the problem. MPs from the opposition have said that the Labor government is “sleeping at the wheel,” while the government points out that it was only elected in May, following a decade of conservative control.
Ms. O’Neil identified two areas requiring immediate improvement.
She says that the government should be able to penalize firms like Optus more effectively. In certain countries, the corporation might have faced penalties of hundreds of millions of dollars, but in Australia, the maximum sanction is only $2 million, she said.
She also desires to widen the scope of cyber-security rules enacted last year to encompass telecommunications firms.
“At the time, the telecoms industry asserted, ‘Don’t worry about us; we’re cybersecurity experts. We will do it without regulation.’ This occurrence brings that assumption into question, in my opinion,” she said.
Security experts have also proposed revising data retention regulations so that telecommunications companies are not required to store sensitive data for so long. According to experts, former consumers should have the ability to request that their data be deleted.
According to Optus, existing regulations demand a six-year retention period for identifying data.
Others in the industry have argued that consumers, rather than the industry regulator, should be able to sue corporations that lose custody of their data.