Updated: Jun 29
In September of 2022 Optus' IT systems suffered a cyber attack resulting in a breach of data affecting up to 10 million Australian customers. This data included the names, dates of birth, phone numbers and email addresses of both current and former customers. Some customers also saw their street addresses, driver's licences and passport numbers leaked as part of the breach. On October 3rd of 2022 Optus announced an "independent external review" to "undertake a forensic assessment of the cyber attack and the circumstances surrounding it." The Klaxon reports that now, 9 months since the review was announced and after numerous requests for more information, it has yet to receive a response from Optus, Chief Executive Officer Kelly Bayer Rosmarin, or Managing Director Gladys Berejiklian regarding the outcome of the review.
The Cyber Attack
On the 24th of September, Australian media reported that Optus was investigating the authenticity of a ransom demand for US$1 million posted to a hacking forum. The demand stated the ransom was to be paid in cryptocurrency within a week or the breached data would be sold for US$300,000.
Optus CEO Kelly Bayer Rosmarin claimed the attack was a "sophisticated" one. However, the Federal Government and Home Affairs and Cyber Security Minister Clare O'Neil rejected this claim, saying that the attack was a "basic" attempt and that Optus had "effectively left the window open."
On the 6th of October, the AFP announced the arrest of a 19-year-old man who allegedly threatened 93 Optus customers, claiming that he would make use of their leaked information to commit financial crimes unless they paid him AUD$2000. The AFP investigation began when they were made aware of text messages being sent to those affected by the leak with the aforementioned demands.
The hack is also currently being investigated by the Office of the Australian Information Commissioner, in an investigation intended to explore how Optus managed customer data.
On October 3rd of 2022 Ms. Rosmarin announced a forensic review into the cyber attack. Since the announcement, The Klaxon reports having repeatedly asked Optus for the "terms of references" for the review and the outcomes of the assessment, neither of which it has received. Optus and its senior staff have also not responded to The Klaxon regarding its "world class" cyber security arm, Trustwave, and whether or not this company had been placed to protect Optus' customers.
At time of writing, Serkan Öztürk for True Crime News Weekly has also written to Optus asking if Ms. Berejiklian will be dismissed from her position as a result of the recent ICAC findings against her.
Government Response & Regulation
In October the Australian Federal Government announced emergency regulation to take effect on the 6th of October, forming a 12-month amendment to the Telecommunications Regulations 2021. According to the announcement the amendment is intended to:
"...enable telecommunications companies to temporarily share approved government identifier information (such as drivers licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach."
Prime Minister Anthony Albanese stressed that it is Optus' responsibility to manage the fallout of the hack:
“We've written to Optus making clear the government's view, which is that taxpayers shouldn't pick up the bill here.”
Mr. Albanese also intends to pursue reforms which would increase the penalties for such situations. Under the 1988 Privacy Act, fines for businesses are currently capped at only $2.2 million.
Sources & Further Reading