Optus logo

Optus data breach “attacker” says sorry, it was a mistake

Since Australian telecoms company Optus disclosed a security breach on September 22, 2022, a lot has been happening.

Much of it reads like a movie script.

Prologue

A hacker acting under the pseudonym “optusdata” claims to have stolen the data of 10 million Optus customers. The information included home addresses, drivers’ licenses, Medicare numbers, and passport numbers. No passwords or financial details have been compromised.

Optus disclosed the breach on a dedicated page on its website. According to Kelly Bayer Rosmarin, Optus’ CEO:

“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it.”

At this point we don’t know what exactly happened, but as always there are some interesting theories about it.

Optus says it has sent an email or SMS message to all the customers whose identification document numbers, such as driver’s license or passport number, were compromised as a result of the cyberattack.

Extortion

On an online forum, optusdata threatened to publish the data of 10,000 Optus customers per day unless they received $1 million in cryptocurrency. They began by posting the data of 10,200 customers.

In a definitely related activity, but probably not by the same threat actor, victims of the data breach have also started to receive text messages saying they must pay AUD 2,000 ($1,300) within two days or their data will be sold on for “fraudulent activity”. While the texts include the name “OptusData” it is probably not the same person, and more likely to be someone who has just gained access to the partial dataset that the original threat actor leaked.

Too much attention

The Australian Federal Police in cooperation with the FBI and other law enforcement organizations are investigating the data breach, and have launched Operation Hurricane.

We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities. Criminals, who use pseudonyms and anonymizing technology, can’t see us but I can tell you that we can see them.

Apparently the heat has grown beyond what the threat actor could bear. In a statement on a forum where they announced the hack, they wrote:

“Too many eyes. We will not sale data to anyone. We cant if we even want to: personally deleted data from drive (Only copy)

Sorry too 10.200 Australian whos data was leaked.

Australia will see no gain in fraud, this can be monitored. Maybe for 10.200 Australian but rest of population no. Very sorry to you.

Deepest apology to Optus for this. Hope all goes well from this

Optus if your reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message.

Ransom not payed but we dont care any more. Was mistake to scrape publish data in first place.”

Note: I left the typos alone since it may give an expert some clues about the writers’ first language

Happy end?

Let’s start with the good news.

Australian victims of the Optus breach will be able to change their driver’s license numbers and get new cards. The New South Wales, Victoria, Queensland, and South Australia governments have started clearing bureaucratic hurdles for anyone who can prove they are victims of the hack. Optus is expected to bear the multimillion-dollar cost of the changeover.

There is also talk about a class action lawsuit.

Optus is offering customers the option to take up a 12-month subscription to a credit monitoring and identity protection service.

The Commonwealth Bank confirmed it had identified and blocked the account of the SMS extortionist.

All the customers who have an unexpired Medicare card will be contacted by Optus. There are a further 22,000 expired Medicare card numbers that were exposed, and the holders of those cards will also be contacted directly. It’s worth noting that Optus says personal information cannot be accessed using just a Medicare number.

The bad news is, of course, in the uncertainty. Can we really trust the threat actor when they claim they have deleted the data? They have proven to be a criminal so why would we take their word for it? We can’t even be hundred percent sure that the person posting that statement is the actual holder of the data.

So, stay safe and be on the lookout for the phishing campaigns that will undoubtedly try to bank on these events.

We will keep you updated here if the plot decides to take another turn.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.