An alleged attacker who was seeking a ransom payment from Optus in exchange for millions of customer records published 10,000 records online on Tuesday before retracting the threat and deleting all demands.
On Monday night the alleged attacker uploaded a text file of 10,000 records to a data breach website and promised to leak 10,000 more records each day for the next four days unless Optus paid $1m in cryptocurrency.
The text leak contained names, dates of birth, email addresses, driver’s licence numbers, passport numbers, Medicare numbers, phone numbers and address information. It also included more than a dozen state and federal government email addresses, including four from the defence department and one from the Department of Prime Minister and Cabinet.
But by late Tuesday morning, the alleged attacker had apparently had a change of heart, deleting their posts and claiming they had also deleted the only copy of the Optus data.
“Too many eyes. We will not sale [sic] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy),” they said in a new post.
“Sorry too [sic] 10,200 Australian whos [sic] data was leaked.
“Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you.”
The alleged attacker apologised to Optus and said they would have reported the exploit if Optus had made it possible to report. Optus said no ransom has been paid.
This sudden about-face will not bring relief to Optus customers stressed about being caught up in the breach.
Optus is still claiming the breach occurred due to a “sophisticated attack”, while the federal government maintains that it was due to an error by the company that had left the data accessible online.
It is unclear if the alleged attacker obtained the customer data – and whether they were the only party to do so.
The attorney general, Mark Dreyfus, confirmed on Tuesday that the Federal Bureau of Investigation in the US was assisting the Australian federal police’s operation to discover who might have accessed the data, and who was attempting to sell it.
There are suggestions scammers are already trying to capitalise on the breach by targeting Optus customers.
The Commonwealth Bank of Australia (CBA) said on Tuesday it had blocked an account referenced in an SMS message designed to extort $2,000 from victims of the Optus data breach.
In the SMS, victims were told that if they did not pay the money “your information will be sold and used for fraudulent activities within 2 days”.
A CBA spokesperson said the bank was “aware of an SMS seeking to solicit funds and referencing a CBA bank account following the Optus data breach, and we have identified and blocked this account”.
The block means that money can’t be transferred into or out of the account. It is understood that no money was transferred into the account between the SMS being sent and CBA blocking it.
“We continue to work closely with the Australian Federal Police and other investigative, government and regulatory authorities to limit the impact of any fraud and scams resulting from the events over the past few days,” the CBA spokesperson said.
Details of the SMS message were first reported on Twitter by a Nine Entertainment reporter on Tuesday morning.
CBA also said it was also offering customers a free service called SavvyShield that makes it easier for people who think their identity has been compromised to block inquiries about their credit history and stop attempts to apply for credit in their name.