Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The Guardian - AU
The Guardian - AU
Business
Tory Shepherd

The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle

An Optus store in Sydney
Optus chief Kelly Bayer Rosmarin initially claimed the company had fallen prey to a sophisticated attack, but the federal government and tech experts have cast doubt on that claim. Photograph: Bianca de Marchi/AAP

When Amy Hunting* first heard about one of the biggest cyber attacks in Australian history, she immediately checked to see if her personal details had been compromised.

She realised that, as a customer of the country’s second largest telecommunications provider, Optus, there was a fair chance she was one of about 10 million people whose information had been hacked – but at first, there was no communication. Eventually she got an email saying she had been caught up in the breach, which exposed one in three Australians to the risk of identity theft or financial fraud.

With millions of others, she went about trying to change her driver’s licence. She even had a bar put on her own credit report, to stop anyone from trying to open a new account in her name.

“We’re really careful about our data,” she says.

“I was really frustrated. They’re a big tech company. It’s frustrating and surprising that they’re so laissez faire with their data. Also, that they took their time in informing us.”

The alleged hacker – who threatened to sell the data unless a ransom was paid – took names, birth dates, phone numbers, addresses, and passport, healthcare and drivers’ license details from Optus, the country’s second-largest telecommunications company.

Of the 10 million people whose data was exposed, almost 3 million had crucial identity documents accessed.

Across the country, current and former customers have been rushing to change their official documents as the US Federal Bureau of Investigation joined Australia’s police, cybersecurity, and spy agencies to investigate the breach.

The Australian government is looking at overhauling privacy laws after it emerged that Optus – a subsidiary of global telecommunications firm Singtel – had kept private information for years, even after customers had cancelled their contracts.

It is also considering a European Union-style system of financial penalties for companies that fail to protect their customers.

An error-riddled message from someone claiming to be the culprit and calling themselves “Optusdata” demanded a relatively modest US$1m ransom for the data.

“We are businessmen,” Optusdata wrote in an online forum. “1.000.000$US is a lot of money and will keep to our word.”

That demand was followed by a threat to release the records of 10,000 peopleper day until the money was paid. A batch of 10,000 files was later published online.

As Optus and the federal government dealt with the fallout, the alleged hacker had a change of mind and offered their “deepest apology”.

“Too many eyes,” they said. “We will not sale data to anyone. We cant if we even want to: personally deleted data.”

Optus chief Kelly Bayer Rosmarin initially claimed the company had fallen prey to a sophisticated attack and said the associated IP address was “out of Europe”. She said police were “all over” the apparent release of information and told ABC radio that the security breach was “not as being portrayed”.’

Experts have said Optus had an application programming interface (API) online that did not need authorisation or authentication to access customer data. “Any user could have requested any other user’s information,” Corey J Ball, senior manager of cyber security consulting for Moss Adams, said.

Rachael Falk, chief executive of the Cyber Security Cooperative Research Centre, said while much was still unknown about the attack “sometimes even amateurs get lucky”.

“There are outstanding hackers, often nation states who are really, really good at this and, invariably, it doesn’t take much to find a weakness, a vulnerability, a soft spot,” she said.

“[Or] they can literally be a person in a basement, a person who likes to tinker on the side.”

Optus ‘left the window open’

The cyber security minister, Clare O’Neill, has questioned why Optus had held on to that much personal information for so long.

She also scoffed at the idea the hack was sophisticated.

“What is of concern for us is how what is quite a basic hack was undertaken on Optus,” she told the ABC. “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”

Minister for home affairs Clare O’Neil during question time in the House of Representatives this week.
Minister for home affairs Clare O’Neil during question time in the House of Representatives this week. Photograph: Mick Tsikas/AAP

Asked about Rosmarin’s comments that the attack was sophisticated, O’Neill said: “Well, it wasn’t.”

On Friday, prime minister Anthony Albanese said what had happened was “unacceptable”. He said Optus had agreed to pay for replacement passports for those affected.

“Australian companies should do everything they can to protect your data,” Albanese said.

“That’s why we’re also reviewing the Privacy Act – and we’re committed to making privacy laws stronger.”

The Australian Information Commissioner is also investigating. Commissioner Angelene Falk said companies “must take reasonable steps to destroy or de-identify the personal information they hold”.

“Collecting and storing unnecessary information breaches privacy and creates risk,” she said.

Australia currently has a $2.2m limit on corporate penalties, and there are calls for harsher penalties to encourage companies to do everything they can to protect consumers.

In the EU, the General Data Protection Regulation means companies are liable for up to 4% of the company’s revenue. Optus’s revenue last financial year was more than $7bn.

On Friday, the Australian federal police announced a special operation to protect the identity of the 10,000 victims whose details were already published online.

Australian federal police assistant commissioner Justine Gough
Australian federal police assistant commissioner Justine Gough has announced a special operation to safeguard the identities of 10,000 people whose personal information was published online. Photograph: Joel Carrett/AAP

AFP assistant commissioner Justine Gough said the operation would “supercharge” their protection against identity crime and financial fraud.

In its recently published annual report, Optus’s parent company, Singtel, touted its ability to protect against data theft and cyber attacks.

“We value the privacy of our customer data stored within our networks and systems as they may be harmed if their data is compromised or misused,” Singtel said.

“We have in place appropriate safeguards and controls to ensure the security and protection of our customer data.”

*Names have been changed.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.