The federal government’s response to the Optus cyberattack all but confirms that the alleged hacker who tried to extort the company is the real deal — and that’s bad news for those affected.
Before the anonymous “Optusdata” user deleted its extortion threat off a popular hacking forum yesterday, the account posted a sample of what it claimed were 10,000 Optus customers’ details. This sample included dozens of Medicare numbers, a piece of personally identifiable information that Optus had not included in its disclosures about the cyberattack.
Optus would not comment on whether Medicare numbers were compromised. Albanese government ministers, on the other hand, were quick to voice their concerns.
Home Affairs and Cyber Security Minister Clare O’Neil released a statement yesterday saying she was troubled by reports about Medicare numbers being leaked: “Medicare numbers were never advised to form part of compromised information from the breach.”
Attorney-General Mark Dreyfus and Health Minister Mark Butler reiterated concerns about Medicare details being made public, the latter saying the government was considering allowing people to get new Medicare numbers.
The reaction by senior ministers suggests that the Optusdata account is being treated by the government as belonging to those responsible for the cyberattack, and not an opportunistic scammer trying to extort the company.
O’Neil has been briefed by security agencies and Optus. Her criticism of the telecommunication company only makes sense if she believed that the anonymous extortionist was releasing real information obtained from Optus.
Hacker’s apology is not the end of the matter
Despite some celebrating the hacker’s apology and promise to delete the data, co-founder of cyber firm Internet 2.0 Robert Potter warned against taking it at its word.
“I would treat any commentary from an anonymous hacker with a grain of salt until it’s verified by law enforcement,” he said.
So far, little is known about the Optusdata account. It claimed that there was a pair of them behind the attack and that it wanted US$1 million to “retire”, and it wrote in a way that suggested that English wasn’t the user’s first language. All that information is based on a handful of posts made by the user without any corroborating evidence.
There is no guarantee for users that the hacker has deleted their data, or that they won’t pop up again with a new extortion attempt or use the data in another way.
Potter said the millions of Australians caught up in the data breach will need to be vigilant about the use of their data from now on: “People should assume that the documentation is gone for good once it’s taken.”