Hacker drops ransom demand for Optus customer data
Those responsible for stealing an estimated 10 million Optus customer records have scrapped a ransom demand and claim to have deleted the data, amid reports that personal Medicare numbers have now been put on the market.
The attempt to force Optus to pay US$1 million (A$1.54 million) by Friday was dropped hours after the group released a batch of 10,000 Australian customers’ sensitive details on a data breach forum on the clear web.
The illegally obtained information includes passport, Medicare and driver’s licence numbers, dates of birth, home addresses and information about whether a person is renting or living with parents.
“Too many eyes. We will not sale (sic) data to anyone. We cant if we even want to: personally deleted data from drive (Only copy),” the group said on Tuesday.
It said it would have alerted Optus to its vulnerability if the telco had a secure method of contact or a bug bounty program.
The batch released on Tuesday was still online as of 1.30pm Sydney time.
Attorney-General Mark Dreyfus told a Labor caucus meeting on Tuesday that the option to allow Australians to change their driver licence numbers was being considered with the privacy commissioner.
That option is not available in Victoria and the ACT.
Dreyfus said the commissioner wasn’t notified by Optus of the breach involving almost 10 million customers until late Friday, the day after it was first reported.
“Optus has a responsibility for the privacy of both current and former customers,” he said.
An ongoing privacy review will be completed this year.
In a statement, Home Affairs Minister Clare O’Neil said she was “incredibly concerned” about reports that Medicare numbers were now being offered for free and for ransom.
“Medicare numbers were never advised to form part of compromised information from the breach,” she said.
“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them.”
Two people whose details were exposed in Tuesday’s release of Optus data, and who asked to remain anonymous, expressed frustration that it contained personal data that, unlike bank details, couldn’t easily be changed.
“No one can put a price on privacy but Optus has certainly lost mine,” a Melbourne man told AAP.
“We’ll find out how easy a mistake it was to make and to not make but c’mon, guys. Really?” said a Canberra man who signed up with Optus in 2021.
A check of 12 random email addresses against records held by Have I Been Pwned found nine had not previously been exposed in breaches.
Government Services Minister Bill Shorten said Optus hadn’t done enough to protect customers and its response “needs to be much more diligent.”
“It’s time for … a big overhaul of how our data is kept by big corporations,” he said.
Optus says it was the victim of a sophisticated attack – a characterisation dismissed by Ms O’Neil.
She launched a scathing attack on Optus in parliament on Monday, saying responsibility lay squarely at the feet of the telco giant.
A federal police investigation has been launched into the data breach, which has affected 9.8 million Australians.
Optus says it will offer “the most affected” customers the chance to take up a one-year subscription to credit monitoring service Equifax Protect at no cost.
“Please note that no communications from Optus relating to this incident will include any links as we recognise there are criminals who will be using this incident to conduct phishing scams,” a statement said.