A third of Australian population likely affected in Optus cyberattack

Australia’s second largest telecommunications provider, Optus, revealed it suffered a cyberattack where data from customers have possibly been accessed. However, the company claims the attack has not affected the platforms and services supporting wholesale, satellite and enterprise customers, and that of enterprise customers. Mobile and home internet services have also not been affected.

Suspicious activity was noticed on 21 September with Optus issuing a media statement on the afternoon of the following day, which was a nation-wide public holiday.

[UPDATE: Optus breach occurred due to a coding error, alleges ACMA ]

What Optus knows about the breach

The 9.8 million number of “possibly” affected customers circulating is the worst-case scenario, said Optus CEO Kelly Bayer Rosmarin at a media conference. That is the equivalent to about 37% of the Australian population. In its most recent financial report, Optus revealed it had over 10 million mobile customers as of 31 March 2022.

Not only have the current Optus mobile users been affected, the company said data of former customers dating back as far as 2017 may have been accessed in the cyberattack.

No financial data was accessed and no passwords, nor any images of any customers’ documents were stolen in the cyberattack, said Bayer Rosmarin. What Optus believes to have been accessed at this point includes names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.  

Optus is working with Australian Cyber Security Centre

Upon discovery, Optus immediately shut down the attack and notified the Australian Federal Police (AFP), the Office of the Australian Information Commissioner and key regulators and it is working with Australian Cyber Security Centre to mitigate risks to customers.

Under the Notifiable Data Breach scheme Optus must notify ACSC “as soon as practicable and no later than 30 days after is made aware of a breach”, and those affected with recommendations on what to do. Optus decided the best course of action was to first alert the media as it investigated the attack to make the information reach its customers faster. 

Optus CEO said the telco will inform all customers about the cyberattack and will do so starting with those that had a larger amount of data was accessed. As of 26 September, Optus had notified all customers whose ID document numbers, such as licence or passport number, were compromised because of the cyberattack. Optus will continue to inform all customers, even those not affected.

The telco is currently investigating the exact mechanics of the “sophisticated” attack and said Optus stores all its data in Australia.

Meanwhile, the AFP wrote in a statement this is an alleged “mass data breach.” It also said it will work with Optus to obtain the crucial information and evidence needed to conduct this “complex, criminal investigation.” Optus declined to comment on its cybersecurity operations and said the AFP requested Optus not to “discuss certain details as it might compromise their ability to find the bad actor.”

Optus warns of possible scam attacks

Optus is urging customers to be aware of possible scams following this cyberattack. Rosmarin said while the telco has chosen to inform those affected, Optus will not send any links in its communication.

Optus is offering the most affected current and former customers whose information was compromised because of a cyberattack, the option to take up a 12-month subscription to Equifax Protect at no cost. Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft. The telco will reach out to customers and offer this service, but it alerts once again it will not include any links in its communication.

The Australian Competition and Consumer Commission’ Scamwatch has warned that Optus customers may be at risk of identity theft and should take “urgent action to prevent harm.”

Optus asked customers to take the following steps:

• Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
• Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
• Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.