Optus data breach: Australia investigates ransom demand after cyber attack

Personal information taken from nearly 10 million customers, including some driving licence and passport numbers

Optus, Australia’s second-largest wireless carrier, has reported that personal data of 9.8 million customers has been breached. AP

Australian mobile phone company Optus said authorities are investigating an online ransom demand following a major data hack that exposed the personal details of nearly 10 million customers.

The Singapore Telecommunications-owned company is still trying to retrieve the data and is working with police and cybersecurity officials, chief executive Kelly Bayer Rosmarin said on Tuesday.

The Australian Federal Police are “all over” an online post indicating that customer details would be sold unless Optus paid a ransom, she said.

So-called ransomware hacks have soared worldwide in recent years, with attackers targeting businesses, schools and even hospitals.

Since January 2020, at least 92 corporate, government and non-profit organisations have suffered major cyber attacks exposing 1 million records or more. Over the course of more than a decade, the tally exceeds 11.43 billion records across 382 entities.

Optus, which revealed the security breach last week, is now under mounting pressure from the government as well as customers, who accuse the company of poor communications after the attack.

Home Affairs and Cyber Security Minister Clare O’Neil has said Optus left the “window open” for data to be taken, and was duped by “quite a basic hack”.

Amid reports that the private information of 10,000 Optus customers has already been released, Ms Bayer Rosmarin defended the quality of the company’s cyber-defences. The hackers, not Optus, are the villains, she said.

“It’s not as it’s being portrayed,” she said. “Our data was encrypted.”

Still, she said: “If something indicates that Optus has made an error or done something bad we will of course take full accountability for that.”

The Australian Federal Police are working with overseas law enforcement to determine who carried out the attack.

The force said Monday it is also monitoring the dark web ― hidden sites that are only accessible with special software ― following reports that stolen data is being sold there. An AFP spokeswoman declined to comment Tuesday on the reported ransom demand.

According to Ms O’Neil, “basic personal information” had been taken from 9.8 million Optus customers, while for some 2.8 million of them, the theft includes personal data such as driving licence and passport numbers.

In Australia, that’s enough to provide proof of identity to obtain a wide range of services such as loans and credit cards. “The scope for identity theft and fraud is quite significant,” she said.

Australia’s data and technology defences are years behind the criminals, she said.

“We are probably a decade behind in privacy protections where we ought to be,” she said. “We’re about five years behind where we should be in cyber protections when it comes to how fast things are moving.”

Updated: September 27, 2022, 4:40 AM