Outraged Optus customers have lashed out at the telco after learning about the major cyber attack through the media, rather than being told directly.
Now it has been revealed that Optus was aware of the breach on Wednesday, though they didn’t release an official statement until Thursday afternoon, after the Australian had already published an article about the cyber attack.
Optus confirmed the data breach in a statement on Thursday afternoon, with some nine million people reportedly affected by the attack.
“Information that may have been made public includes customer names, dates of birth, phone numbers, email addresses and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers,” the telco said in a statement. .
“Payment information and account passwords have not been compromised.”
On Friday morning, Optus CEO Kelly Bayer Rosmarin said reports of 9.8 million compromised records are the “absolute worst-case scenario.”
She described the situation as a “sophisticated attack,” and said she discovered the breach less than a day before the situation was made public.
“I heard it less than 24 hours before we went live to the press,” Ms Bayer Rosmarin said.
“It wasn’t until late that night that we were able to determine that it was significant in size. I think that was some kind of nighttime call. And the next day at 2pm we had informed everyone and were trying to get all our ducks in a row.”
Nearly 2.8 million customers had all their data in the attack, and about seven million had information such as their dates of birth, email addresses, and phone numbers collected by the hackers. the Australian reported.
Speaking to 2GB’s Ben Fordham, Andrew Sheridan, vice president of Optus Regulatory and Public Affairs, said he wanted to offer “immediate apologies” to affected customers.
“I think transparency is key in these situations,” he said Friday morning.
Fordham then wondered why it took Optus so long to release a statement and why they didn’t do so until after the story had already been released.
“I can absolutely confirm that the information has not been transferred from Optus to… the Australianbut in terms of using the media…” said Mr Sheridan, before being interrupted by the radio host.
“But wait a minute, that was already known at Optus the Australian put their story online. It’s not like you found out because you read the Australian newspaper,” he said.
“Absolutely, Ben and we were preparing to issue a press release,” Mr Sheridan said, before Fordham stepped in again and asked when Optus actually became aware of the breach.
“We knew about the breach, a bit, late on Wednesday,” he replied.
“You knew Wednesday. You didn’t reveal it on Wednesday, you didn’t reveal it Thursday morning, you didn’t reveal it Thursday afternoon,” Fordham said.
“It was only after the Australian newspaper splattered the story on their website that you made a statement. If you’re interested in protecting your customers, why didn’t you warn them the moment you became aware of this potential breach?”
Mr Sheridan claimed that a “number of steps” had to be taken in these situations and claimed that Optus had actually acted “very, very quickly”.
“I have to warn you about Andrew, I don’t think you acted quickly,” Fordham said.
The 2GB host claimed that there have been many cases in the past where companies immediately notified customers of potential breaches.
“You failed to do that,” he said.
When asked if Optus could guarantee that if this happened again, they would immediately alert customers, Mr. Sheridan said he couldn’t make that promise.
He said customers would be told “as soon as it is prudent to do so” to ensure they are given correct information.
Outraged customers have taken to social media to criticize Optus for the way the situation was handled.
“Checks emails. Nothing from Optus tells me about this,” Guardian audience editor Dave Earley said on Twitter.
“Terrible that customers find out through the media and not through Optus,” said another Twitter user.
Another wrote: “It’s disgusting, you didn’t inform anyone about this data hack, not one email, only found today from news sources, not happy!”
‘Can’t say someone is safe’: new warning
Delia Rickard, deputy chair of the Australian Competition and Consumer Commission (ACCC), has issued another warning as the telco continues to falter from the attack.
Speaking with Nine’s Todayshe warned that other telecom companies could also be vulnerable to similar security breaches.
“In this day and age, cybercrime is huge and while most agencies spend a fortune to protect themselves, you can’t say someone is 100 percent safe,” said Ms. Rickard.
The breach is allegedly caused by a weakness in Optus’ firewall and affects both current and former customers.
Ms Rickard said there are a number of things people can do to protect themselves if they are concerned about their personal information.
Simple steps like enabling two-factor authentication in all banking and checking your accounts regularly to see if any unknown purchases have been made can help keep your data safe.
Ms Rickard also said that people should be wary of contacting potential scammers.
“I think one of the really important things is when you’re approached by someone you don’t expect, whether they say they’re the government, your bank, whatever identity, if you’re dealing with people remotely, you never know who you’re doing,” she said.
“Because the scammers have so much data about you, they know your name, they know your age, they can personalize scams and we know that when someone calls you and has your name and a few details, you are much more likely to trust them.
“So I think we’re also very skeptical.”
It is also possible to get a free credit reference check every three months so you can see if someone has applied for a loan in your name.
Ms Rickard said this whole situation was “very worrying”.
Mystery surrounds hackers responsible for attack
It is still unclear who was responsible for the Optus attack, and officials continue to search for the hackers involved.
Ms Bayer Rosmarin said Optus has not received any ransomware requests so far and the attack is the subject of criminal proceedings.
“We keep it all open, it could be criminal, it could be state-based actors. We are working closely with all government agencies and the Australian Federal Police to look into it,” she said Friday morning.
Former head of the Australian Cyber Security Center Alastair MacGibbon believes the source of the breach was most likely a criminal group.
“They take information and then earn our personal data,” he told Nine’s A current matter.
“The fact that Optus has come to market so quickly is actually a big advantage for us.
“This is pretty fast in terms of cybercrime.”
MacGibbon said organizations sometimes spend weeks investigating the hack before even notifying the government.
Bayer Rosmarin said the telco took immediate action to halt further action after learning of the attack, and authorities were called in to help investigate the source.
“We are very sorry and we understand that customers will be concerned,” she said.
“Please rest assured that we are working hard and cooperating with all relevant authorities and organizations to protect our customers as much as possible.
“Optus has also informed major financial institutions about this. While we are not aware of customers who have suffered harm, we encourage customers to raise awareness of their accounts, including looking out for unusual or fraudulent activity and reports that appear strange or suspicious.”
Optus has said its services have not been affected by the breach and are safe to use, with messages and voice calls not compromised.
Optus said it would send “proactive personal notifications” to customers it believes are “increased risk”, but says it won’t send links in emails or text messages.
The telco told customers to go to their website for information or to contact them if they had any concerns.
On Thursday, Australian Federal Police said they had been made aware of the incident but could not comment further.
The federal government has been notified of the situation and the Australian Cyber Security Center is providing security advice and technical assistance.
– with NCA NewsWire