Hacker drops ransom demand for Optus customer data

Those responsible for stealing an estimated 10 million Optus customer records have dropped a ransom demand and claim to have deleted the data, amid reports that Medicare personal numbers have now been marketed.

The attempt to force Optus to pay $1 million ($1.54 million) by Friday was halted hours after the group released sensitive details of 10,000 Australian customers on a data breach forum on the clear web.

The illegally obtained information includes passport, Medicare and driver’s license numbers, dates of birth, home addresses, and information about whether someone is renting or living with their parents.

“Too many eyes. We will not sell (sic) data to anyone. We can’t, if we even want to: personally deleted data from disk (copy only),” the group said Tuesday.

It said it would have warned Optus about the vulnerability if the telco had offered a secure method of contact or a bug bounty program.

The batch released Tuesday was still online as of 1.30pm Sydney time.

Attorney-General Mark Dreyfus told a Labor caucus meeting on Tuesday that the option of allowing Australians to change their driver’s license numbers was being considered with the privacy commissioner.

That option is not available in Victoria and the ACT.

Dreyfus said the commissioner was not notified by Optus of the breach involving nearly 10 million customers until late Friday, the day after it was first reported.

“Optus has a responsibility for the privacy of both current and former customers,” he said.

An ongoing privacy investigation will be completed this year.

In a statement, Home Secretary Clare O’Neil said she was “incredibly concerned” about reports that Medicare numbers were now being offered for free and for ransom.

“Medicare numbers were never advised to be part of any compromised information from the breach,” she said.

“Consumers have the right to know exactly what individual personal information has been compromised in Optus’ communications to them.”

Two people whose details were revealed in Tuesday’s release of Optus data and who asked to remain anonymous expressed frustration that it contained personal information that, unlike banking information, could not be easily changed.

“No one can put a price on privacy, but Optus has certainly lost mine,” a Melbourne man told AAP.

“We’ll find out how easy a mistake was to make and not to make, but come on guys. Really?” said a Canberra man who signed with Optus in 2021.

A check of 12 random email addresses against Have I Been Pwned records found that nine had not been previously exposed to breaches.

Public Services Secretary Bill Shorten said Optus hadn’t done enough to protect customers and that its response “needs to be much more diligent”.

“It’s time for… a major overhaul of how our data is held by large companies,” he said.

Optus says it was the victim of a sophisticated attack – a characterization that Ms O’Neil rejected.

She launched a scathing attack on Optus in parliament on Monday, saying the responsibility lay entirely at the feet of the telco giant.

A federal police investigation has been launched into the data breach, which affected 9.8 million Australians.

Optus says it will offer “the most affected” customers the chance to purchase a one-year subscription to its credit monitoring service Equifax Protect at no cost.

“Please note that no communications from Optus regarding this incident will contain any links as we recognize that there are criminals who will use this incident to commit phishing scams,” a statement said.

