Breach could be wider than the Singtel-owned telco
Following a cyberattack, Optus is investigating the possible unauthorised access of current and former customers’ information.
Optus immediately shut down the attack when it was discovered and is now working with the Australian Cyber Security Centre to mitigate any customer risks. The telco has also notified the Australian Federal Police, the Office of the Australian Information Commissioner, and key regulators.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” said Kelly Bayer Rosmarin, Optus CEO.
Rosmarin said while not everyone may be affected, the investigation is not yet complete.
“We want all of our customers to be aware of what has happened as soon as possible to increase their vigilance,” said Rosmarin. “We are very sorry and understand customers will be concerned. Please be assured that we are working hard and engaging with all the relevant authorities and organisations to help safeguard our customers as much as possible.”
The information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses and ID document numbers such as driver’s licence or passport numbers. Payment details and account passwords have not been compromised.
Optus services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as normal.
Optus stated it has also notified key financial institutions about this matter, although it is not aware of customers having suffered any harm.
“We encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” said Rosmarin.
Jason Baden, Regional Vice President, A/NZ for a multi-cloud security and application delivery company, said the personal data of many Australian citizens will be in the hands of criminal or state actors.
“That data could be used to sign up for new mobile services, open mule bank accounts, gambling accounts, or pursue social engineering for purposes of fraud and money laundering,” he said.
“The impact of breaches like this is much wider than the initial organisation hit – now everyone needs to be on notice, both individuals and organisations such as banks, gambling companies, telcos, loyalty programs, and more.”