As the Associated Press reports, Optus disclosed on September 22 that the previous day it had discovered an unauthorized third party had stolen the details of 9.8 million people. Australia has a population of 26 million.
Australian Cybersecurity Minister Clare O’Neil told Australian Broadcasting Corp. that for 2.8 million current and former Optus customers, the breach exposed “significant amounts of personal data.” That included driver’s license and passport numbers, O’Neil said.
The Australian government said it was weighing stricter cybersecurity regulations for telecommunications companies, according to the AP.
On the night of September 26, a purported hacker published 10,000 consumer records online, as The Guardian reports. The threat actor vowed to publish 10,000 more records each day for four days until a $1 million cryptocurrency ransom was paid. The leaked data included not only driver's license and passport numbers but also Medicare numbers, along with names, birthdates, phone numbers, addresses and email addresses.
By the morning of September 27, the purported hacker deleted their posts and claimed that they had deleted all of the remaining data. “Too many eyes,” the threat actor wrote in a new post. “We will not sale [sic] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy).”
As the Financial Review reports, the Australian Federal Police have begun a global search for the identity of the hacker or hackers behind the incident. Australian Attorney-General Mark Dreyfus said the FBI had been brought in to assist. Optus CEO Kelly Bayer Rosmarin maintained that the incident was not due to shoddy security.
Vice Australia writes: “Government officials are calling for a full, official timeline of events, and the company itself says it’s still in the process of alerting all customers who were impacted. Very cool.”