Australia’s second-largest telecoms provider, Optus, has revealed it suffered a cyberattack where customer data may have been accessed. However, the company says the attack did not affect platforms and services supporting wholesale, satellite and enterprise customers, nor those of enterprise customers. Mobile and home internet services were also unaffected.
Suspicious activity was noticed on Wednesday with Optus issuing a statement to the media on Thursday afternoon, which was a national holiday.
What Optus knows about the breach
The number of 9.8 million “possibly” affected customers circulating is a worst-case scenario, Optus CEO Kelly Bayer Rosmarin said at a news conference on Friday. This equates to approximately 37% of Australia’s population. In its latest financial report, Optus revealed that it had over 10 million mobile customers as of March 31, 2022.
Not only were current Optus mobile users affected, but the company said even data from former customers dating back to 2017 may have been accessed during the cyberattack.
No financial data was accessed and no passwords or images of customer documents were stolen in the cyberattack, Bayer Rosmarin said. What Optus believes has been accessed by cyberattacks at this stage includes names, dates of birth, phone numbers, email addresses and, for a subset of customers, addresses, document numbers identification such as driver’s license or passport numbers.
Optus works with the Australian Cyber Security Center
Upon discovery, Optus immediately halted the attack and notified the Australian Federal Police (AFP), the Australian Information Commissioner’s Office and key regulators and is working with Australian Cyber Security. Center to mitigate risk to customers.
Under the Notifiable Data Breach Regime Optus must notify the ACSC “as soon as possible and no later than 30 days after being notified of a violation”, and affected individuals with recommendations on what to do. Optus decided the best course of action was to first alert the media as it investigated the attack so that information would reach its customers more quickly.
The CEO of Optus said the telecommunications company will notify all customers of the cyberattack and will do so starting with those who have had access to a greater amount of data. The phone company is currently investigating the exact mechanics of the “sophisticated” attack and said Optus stores all of its data in Australia.
Meanwhile, AFP wrote in a statement that it was an alleged “massive data breach”. He also said he would work with Optus to obtain the crucial information and evidence needed to conduct this “complex criminal investigation”. Optus declined to comment on its cybersecurity operations and said AFP asked Optus not to “discuss certain details as it could compromise their ability to find the wrong actor”.
Optus warns of possible fraudulent attacks
Optus urges customers to be aware of possible scams following this cyberattack. Rosmarin said that although the telecom operator has chosen to notify those affected, Optus will not send any links in its communication.
The Australian Competition and Consumer Commission’s Scamwatch has warned that Optus customers could be at risk of identity theft and should take “urgent action to avoid harm”.
Optus asked customers to take the following steps:
- Be on the lookout for suspicious or unexpected activity in your online accounts, including your bank accounts. Be sure to immediately report any fraudulent activity to the relevant provider.
- Be careful of the contacts of scammers who might have your personal information. These can be emails, text messages, phone calls or suspicious messages on social networks.
- Never click on links that look suspicious and never provide your passwords or any personal or financial information.
Copyright © 2022 IDG Communications, Inc.