Police are investigating a massive hacking attack against Optus that may have compromised millions of customers, but the company’s boss has only offered an apology and a few words of advice.
Passport and driver’s licence numbers were among the information allegedly stolen in the massive hacking incident.
Australian Federal Police have launched a probe after receiving a referral from Optus about the alleged “mass data breach”.
“The AFP will work with Optus to obtain the crucial information and evidence needed to conduct this complex, criminal investigation,” a statement on Friday read.
“The AFP’s specialist Cyber Command will work closely with a number of agencies, including the Australian Signals Directorate.”
Optus chief executive Kelly Bayer-Rosmarin apologised for the cyber intrusion in a conference call with reporters on Friday, saying “it should not have happened”.
“I’m disappointed that we couldn’t prevent it,” she said.
“It undermines all the great work we’ve been doing to be a pioneer in this industry, be a challenger, and create new and wonderful experiences for our customers. I’m really sorry.”
The cyber breach could have wide-reaching consequences for both private and small business customers, Ms Bayer-Rosmarin acknowledged.
In an “absolute worst-case scenario”, 9.8 million customers were affected, although Ms Bayer-Rosmarin cautioned that authorities were still investigating the breach and the full impact was not yet known.
Unconfirmed screengrabs from a dark web hacker forum show cyber criminals claiming to have access to one million Optus phone numbers.
Ms Bayer-Rosmarin urged customers to be on the watch for suspicious contacts in the near future, fearing bad actors who access the stolen data could use it to place scam calls.
“What customers can do is just be vigilant,” she said.
“It really is about increased vigilance, and being alert to any activity that seems suspicious or odd, or out of the ordinary.
“If somebody calls you and says they want to connect to your computer, and says to give them your password or let them in, don’t allow that to occur.”
She said passwords and financial details had not been compromised, but other sensitive information had been pilfered.
“We do hold a reference to the identification information, whether it’s the driver’s licence number or passport number. That’s the field that’s been compromised,” she said.
“I again want to reassure people that they have not got images of any of those documents, nor any bank details or passwords.”
Police urge everyone to harden their online security to help prevent falling victim to malware and scams.
Optus customers who may have had their data stolen are urged to:
- Be careful of possible scam calls;
- Consider strengthening password and other online security measures; and
- Be on the lookout for more information from Optus in the coming days.
Brett Callow, threat analyst with the cyber security firm Emsisoft, said companies should do what they could to minimise the collection of personal data.
“Generally speaking, it’s good practice for companies to collect only information that they absolutely need to collect and to retain it for no longer than necessary – in fact, this is a legal requirement in Europe,” he said.
“Minimising the amount of data that is held in this way can obviously help to reduce the number of individuals who are impacted when companies get breached.
“And, really, why should companies hold onto information that they don’t need anyway?”
Ms Bayer-Rosmarin said there was a simple explanation.
“The reason that we hold onto customer data for a period of time is that it is the law,” she said.
“We have to be able to go back in our records for six years and so we do keep all the information for the required length of time.”
How do I know if I am at risk?
Customers who have been affected will be contacted by Optus in the coming days.
Customers who believe their data may have been compromised, or who have specific concerns, were asked to contact Optus through the My Optus App (the company said this is the safest way to interact with Optus), or by calling 133 937.
Optus said it would not send links in any emails or SMS messages.
What should I do to protect my details?
Customers have been advised to change their online account passwords and enable multifactor authentication for banking.
They are also being advised to place limits on withdrawals for their banking.
“It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm,” Scamwatch said in a statement.
“Scammers may use your personal information to contact you by phone, text or email.
“Never click on links or provide personal or financial information to someone who contacts you out of the blue.”