By Staff Writer.
Australian telco Optus experienced a massive cyberattack on Wednesday, September 21, with hackers accessing sensitive personal data, including information from ID documents such as driver’s licences and passports. Optus, which is a wholly-owned subsidiary of Singtel, has around 11 million customers in Australia.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customer’s personal information to someone who shouldn’t see it,” Optus CEO Kelly Bayer Rosmarin said in a statement. “As soon as we knew, we took action to block the attack and began an immediate investigation.”
Optus says the stolen data potentially includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, and ID document numbers such as driver’s licence or passport numbers.
Customer payment details and account passwords remain secure while wholesale, satellite and enterprise customers are unaffected. While it remains unclear whether the hackers were a criminal or state-backed group, Optus says their services remain safe to use and will continue to operate as normal.
In an advisory posted online, Optus said the hackers targeted customer data rather than the telco’s systems and services. Optus didn’t say how many customers were impacted, but it did say they were in the process of contacting them directly.
In the advisory, Optus said it was working with the Australian Cyber Security Centre and Australian Signals Directorate and had notified the Australian Federal Police and Office of the Australian Information Commissioner.
“When you sign up you need to provide all these personal details so the onus is on how companies respond to breaches and how they will prevent it from happening again. It’s also on governments on how they regulate the storage of data,” Professor Ryan Ko, Chair of Cybersecurity at the University of Queensland told The Australian. “Cybercriminals are opportunistic, and information can be stolen from one common point.”
Shadow Minister for Communications Sarah Henderson says the Optus cyberattack is a wake-up call for the new Albanese government. The former Morrison government began strengthening Australia’s cybersecurity framework and defences and Senator Henderson says the new government needs to continue the work.
“While the government has initiated a Department of Home Affairs review into data security on social media platforms such as TikTok, this won’t be completed until next year. This is all too little, too late,” Senator Henderson said in a statement, adding that the Albanese government must not “kick the can down the road.”
In addition to law enforcement and regulatory agencies, Optus says it has notified key financial institutions about the cyberattack but doesn’t yet believe any customers have experienced any harm from the data breach.
Nonetheless, the telco is warning customers to be vigilant for suspicious activity. To reduce the risk of fraud, Optus is pausing SIM swaps, replacements, and change of ownership transactions that can normally be done online, over the phone, or via messaging channels. Customers will temporarily need to head to an Optus retail outlet with the appropriate ID.
