Optus, Australian government clash over massive data breach

Canberra claims the No 2 telecom ‘effectively left the window open’ to hackers.

Optus last week disclosed that the personal details of up to 10 million users were compromised in one of the biggest data breaches in Australian history [File: Mark Baker/AP]

Australian telecoms giant Optus has come under more fire from the government over its massive cyber breach, while an anonymous online account believed to belong to the hackers said it was deleting stolen data and withdrawing a $1m ransom demand.

Optus, the country’s No 2 mobile operator, said last week that data of up to 10 million customers including home addresses, drivers’ licenses and passport numbers had been compromised in one of Australia’s biggest data breaches.

An account called “optusdata”, believed by cybersecurity experts to be that of the hackers, had threatened in an online forum to publish the data of 10,000 Optus customers per day unless they received $1m in cryptocurrency.

On Tuesday, however, the account holders posted they had deleted the data due to “too many eyes”, were withdrawing their ransom demand and were sorry for having already leaked data of 10,200 Australians.

Optus and the Australian Federal Police, who have been working with the US’s Federal Bureau of Investigation and other offshore law enforcement agencies to probe the cyberattack, declined to comment on whether they believed the “optusdata” account holders were behind the breach.

The Australian federal government has blamed Optus for the breach, suggested the company had “effectively left the window open” for hackers to steal data, and flagged an overhaul of privacy rules and higher fines.

Minister for Cyber Security Clare O’Neil said she was “incredibly concerned … about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom”, referring to the government’s health insurance scheme.

Optus Chief Executive Kelly Bayer Rosmarin said the incident had generated “a lot of misinformation” and the company took data protection seriously.

“Given we’re not allowed to say much because the police have asked us not to, what I can say … is that our data was encrypted and we had multiple layers of protection,” Bayer Rosmarin told ABC Radio.

She added that most customers understand that “we are not the villains” and that the company had not deliberately done anything to put data at risk.

Jeremy Kirk, a cybersecurity researcher and writer who said he had been in contact with the purported hacker, tweeted that it was unclear why “optusdata” changed their mind but “this doesn’t change the risk for anyone exposed”.

“The Optus data has been stolen, and we can’t trust this person. No guard should be let down,” he wrote.

Source: Reuters