Australian police have announced an operation to safeguard the personal information of thousands of telecom customers following one of the biggest cyberattacks and data breaches in the country’s history.
Australian Federal Police (AFP) assistant commissioner for cyber command Justine Gough said authorities were working to identify and protect the affected customers after an unidentified person online claimed to have released personal data belonging to 10,000 Optus users.
Optus, Australia’s second-largest telecom, announced last week that the personal data of up to 9.8 million Australians had been compromised in a massive cyberattack, but authorities are particularly concerned about 10,000 customers whose details appear to have been offered for sale on the dark web.
A self-identified hacker earlier this week withdrew a $1m ransom demand while apologising for the crime and claiming that the stolen data had been destroyed.
“You can be assured that our very clever and dedicated cyber investigators are focused on delivering justice for those whose personal information has been compromised,” Gough said on Friday.
Gough said that police were concerned that fraudsters could use customers’ leaked details, which included passport and driver’s licence information, to carry out sensitive transactions.
“Customers affected by the breach will receive multijurisdictional and multilayered protection from identity crime and financial fraud,” she said.
While Gough did not comment on the ransom post, she said authorities around the world, including United States law enforcement, were pursuing multiple leads.
“Whoever is behind this attack has used obfuscation techniques,” she said.
Troy Hunt, a cybersecurity expert and Microsoft Regional Director in Australia, said authorities would be limited in their ability to protect affected customers despite their best efforts.
“They’re pretty much limited to rotating identity numbers and supporting identity theft services, there’s really not much more they can do on a per-individual basis,” Hunt told Al Jazeera.
“These actions do provide some protection, but to a limited extent. It’s not through lack of trying on the AFP’s behalf, rather a reflection of it just being very difficult to protect people in any absolute sense of the word. Even after identity numbers are rotated, victims will still be subject to phishing attacks on email and SMS, for example.”
Australia’s government has accused Optus of lax security, with the country’s cybersecurity ministry saying the telecom had “effectively left the window open for data of this nature to be stolen”.
Optus, which is owned by Singapore Telecommunications, has insisted it was targeted in a sophisticated hacking that got around multiple security protocols.
Prime Minister Anthony Albanese said on Friday Optus had agreed to pay to replace affected customers’ passports after he and several members of his government called on the company to cover the cost.
“I think that is entirely appropriate,” Albanese told reporters.