As Optus began contacting up to 10 million customers who could be victims of a data breach, the Australian Consumer and Competition Commission has warned all of the telco and phone retailer’s customers to protect their accounts and watch for scams. Describing one of Australia’s biggest cybersecurity breaches, Optus CEO Kelly Bayer Rosmarin said on Friday that an “offshore-based entity” had broken into the company’s database of customer information, accessing home addresses, drivers licence and passport numbers of the equivalent to 40 per cent of the country’s population.
The Australian Federal Police, meanwhile, said it was monitoring the dark web to look for any evidence the stolen information was being offered for sale.
Rosmarin said that she was “angry and sorry” for the breach that she described as a “sophisticated” hack, but assured customers that no passwords or financial details have been compromised. Corporate customers are unaffected.
On Saturday morning, Optus said it had started the process of contacting affected customers, commencing with those whose ID document details may have been copied.
“All of [them] will be notified by today. We will notify customers who have had no impacts last,” the company said in a statement.
The hack appears to have been orchestrated from Europe. Optus is owned by Singapore telecom provider SingTel.
On Saturday, the Sydney Morning Herald reported that Optus was investigating a threat to sell customer information online unless the company paid $1 million in cryptocurrency to the hackers. An Australian Federal Police spokesperson told Reuters that police were aware of those reports.
Optus said as the attack was under police investigation it “cannot comment on certain aspects of the incident”.
On Monday, Optus advised that the Australian Cyber Security Centre has published advice on its website, cyber.gov.au, for current and former customers who have been impacted. The ACSC also has a 1300 CYBER1 hotline.
The telco also warned customers that no genuine Optus email or SMS notification will have hyperlinks. “If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus. Please do not click on any such links.”
Optus advised that while the AFP continues its investigation it has asked the company not to provide comment on certain aspects of the investigation, including verifying the authenticity of customer information published on the internet.
What to do if your information may have been stolen
ACCC Scamwatch has advised Optus customers to take “immediate steps” to secure all of their accounts, particularly their bank and financial accounts. “You should also monitor for unusual activity on your accounts and watch out for contact by scammers.”
The regulatory authority warned customers that their name, date of birth, phone number and email addresses may have been released. “For some customers, identity document numbers such as driver’s licence or passport numbers could be in the hands of criminals. It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm.
“Scammers may use your personal information to contact you by phone, text or email.”
ACCC Scamwatch advises the following:
Secure your devices and monitor for unusual activity.
Change your online account passwords and enable multi-factor authentication for banking.
Check your accounts for unusual activity such as items you haven’t purchased.
Place limits on your accounts or ask your bank how you can secure your money.
If you suspect fraud you can request a ban on your credit report.
Never click on links or provide personal or financial information to someone who contacts you out of the blue.
More information about how to protect yourself is available on the OAIC website or from Scamwatch. Along with the Optus website, Moneysmart and ID Care are also providing assistance and information.