The Australian Federal Police (AFP) announced on Monday that they are actively collecting critical evidence and collaborating with international law enforcement agencies in response to the breach of telecom provider Optus. This initiative, designated as “Operation Hurricane,” aims to identify the perpetrators of the intrusion and protect Australian citizens from potential identity fraud.
In a recent statement, the AFP emphasized their commitment to uncovering the criminals involved in this significant breach. This development follows Optus’s public acknowledgment on September 22, 2022, that it had been the target of a cyberattack; the company terminated the unauthorized access immediately upon discovery.
The attackers behind the Optus breach released a portion of the compromised data, including 10,200 records, thereby increasing the risk of identity theft for those affected. Additionally, they have issued a ransom demand of $1 million, although the dataset has since been removed, and the perpetrator claims to have destroyed their only copy of the stolen information.
Optus, which is owned by Singtel, reportedly had a subscriber base exceeding 10 million as of December 2019. The company has not disclosed specific details regarding the timeframe of the incident. While the extent of the impact remains unclear, Optus has indicated that unauthorized access could have exposed sensitive personal information such as names, dates of birth, contact numbers, email addresses, and in some cases, residential addresses and identification document numbers, including driver’s licenses and passports.
In addition to active customers, data belonging to former customers has also allegedly been compromised, raising questions about the retention policies of telecom providers when it comes to personal data. Fortunately, payment details and account passwords appear to have remained secure throughout the incident.
Optus’s privacy policy mentions that while customers can request the deletion of their personal information, the company may not always fulfill such requests due to legal obligations. Specifically, they refer to the Telecommunications Interception and Access Act 1979, which may mandate the retention of certain data for designated timeframes.
Although specific details of how the attack was carried out remain undisclosed, cybersecurity experts believe it involved access through an unauthenticated API endpoint identified as “api.www.optus.com[.]au,” which may have been exposed to public access as early as January 2019. This raises serious concerns about developers’ practices for enforcing access controls.
Optus urges its customers, particularly those in financial sectors, to adopt precautionary measures to secure their online accounts and to monitor them vigilantly for unusual activities. In a bid to alleviate risks related to identity theft, the company is offering free 12-month subscriptions to a credit monitoring and identity protection service to its most affected customers.
The Australian Competition and Consumer Commission (ACCC) has also warned individuals to be vigilant against potential scams. “Be cautious of unsolicited contacts via phone, text, or email, and refrain from clicking on links or sharing personal or financial information with unexpected communicators,” it cautions.