The second-largest wireless carrier in Australia, Optus, has confirmed cyber attack that may have resulted in the leaking of sensitive customer data.
The telco said on Thursday morning that the potentially exposed data included customer names, email addresses, phone numbers, and dates of birth.
For a limited subset of potentially affected customers, passport and driving licence numbers may also be in the hands of the hackers, Optus said.
It’s currently unclear if data was definitely accessed or stolen by the hackers involved in the incident. The wording in the statement released by Optus differed from that of the CEO’s direct quotes supplied to the press.
The statement alludes to a “possible unauthorised access of current and former customers’ information” while the CEO’s comments imply a more definitive conclusion.
“We are devastated to discover that we have been subject to a cyber attack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it," said Kelly Bayer Rosmarin, CEO at Optus.
"As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.
“We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible."
The telco confirmed that its services such as its mobile network and home internet products were unaffected by the incident and neither SMS messages nor voice calls have been compromised either.
Optus also confirmed that it’s working with the Australian Cyber Security Centre, Australian Federal Police, the Office of the Australian Information Commissioner, key regulators, and financial institutions regarding the incident.
“While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” said Rosmarin.
RELATED RESOURCE
Storage's role in addressing the challenges of ensuring cyber resilience
Understanding the role of data storage in cyber resiliency
Customers believed to be at a “heightened risk” of becoming impacted by the incident may be offered third-party monitoring services, Optus said, and the company will be proactively notifying those affected.
When credentials and personally identifiable information are stolen from a company’s IT systems, the individuals affected are often more vulnerable to phishing attacks.
The more information made available to hackers that can be used to personalise attacks, and increase the perception of legitimacy, increases their effectiveness.
Stolen data may also be sold on the dark web, opening up impacted customers to fraud campaigns. The smaller subset of impacted customers who have had their identity documents such as passports and driving licences stolen may need to replace these as soon as possible.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Latitude Financial's data policies questioned after more than 14 million records stolenNews Some of the data is from at least 2005 and includes customers’ name, address, and date of birth
-
Latitude hack now under state investigation as customers struggle to protect their accountsNews The cyber attack has affected around 330,000 customers, although the company has said this is likely to increase
-
IDCARE: Meet the cyber security charity shaping Australia and New Zealand's data breach responseCase Studies IDCARE is recruiting a reserve army to turbocharge the fightback against cyber crime not just in the region, but in the interests of victims all over the world
-
Australia commits to establishing second national cyber security agencyNews The country is still aiming to be the most cyber-secure country in the world by 2030
-
Medibank bleeds $26 million in cyber costs following hackNews The company believes this figure could rise to $45 million for the 2023 financial year
-
TikTok's two new European data centres to address data protection concernsNews The company is under pressure to prove its user data isn’t being accessed by the Chinese state
-
Cyber attack on Australia’s TPG Telecom affects 15,000 customersNews It is the third cyber attack on a major Australian telco since October
-
Telstra blames IT blunder for leak of 130,000 customer recordsNews Australia’s biggest telco said that the error was due to a mismanagement of databases and not a cyber attack
