‘If you care, you will pay’: Optus hacker releases 10,000 customer records

Optus boss Kelly Bayer Rosmarin has vowed to stay on in her job after hackers overnight released alleged details of 10,000 customers on the dark web, and she has rejected the government’s accusations the company left itself open to a “quite basic” hack.

The data release, from the same user of a hacking forum that has previously published records that cyber experts viewed as genuine, appears to be an attempt to ratchet up pressure on Optus to pay a $US1 million ($1.55 million) ransom in cryptocurrency.

Optus’ chief executive has vowed to stay on to lead the response to the hack. Credit: Cole Bennetts

Optus chief executive Kelly Bayer Rosmarin said there was “misinformation” about her company’s cybersecurity but did not deny that personal customer information was accessed through an API — a common way for computers to exchange information — which appeared to spark cyber security minister Clare O’Neil’s condemnation.

"Our data was encrypted and we have multiple layers of protection," Bayer Rosmarin said on ABC Radio. "So it's not the case of having some completely exposed API sitting out there."

O'Neil said on Monday night that Optus had "effectively left the window open for data of this nature to be stolen", flagging bigger fines for data breaches, tougher laws on telecommunications companies and reforms to consumer information rules.

Bayer Rosmarin argued Optus should not be seen as the wrongdoer and was doing everything it could to help customers. “We are not the villains,” she said.

Asked whether Optus should face new laws to punish cyber offences with fines in the tens of millions, Bayer Rosmarin said: "I'm not sure that penalties benefit anybody."

“If something comes out of that that indicates that Optus has made an error or done something bad, we will of course take full responsibility for that.”

Asked whether she would take responsibility for the hack occurring on her watch and resign, Bayer Rosmarin said: "All we're focussed on is protecting our customers. So someone has to be accountable for doing that and that's exactly what I'm focussed on."

In a post shared widely on social media, authored by a purported hacker behind the breach, the extortionist warns that 10,000 records will be released each day over four days unless Optus pays $US1 million ($1.55 million).

The personal records of 10,000 Optus customers have been released, according to an apparent extortionist.

“If you care about customer, you will pay,” the note reads.

The post’s veracity has not been formally confirmed. Optus and the AFP have been contacted for comment.

However, Jeremy Kirk – the executive editor at Information Security Media Group, a computer security-focused publisher – says it appears legitimate.

He said it appeared Medicare numbers may have been exposed, with the word “Medicare” appearing 55 times across the records.

“There’s no winding this back, once that data is out there,” Kirk told the Nine Network. “You’re not going to sell your house because of a data breach.”

There is no guarantee that paying a ransom would in fact ensure that the data was returned or that it is entirely genuine. Optus has stressed that investigations are ongoing, as have the federal police.

A federal police investigation has been launched into the data breach. Operation Hurricane has been established by the AFP to identify the people behind the breach, as well as prevent identity fraud of those affected.

The recent hack has affected up to 9.8 million Australians, with 2.8 million having extensive data taken including personal document identification numbers. There are also signs that Medicare numbers may have been taken.
