Lakeside House, Quarry Lane, Chichester PO19 8NY

hello@lms.group

How a massive data breach has exposed Australia

Last week, Australian telecommunications giant Optus revealed about 10 million customers - about 40% of the population - had personal data stolen in what it calls a cyber-attack.

Some experts say it may be the worst data breach in Australia's history.

But this week has seen more dramatic and messy developments - including ransom threats, tense public exchanges and scrutiny over whether this constituted a "hack" at all.

It's also ignited critical questions about how Australia handles data and privacy.

The alarm was sounded last Thursday

Optus - a subsidiary of Singapore Telecommunications Ltd - went public with the data breach about 24 hours after it noticed suspicious activity on its network.

Australia's second biggest telecoms provider said current and former customers' data was stolen - including names, birthdates, home addresses, phone and email contacts, and passport and driving licence numbers. It stressed that payment details and account passwords were not compromised.

Those whose passport or licence numbers were taken - roughly 2.8 million people - are at a "quite significant" risk of identity theft and fraud, the government has since said.

Optus said it was investigating the data breach and had notified police, financial institutions, and government regulators. The data breach appears to have originated overseas, local media reported.

In an emotional apology, Optus chief executive Kelly Bayer Rosmarin called it a "sophisticated attack", saying the company has very strong cyber security.

Then a ransom threat was made

Early on Saturday, an internet user published data samples on an online forum and demanded a ransom of $1m (A$1.5m; £938,000) in cryptocurrency from Optus.

The company had a week to pay or the other stolen data would be sold off in batches, the person said.

Investigators are yet to verify the user's claims, but some experts quickly said the sample data - which contained about 100 records - appeared legitimate.

Sydney-based tech reporter Jeremy Kirk contacted the purported hacker and said the person gave him a detailed explanation of how they stole the data.

The user contradicted Optus's claims the data breach was "sophisticated", saying they pulled the data from a freely accessible software interface.

"No authenticate needed… All open to internet for any one to use," they said in a message, according to Kirk.

As data circulates, revelations of more stolen details

In another escalation on Tuesday, the person claiming to be the hacker released 10,000 customer records and reiterated the ransom deadline.

But just hours later, the user apologised - saying it had been a "mistake" - and deleted the previously posted data sets.

"Too many eyes. We will not sale [sic] data to anyone," they posted. "Deepest apology to Optus for this. Hope all goes well from this."

That sparked speculation about whether Optus had paid the ransom - which the company denies - or whether the user had been spooked by the police investigation.

Adding to the problem, others on the forum had copied the now-deleted data sets, and continued to distribute them.

It also emerged some customers' Medicare details - government identification numbers that could provide access to medical records - had also been stolen, something Optus did not previously disclose.

Late on Wednesday, the company said this had affected almost 37,000 Medicare cards.

'Possibly Australia's most serious breach'

Optus has been inundated with messages from angry customers since last week.

People have been warned to watch out for signs of identity theft and for opportunistic scammers, who are said to be already cashing in on the confusion.

A class-action lawsuit could soon be filed against the company. "This is potentially the most serious privacy data breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed," said Ben Zocco from Slater and Gordon Lawyers.

The government has called the data breach "unprecedented" and blamed Optus, saying it "effectively left the window open" for sensitive data to be stolen.

In an ABC television interview on Monday, Cyber Security Minister Clare O'Neil was asked: "You certainly don't seem to be buying the line from Optus that this was a sophisticated attack?"

"Well, it wasn't. So no," Ms O'Neil replied. The moment drew lots of attention online.

 If you have yet to secure your business from cyber criminals and need help from the experts to ensure there is a robust process in place, please call 0330 088 2565 or visit of contact us page.
Visit LMS Group HQ