Furious Optus customers have hit out at the telco after learning of a major cyber attack through the media rather than being told directly.
It has now emerged that Optus were aware of the breach on Wednesday, but did not release an official statement until Thursday afternoon. The Australian had already published an article about the cyber attack.
Optus confirmed the data breach in a statement on Thursday afternoon. The attack reportedly affected about nine million people.
“Information that may have been disclosed includes customer names, dates of birth, phone numbers, email addresses and, for a subset of customers, addresses, ID numbers such as driver’s license or passport numbers,” the telecommunications company said in a statement.
“Payment and account passwords were not compromised.”
Optus CEO Kelly Bayer Rosmarin said on Friday morning that reports of 9.8 million records being hacked were the “absolute worst-case scenario”.
She described the situation as a “sophisticated attack,” saying she learned of the breach less than a day before the situation was made public.
“I found out about it less than 24 hours before we went live to the press,” Ms Bayer Rosmarin said.
“It wasn’t until late at night that we were able to determine that it was on a significant scale. I think it was a late call. And by 2 p.m. the next day, we notified everyone and tried to gather all our ducks in a row.”
Ms Bayer Rosmarin appeared emotional at the end of the press conference when asked how she felt about the data leak.
“Obviously, I’m angry that there are people who want to do this to our customers,” she said, looking on the verge of tears.
“I’m disappointed that this has undermined all the great work we’ve been doing to pioneer this industry as a true competitor, creating new and great experiences for our customers.”
Nearly 2.8 million customers had all of their data taken during the attack, with about seven million having information such as dates of birth, email addresses and phone numbers taken by hackers, The Australian reported.
Talking to 2GB’s Ben Fordham, Optus vice-president of regulatory and public affairs Andrew Sheridan said he wanted to “apologise directly” to affected customers.
“I think transparency in these situations is critical,” he said Friday morning.
Fordham then questioned why it took Optus so long to release a statement, and why they only did so after the story had already been published.
“I can absolutely confirm that the information did not come from Optus to The Australian, but in terms of using the media …,” Mr Sheridan said before being cut off by the radio presenter.
“But wait, that was known at Optus before The Australian posted its story online. You didn’t know it because you read it in The Australian newspaper,” Fordham said.
“Definitely, Ben and I were preparing to issue a media release,” Mr Sheridan said, before Fordham intervened again to ask when Optus actually became aware of the breach.
“We knew about the breach, like, late Wednesday,” he replied.
“You knew about it on Wednesday. You didn’t disclose it Wednesday, you didn’t disclose it Thursday morning, you didn’t disclose it Thursday lunchtime,” Fordham said.
“It was only after The Australian newspaper published information on its website that you made a statement. If you’re interested in protecting your customers, why didn’t you notify them the moment you became aware of a potential breach?”
Mr Sheridan argued that a “number of steps” needed to be taken in these situations and that Optus had in fact acted “very, very quickly”.
“I’ve got to call you out Andrew, I don’t think you’ve acted very quickly,” Fordham said.
The 2GB host claimed that there have been many cases in the past where companies have immediately notified customers of potential breaches.
“You guys couldn’t do it,” he said.
When asked if Optus could guarantee that if this happened again they would immediately alert customers, Mr Sheridan said he could not promise that.
He said customers would be told “as soon as is reasonable” to ensure they were getting accurate information.
Furious customers took to social media to blast Optus for the way they handled the situation.
“Checking email. Optus hasn’t told me anything about this,” Guardian editor Dave Earley wrote on Twitter.
“Horrible that customers are finding out through the media and not Optus,” said another Twitter user.
Another wrote: “This is disgusting, you didn’t tell anyone about this data breach, not a single email, only found it today from news sources, displeased!”
‘You can’t say anyone is safe’: a new warning
Delia Rickard, deputy chair of the Australian Competition and Consumer Commission (ACCC), has issued a fresh warning as the telco continues to reel from the attack.
Speaking to Nine’s Today, she warned that other telecommunications companies may also be vulnerable to similar security breaches.
“Cybercrime is huge in this day and age, and while most agencies spend huge amounts of money to protect themselves, you can’t say anyone is 100 percent safe,” Ms Rickard said.
The hack is believed to have been launched through a weakness in Optus’ firewall and is affecting both current and former customers.
Ms Rickard said there are a number of things people can do to protect themselves if they are concerned that their personal data may have been exposed.
Simple steps like enabling two-factor authentication at all banks and checking your accounts regularly to see if any unknown purchases have been made can help keep your details safe.
Ms Rickard also said people should monitor any contact with potential scammers.
“I think one of the really big things is when you’re contacted by someone you don’t expect, whether they say it’s the government, your bank, anyone at all, when you’re dealing with people remotely, you never know who you’re dealing with,” she said.
“Because scammers have so much data about you, they’ll know your name, they’ll know your age, they’ll be able to personalize the scam, and we know that if someone calls you and knows your name and a few details, you’re much more likely to trust them.
“So I think it’s also very skeptical.”
You can also get a free credit check every three months to see if anyone has applied for a loan in your name.
Ms Rickard said the whole situation was “very worrying”.
The hackers responsible for the attack are shrouded in mystery
While it is unclear who is responsible for the Optus attack, officials continue to search for the hackers involved.
Ms Bayer Rosmarin said Optus had not yet received any ransom demands and that the attack was the subject of a criminal prosecution.
“We keep it all open, it could be criminal, it could be public figures. We are working closely with all government agencies and the Australian Federal Police to look into this,” she said on Friday morning.
The former head of the Australian Cyber Security Centre, Alastair MacGibbon, believes that the source of the hack was most likely a criminal group.
“They take information and then monetize our personal data,” he told Nine’s Actual business.
“The fact that Optus came out so quickly is a huge advantage for us.
“That’s pretty fast in terms of cybercrime.”
Mr MacGibbon said organizations sometimes spend a week investigating a breach before even notifying the government.
Ms Bayer Rosmarin said the telecommunications company immediately stopped any further action after learning of the attack and authorities were called in to help investigate the source.
“We are very sorry and we understand that customers will be concerned,” she said.
“Please be assured that we are making every effort and liaising with all relevant authorities and organizations to protect our customers as much as possible.
“Optus has also notified key financial institutions about this matter. While we are not aware of any harm to customers, we encourage customers to be more aware of their accounts, including keeping an eye out for unusual or fraudulent activity and any notifications that seem strange or suspicious.”
Optus said its services were not affected by the breach and remained safe to use, with messages and voice calls unaffected.
Optus said it will send “proactive personalized notifications” to customers it identifies as “high risk”, but says it will not send any links in emails or SMS messages.
The telco advised customers to head to its website for information or contact it with any concerns.
On Thursday, the Australian Federal Police said it had been notified of the incident but could not comment further.
The federal government has been informed of the situation and the Australian Cyber Security Centre is providing security advice and technical assistance.
– from NCA NewsWire
Originally published as Optus CEO delivers emotional apology after cyber attack