Millions of Australians have had their personal details compromised in a major cyberattack on Optus.
The telco confirmed the data breach in a statement on Thursday afternoon, after The Australian revealed some nine million Aussies could be affected.
“Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers,” the statement said.
“Payment detail and account passwords have not been compromised.”
Nearly 2.8 million customers had all of their details taken in the attack, which is thought to have been launched through a weakness in the telco’s firewall, The Australian reported.
About 7 million people had information like their dates of birth, email addresses and phone numbers taken by the hackers.
The breach affects current and former customers of Optus.
CEO Kelly Bayer Rosmarin said the telco acted immediately to stop any further action after learning of the attack, and authorities had been called in to assist in investigating the source.
“We are very sorry and understand customers will be concerned,” she said.
“Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.
“Optus has also notified key financial institutions about this matter. While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.”
Optus has said its services were not affected in the breach and remain safe to use, with messages and voice calls not compromised.
Customers have taken to social media to say that the telco had not yet contacted them to make them aware of the breach.
“Checks emails. Nothing from Optus telling me about this,” Guardian audience editor Dave Earley said on Twitter.
“Terrible that customers are finding out via the media and not Optus,” another Twitter user said.
Optus said it would send “proactive personal notifications” to customers it identifies as having “heightened risk”, but said it would not send any links in emails or SMS messages.
The telco told customers to head to its website for information or to contact it with any concerns.
The Australian Federal Police (AFP) have been notified of the incident but a referral is yet to be made.
“The AFP is aware of the incident but cannot comment further,” a spokesperson told NCA NewsWire.
The federal government has been made aware of the situation, with the Australian Cyber Security Centre providing security advice and technical assistance.
Optus-owned telcos don’t seem to be affected, with a spokesman from Amaysim telling NCA NewsWire the company has not experienced a breach.
Australian individuals and organisations are being targeted “through rapid exploitation of technical vulnerabilities by state actors and cyber criminals seeking to exploit weaknesses and steal sensitive data,” the office for Cyber Security MP Clare O’Neil said.
“These very concerning reports represent one of the most serious cyber attacks ever suffered by an Australian business,” Opposition Minister for Cyber Security Senator James Paterson said on Twitter.
Internet goes after #Gladys
The words ‘Optus’ and ‘Gladys’ have shot to the top of Twitter’s trending list following the telco’s major security breach on Thursday.
Former NSW premier Gladys Berejiklian was appointed to Optus’ “newly-created” Managing Director, Enterprise, Business and Institutional role in February, after resigning as premier in October 2021, and while still under investigation by the state’s corruption watchdog – ICAC.
Twitter users took to the site in droves, slamming Ms Berejiklian and Optus for the breach as customers desperately searched for answers.
There is no suggestion of wrongdoing on the part of Ms Berejiklian.
– with Jack Evans