The hacker claiming to be behind the cyber attack against Optus has released 10,000 customer records and threatened to leak more if the Australian telecommunications giant refuses to pay them US$1 million in cryptocurrency.
The user known as “OptusData” has stolen the personal records of 9.8 million Australians, including details such as driver licence and passport numbers, home and email addresses, phone numbers, dates of birth and Medicare numbers.
They claimed Optus only has four days until they sell the data to other cyber criminals.
“Only contact onsite! Optus if you wish to contact message onsite! We are businessmen 1.000.000$US is lot of money and will keep too our word. If you care about customer you will pay! Revenue 9B$ dollar, 1M$US small price to pay!” the user warned in a ransom note posted on an online data breach forum.
“If 1.000.000$US pay then data will be deleted from drive. Only 1 copy exist. Will not sale data too. Completely gone!”
“Since they not payed yet here is 10.000 record from address file. Will release 10.000 record every day for 3 day when they not pay.”
The suspected hacker also claimed to have obtained over 3.9 million forms of “identity document number” and 3.2 million driver licence numbers.
Optus CEO Kelly Bayer Rosmarin on Tuesday morning said the data breach is “not what it’s made out to be” because the data was “encrypted” and Optus has “multiple layers of protections.”
“We’re not allowed to say much because the police has asked us not to,” she told ABC (Australian Broadcasting Corporation) Radio.
“So, it is not the case of having some sort of completely exposed API sitting out there. We invest heavily in our cyber defences, and we really are doing everything we can to ensure that our environment is secure.”
The comment comes after Cyber Security Minister Clare O’Neil said responsibility for the data breach lay squarely at the feet of Optus and that the company should offer free credit monitoring to customers impacted.
“The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” the minister told parliament on Monday.
Meanwhile, Optus will also potentially face a class action filed by law firm Slater and Gordon on behalf of customers affected by the cyber attack.
“This is potentially the most serious privacy breach in Australian history, both in terms of the number of people affected and the nature of the information disclosed,” class action senior associate Ben Zocco said.
“We consider that the consequences could be particularly serious for vulnerable members of society, such as domestic violence survivors, victims of stalking and other threatening behaviour, and people who are seeking or have previously sought asylum in Australia.”