Note to Optus customers
POLICE are investigating a massive hacking attack against Optus that may have compromised millions of customers, but the company’s boss has only offered an apology and a few words of advice.
Passport and driver’s licence numbers were among the information allegedly stolen in the massive hacking incident.
Federal police have launched a probe after receiving a referral from Optus about the alleged “mass data breach”.
“The AFP will work with Optus to obtain the crucial information and evidence needed to conduct this complex, criminal investigation,” a statement on Friday read.
Optus chief executive Kelly Bayer-Rosmarin apologised for the cyber intrusion in a conference call with reporters on Friday, saying “it should not have happened”.
“I’m disappointed that we couldn’t prevent it,” she said.
“It undermines all the great work we’ve been doing to be a pioneer in this industry, be a challenger, and create new and wonderful experiences for our customers. I’m really sorry.”
The cyber breach could have wide-reaching consequences for private and small business customers, Ms Bayer-Rosmarin acknowledged.
In an “absolute worst-case scenario”, 9.8 million customers were affected.
Unconfirmed screen-grabs from a dark web hacker forum show cyber criminals claiming to have access to one million Optus phone numbers.
Ms Bayer-Rosmarin urged customers to be on the watch for suspicious contacts, fearing bad actors who access the data could use it to place scam calls.
“What customers can do is just be vigilant,” she said.
“If somebody calls you and says they want to connect to your computer and says to give them your password or let them in, don’t allow it.”
She said passwords and financial details had not been compromised; however, other sensitive information had been pilfered.
“We do hold a reference to the identification information, whether it's the driver’s licence number or passport number. That’s the field that’s been compromised,” she said.
Police are urging everyone to harden their online security by strengthening passwords.
Brett Callow, threat analyst with the cyber security firm Emsisoft, said companies should do what they could to minimise the collection of personal data.
“Generally speaking, it’s good practice for companies to collect only information that they absolutely need to collect and to retain it for no longer than necessary – in fact, this is a legal requirement in Europe,” he said. “Why should companies hold on to information that they don’t need anyway?”
Ms Bayer-Rosmarin said there was a simple explanation.
“We hold on to customer data for a period of time [because] it is the law,” she said. “We have to be able to go back into our records for six years.”
Customers who have been affected will be contacted by Optus in the coming days.
Customers who believe their data may have been compromised were asked to contact Optus through the My Optus App (the company said this is the safest way to interact with Optus), or by calling 133 937.
Optus said it would not send links in any emails or SMS messages.
Customers have also been advised to change their online account passwords; enable multifactor authentication for banking; and place limits on withdrawals for their banking.