A forum post from the person who breached Optus’s customer database was removed and replaced with an apology on Tuesday morning, mere hours after the user posted a file containing 10,000 user records.
“Too many eyes,” the updated post read. “We will not sale [sic] data to anyone.”
In a typo-riddled post, the user with the name ‘optusdata’ apologised to Optus and to the 10,000 Australians whose data they leaked.
“Deepest apology to Optus for this. Hope all goes well,” they wrote.
The original post contained an extortion threat for US$1 million in the Monero cryptocurrency with warnings that if Optus didn’t pay within one week, the data on 9.8 million Australians – which contains driver’s licence, passport, and Medicare numbers – would go on sale.
At around 10am on Tuesday morning, the post mysteriously disappeared before being replaced by the apology in which ‘optusdata’ said no ransom had been paid and called their publication of the scraped data a “mistake”.
The bad actor left a note to Optus saying they “would have reported [the] exploit” if the telco had a bug bounty program or way to contact about security concerns.
Before it was taken down, the published data on 10,000 Optus customers – just a fraction of the 11 million the attacker claims to have scraped – shows the extent of the incident and raises questions about Optus’s claims to Information Age last week that “the information that was accessed was encrypted”.
The data, which appears to be in JSON format, contains numerous fields including ‘documentType’ and ‘documentNumber’, which hold details of passports, driver’s licences, and Medicare numbers for certain customers.
Although there are fields for ‘hashedPhone’ and ‘hashedEmail’ – which contain long strings one would assume are cryptographic hashes of phone numbers and email addresses – the fields appear right next to the same data stored in plain text.
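To illustrate why a hash stored beside its own plaintext adds no protection, here is an added audit script (not from the article, Optus or the poster) that scans a JSON export for the field pairs described above and reports whether each hash is a plain unsalted digest of the adjacent value. The records, the plaintext field names ‘phone’ and ‘email’, and the document values are constructed assumptions for this example.

```python
import hashlib
import json

# Constructed sample export. documentType, documentNumber, hashedPhone and hashedEmail
# are field names reported in the article; 'phone', 'email' and all values are assumed.
SAMPLE_EXPORT = json.dumps([
    {"email": "alice@example.com",
     "hashedEmail": hashlib.sha256(b"alice@example.com").hexdigest(),
     "phone": "0400000001",
     "hashedPhone": hashlib.sha256(b"0400000001").hexdigest(),
     "documentType": "DRIVERS_LICENCE", "documentNumber": "00000000"},
    {"email": "bob@example.com",
     "hashedEmail": "a" * 64,  # unknown scheme, does not match any unsalted digest
     "phone": "0400000002",
     "hashedPhone": hashlib.md5(b"0400000002").hexdigest(),
     "documentType": "PASSPORT", "documentNumber": "X0000000"},
])

# (hashed field, plaintext field) pairs that should never travel together in one record.
PAIRS = [("hashedPhone", "phone"), ("hashedEmail", "email")]
ALGORITHMS = ("md5", "sha1", "sha256")


def unsalted_match(plaintext: str, digest: str):
    """Return the name of the unsalted algorithm that maps plaintext to digest, else None.

    A match means the 'hashed' column is trivially linkable to the plaintext and, for
    low-entropy data such as phone numbers, reversible by exhaustive lookup.
    """
    for name in ALGORITHMS:
        if hashlib.new(name, plaintext.encode()).hexdigest() == digest.lower():
            return name
    return None


def audit_export(raw_json: str) -> list:
    """Flag every record that carries a hash next to its plaintext, or a document number in clear."""
    findings = []
    for idx, rec in enumerate(json.loads(raw_json)):
        for hashed, plain in PAIRS:
            if hashed in rec and plain in rec:
                findings.append({"record": idx, "field": plain,
                                 "issue": "plaintext stored beside its hash",
                                 "unsalted": unsalted_match(rec[plain], rec[hashed])})
        if rec.get("documentNumber"):
            findings.append({"record": idx, "field": "documentNumber",
                             "issue": "identity document number stored in clear",
                             "unsalted": None})
    return findings
```

Each finding names the record, the offending field and, where one is detected, the unsalted algorithm that reproduces the stored hash from the plaintext.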
Bigger fines for data breaches
The government will consider imposing bigger fines for data breaches in the wake of Optus’s serious security intrusion which saw a bad actor gain access to personal information of 9.8 million Australians reportedly through an unauthenticated API.
Speaking to the ABC’s 7.30 program on Monday night, Home Affairs and Cyber Security Minister Clare O’Neil said Australia's current regulatory landscape was “a decade behind” when it comes to privacy protections.
“In other countries around the world, a breach of this scale would result in hundreds of millions of dollars’ worth of fines against a company like Optus,” O’Neil said.
“[In Australia,] just over $2 million is the maximum fine under breaches of the Privacy Act – totally inappropriate.”
Europe’s General Data Protection Regulation (GDPR) is a world leader for data protection laws and imposes two tiers of fines.
Less severe infringements can be penalised up to €10 million ($15 million) or two per cent of the organisation’s global annual revenue, whichever is greater, while serious infringements can see penalties up to €20 million ($30 million) or four per cent of global annual revenue.
Speaking to ABC Radio on Tuesday morning, Optus CEO Kelly Bayer Rosmarin said she didn’t see the need for increased penalties.
“I'm not sure what penalties can benefit anybody,” Bayer Rosmarin said, adding that Optus “is doing absolutely everything possible to be transparent, to be on the front foot”.
Unsophisticated attack
Throughout the ordeal, Optus has maintained the breach was the result of a “sophisticated” attack on its systems.
Early reports suggested the data was scraped from an unauthenticated, internet-facing API – something the hacker has personally confirmed.
Indeed, O’Neil wasn’t buying the “sophisticated” line either, telling the ABC that a breach of data, which included driver’s licence or passport numbers for 2.8 million Australians, was unacceptable from a major telco.
“What is of concern for us is how what is quite a basic hack was undertaken on Optus,” O’Neil said.
“We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”
Driver’s licence and passport numbers can be used as 100 points of ID, O’Neil added, meaning the “scope for identity theft and fraud is quite significant”.
Optus on Monday announced it would foot the bill for 12 months of identity protection services for the “most affected current and former customers”, following O’Neil’s suggestion.