Optus customers as far back as 2017 could be caught in the massive hack of the telco’s database, CEO Kelly Bayer Rosmarin has revealed.
Bayer Rosmarin told reporters on Friday that the company is still not sure exactly how many customers had their personal information compromised in the attack, but that 9.8 million was the “worst case scenario”.
“We have reason to believe that the number is actually less than that. But we are working to reconstruct exactly what the attackers received,” she said.
The personal information compromised in the attack included names, dates of birth, addresses, phone numbers and, in some cases, passport or driver’s license numbers.
The breach is believed to have occurred through the exploitation of an application programming interface (API) vulnerability, but Bayer Rosmarin would not confirm this, saying it was “the subject of criminal proceedings” and under investigation by the Australian Federal Police and the Australian Cyber Security Centre.
Optus first became aware of the intrusion into its network on Wednesday and alerted the media less than 24 hours after first shutting down the unauthorized access and ensuring there were no other vulnerabilities, Bayer Rosmarin said.
“We have worked with Australian Government cyber experts, privacy officials and regulators, and proactively reached out to the major financial institutions, our competitors and other companies so that we could protect not only our own customers as much as possible, but all Australians,” she said.
Optus has relied on informing customers through the media, and has not yet informed individual customers directly because the company has not yet determined how many customers were affected.
Telcos are required by Australian law to verify their customers’ identities to prevent people from registering burner phones or from number porting – a growing method of attack used to bypass two-factor authentication that relies on SMS codes. The data goes back to 2017 because Optus is required to keep identity verification records for six years.
Bayer Rosmarin said that once Optus determines which customers are affected, all customers, even those not directly affected, will hear from the company.
No ransom has been demanded and Optus has yet to determine whether it was a criminal or government attack on the company.
Bayer Rosmarin would not go into detail about how the attack took place, citing the criminal investigation.
The IP addresses of the attacker “came from different countries in Europe”, she said.
Brett Callow, a threat analyst, posted on Twitter that the names and email addresses of 1.1 million Optus customers had been for sale online since 17 September. Bayer Rosmarin could not say whether it was true.
“One of the challenges when you go public with that kind of information is that you can have a lot of people claiming a lot of things. So there’s nothing that’s been validated and for sale that we’re aware of, but teams are exploring all options.”
The CEO of the Singapore-owned telco said the entire country needed to respond to the attack together.
“We don’t yet know who these attackers are and what they will do with this information, which is why we really need a response from Australia,” Bayer Rosmarin said.
She fought back tears when asked what it meant that this attack happened on her watch.
“I’m angry that there are people out there who want to do this to our customers. I’m disappointed that we couldn’t have prevented it, and disappointed that it’s undermining all the great work we’ve done for being a pioneer in this industry.
“And I’m very sorry and I apologize.”