Peter A Clarke

The question of whether the hackers who stole personal information of almost 10 million current and former Optus customers were criminals motivated by money or state based operatives has been resolved.  It was criminals.  The hackers have released personal information of 10,000 individuals and have promised to release details of 10,000 more people each day for the next four days until the hackers demands have been met.  It is reported in the Australian at Details of 10,000 Optus customers released.  It provides:

The details of 10,000 Optus customers have been released following the telco’s massive data breach last week.

The alleged hackers behind the breach released the details, including passport and driving licence numbers, dates of birth and home addresses, and threatened to release the same number of records every day until a ransom of AUD$1.5 million was paid.

Cyber security researcher and writer Jeremy Kirk from ISMG Corp, who has been in contact with the alleged hacker, tweeted the “bad news” on Tuesday.

Optus admitted last week that up to 10 million customers had been impacted by the theft of data, a breach for which the government has said the telco is entirely to blame.

As class action lawyers consider a case against the telecommunications giant, Home Affairs Minister Clare O’Neil flagged “substantial reform”, highlighting the “hundreds of ­millions of dollars” in fines the company would have faced if the breach occurred in countries with stricter data security requirements. Australian companies responsible for failing to protect customers’ data currently face penalties of just $2.2m, while in the US, a credit agency was fined $US575m in 2019 over a major data breach.

The government is furious with Optus over its loss of 9.8m customer records, seeing the incident as a major corporate failure and an urgent warning sign that tougher penalties are required.

Optus chief executive Kelly Bayer Rosmarin on Tuesday defended the company’s actions in the wake of the breach, saying “we are not the villains.”

“We definitely know this is the work of some bad actors, and really they are the villains in this story,” Ms Rosmarin told ABC Radio on Tuesday.

“Of course we will investigate what happened… If something comes out that Optus has made an error or did something wrong, we will be accountable for that.”

Reports that the data was inadequately protected and open for the taking, reiterated in comments from cybersecurity minister Clare O’Neil on Monday, were inaccurate, Ms Rosmarin insisted.

“It is not what is being portrayed,” she said. “Our data was encrypted and we have multiple layers of protection.”

Ms Rosmarin could not confirm whether the stolen data was being held at ransom. It was reported on Monday that hackers have released the data of 10,000 customers in an attempt to get Optus to pay up.

“We have seen that there is a post like that (requesting a ransom payment) on the dark web, and the Australian Federal Police is all over that,” she said. “They’re looking into every possibility and they’re using the time available to see if they can track down that particular criminal.”

In response to questions regarding European privacy laws, which expose telcos to millions in fines for similar breaches, Ms Rosmarin said: “I’m not sure how penalties would benefit anybody.”

“The data that has been accessed was most likely out there already,” she added. “It’s a good reminder for people to be super vigilant.”

Ms Rosmarin continues to resist calls that she resign. She is staying on to ensure affected customers are looked after, she said.

Optus has contacted customers whose identifying information — including passport and licence numbers — was stolen. It is now contacting those who had other information