Optus customers dating as far back as 2017 could be caught up in the massive hack of the telecommunications company’s database, CEO Kelly Bayer Rosmarin has revealed.
Bayer Rosmarin told reporters on Friday that the company is still not sure exactly how many customers had their personal information compromised in the attack, but that 9.8 million was the “worst case scenario”.
“We have reason to believe that the number is actually smaller than that. But we are working through reconstructing exactly what the attackers have received,” she said.
The personal information compromised in the attack included names, dates of birth, addresses, phone numbers and in some cases passport or driver’s licence numbers.
The intrusion is believed to have occurred through the exploitation of a vulnerability in an application programming interface (API), but Bayer Rosmarin would not confirm this, saying it was “the subject of criminal proceedings” and under investigation by the Australian federal police and the Australian Cyber Security Centre.
Optus first became aware of the intrusion into its network on Wednesday, and alerted the media less than 24 hours after first shutting down the unauthorised access and ensuring there weren’t any other vulnerabilities, Bayer Rosmarin said.
“We have been working with Australian government cyber experts, privacy officials and regulators, and proactively reached out to the major financial institutions, our competitors and other businesses so that we could protect not only our own customers as much as possible, but all Australians,” she said.
Optus has relied on informing customers through the media, and has not yet informed individual customers directly because the company is yet to determine how many customers were affected.
Telecommunications companies are required under Australian law to verify the identities of their customers, to prevent people from registering burner phones or from porting numbers – a growing method of attack used to bypass two-factor authentication that relies on SMS codes. The data goes back to 2017 because Optus is required to keep identity verification records for six years.
Bayer Rosmarin said once Optus determines which customers are affected, all customers, even those not directly affected, will hear from the company.
There have been no ransom demands made, and Optus has not yet determined whether it was a criminal or state-actor attack on the company.
Bayer Rosmarin wouldn’t go into detail about how the attack occurred, citing the criminal investigation.
The IP addresses of the attacker “came out of various countries in Europe”, she said.
Brett Callow, a threat analyst, posted on Twitter that names and email addresses for 1.1 million Optus customers had been for sale online since 17 September. Bayer Rosmarin could not say whether that was true.
“One of the challenges when you go public with this sort of information is you can have lots of people claiming lots of things. So there is nothing that’s been validated and for sale that we’re aware of, but the teams are looking into every possibility.”
The CEO of the Singapore-owned telecommunications company said the whole country needed to respond to the attack together.
“We don’t yet know who these attackers are and what they want to do with this information, which is why we really need a team Australia response,” Bayer Rosmarin said.
She fought back tears when asked what it meant for this attack to happen on her watch.
“I’m angry that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it, and disappointed it undermines all the great work we’ve been doing to be a pioneer in this industry.
“And I’m very sorry and apologetic.”