A Sydney man has been charged with allegedly trying to extort Optus customers in a text message scam using data that was compromised in the recent cyberattack.
The Australian Federal Police (AFP) this morning executed a search warrant at a house in Rockdale, south of Sydney, where they arrested a 19-year-old accused of having carried out the scam.
He is not suspected of being responsible for the original breach by Optus.
An AFP image of the 19-year-old man who was arrested in Rockdale. (AFP)
Police will allege the man accessed the 10,200 stolen records the original hacker posted online and then sent a scam text message to 93 customers.
The message demanded $2,000 from the recipient, threatening to release more information if the ransom was not paid.
None of the 93 customers who received the message are believed to have paid the ransom.
These two correspondences are also examples of scams circulating after the Optus hack. (Scamwatch)
AFP cyber command deputy commissioner Justine Gough said the man allegedly tried to profit financially from the stolen data which was released on an online forum.
“Last week, the AFP and our state and territory partners launched Operation Guardian to protect the most vulnerable customers affected by Optus’ breach and we were absolutely clear that there would be zero tolerance for the criminal use of ‘this stolen data,’ Gough said. .
“The warning is clear. Don’t test the ability or dedication of law enforcement.
“The AFP, our state partners and industry are relentlessly trawling forums and other online sites for criminal activity related to this breach.
“Just because there’s been one arrest doesn’t mean there won’t be more.”
Police will allege the man accessed the 10,200 stolen records the original hacker posted online and then sent a scam text message to 93 customers. (Eddie Jim)
The AFP traced a bank account used in the scam message as part of its investigation.
The Sydney man has since been charged with two offences: using a telecommunications network with intent to commit a serious crime and handling identity information, which carry a maximum sentence of 10 and seven years in prison.
He is scheduled to appear in Sydney’s Central Local Court at a later date.
Scam text from “mama” leads to Aussie bank account
The arrest comes as confusion reigns over Optus’ communications
Two days ago, Optus confirmed that at least 2.1 million personal identification numbers had been stolen as the telco announced an external review into the massive cyber attack.
Following investigations, Optus said that of the 9.8 million customers whose data was hacked, it believes 7.7 million do not need to replace documents.
The 2.1 million pieces of personally identifiable information include 150,000 passports and 50,000 Medicare numbers.
Optus has contacted customers affected by the hack with updates, but many reported being confused by multiple text messages from different numbers.
Optus customers reported being confused by mixed messages from the telco in the wake of the attack. (new)
Independent “forensic” review ordered
Optus has commissioned an independent forensic review into the cyber attack against the telco, which saw the personal information of thousands of customers leaked.
The review will be carried out by international services firm Deloitte and will look at the cyber attack itself, Optus’ security systems and its controls and processes.
“As part of the review, Deloitte will conduct a forensic assessment of the cyber attack and the circumstances surrounding it,” Optus said in a statement released on Monday.
Optus chief executive Kelly Bayer Rosmarin has ordered an independent review of the attack. (Dominic Lorrimer)
Optus said the review was recommended by CEO Kelly Bayer Rosmarin.
In the statement, Bayer Rosmarin said the company was determined to find out what went wrong.
“This review will help ensure we understand how it happened and how we can prevent it from happening again,” he said.
It is unclear when the investigation will begin.