Millions of Australians have seen their personal data compromised in a major cyber attack on Optus.
The telecommunications company confirmed the data breach in a statement on Thursday afternoon, after The Australian revealed that around nine million Australians could be affected.
“Information that may have been exposed includes customer names, dates of birth, phone numbers, email addresses and, for a subset of customers, addresses, ID numbers, such as now the driver’s license or passport,” the statement said.
“Payment details and account passwords have not been compromised.”
About 2.8 million customers had all their data taken in the attack, which is believed to have been launched due to a weakness in the telco’s firewall. The Australian reported
About 7 million people had information such as their dates of birth, email addresses and phone numbers taken by the hackers.
The breach affects current and former Optus customers.
CEO Kelly Bayer Rosmarin said the telco acted immediately to stop any further action after learning of the attack and that authorities had been called in to help investigate the source.
“We are very sorry and understand that customers will be concerned,” he said.
“Please be assured that we are working hard and collaborating with all relevant authorities and organizations to help protect our customers as much as possible.
“Optus has also notified key financial institutions about this matter. While we are not aware of any harm to customers, we encourage them to be more aware of their accounts, including looking for unusual or fraudulent activity and any notification that looks strange or suspicious.”
Optus has said its services were not affected by the breach and remain safe to use, with messages and voice calls not compromised.
Customers have reported on social media that the telco has yet to contact them to inform them of the breach.
“Check emails. Nothing from Optus has told me about this,” Guardian audience editor Dave Earley said on Twitter.
“Terrible that customers are finding out through the media and not Optus,” said another Twitter user.
Optus said it will send “proactive personal notifications” to customers it identifies as “increased risk”, but says it will not send any links in emails or SMS messages.
The telco told customers to go to its website for information or contact them with any questions.
The Australian Federal Police (AFP) has been notified of the incident, but a referral has not yet been made.
“The AFP is aware of the incident but cannot comment further,” a spokesperson told NCA NewsWire.
The federal government has been informed of the situation, with the Australian Cyber Security Center providing security advice and technical assistance.
Telecom companies owned by Optus do not appear to be affected, with an Amaysim spokesperson telling NCA NewsWire that the company has not experienced any breaches.
Australian individuals and organizations are being targeted “through the rapid exploitation of technical vulnerabilities by state actors and cybercriminals seeking to exploit weaknesses and steal sensitive data”, Cyber Security MP Clare’s office said O’Neill.
“These very worrying reports represent one of the most serious cyber attacks an Australian business has ever suffered,” opposition cyber security minister James Paterson said on Twitter.
The internet is behind #Gladys
The words “Optus” and “Gladys” have shot to the top of Twitter’s trending list following the telco’s major security breach on Thursday.
Former NSW Premier Gladys Berejiklian was appointed as Optus CEO, Corporate, Business and Institutional in February, after stepping down as Premier in October 2021 and while still under investigation by the State corruption control body – ICAC.
Twitter users took to the site in droves and blasted Ms Berejiklian and Optus for the breach as customers desperately sought answers.
There is no suggestion of embezzlement by Ms Berejiklian.
– with Jack Evans