Optus reveals extent of data breach, but stays mum on how it happened

Of the 9.8 million customers impacted by the data breach, 1.2 million have at least one form of identification number that is valid, says the Singtel-owned Australian operator, adding that it has brought in Deloitte to investigate the breach, including how it occurred.
Written by Eileen Yu, Senior Contributing Editor

Optus says its recent data breach impacted 1.2 million customers with at least one form of identification number that is valid and current. The Australian mobile operator also has brought in Deloitte to lead an investigation on the cybersecurity incident, including how it occurred and how it could have been prevented. 

Optus said in a statement Monday that Deloitte's "independent external review" of the breach would encompass the telco's security systems, controls, and processes. It added that the move was supported by the board of its parent company Singtel, which had been "closely monitoring" the situation. 

Elaborating on Deloitte's forensic assessment, Optus CEO Kelly Bayer Rosmarin said: "This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists."

In its statement, Optus added that it had worked with more than 20 government agencies to determine the extent of the data breach. 

Of its customer base of 9.8 million, the Australian operator said 1.2 million customers had at least one number from a current and valid form of personal identification information that was compromised in the breach. Optus said it had contacted these customers and recommended action they should take to change their identification documents. 

The data of another 900,000 customers had numbers associated with expired identification documents that were compromised in the breach, in addition to personal information. Optus said it was working with government agencies to identify further steps, if any, that should be taken for these customers. The telco added that it also informed these customers that their ID documents were leaked.

Compromised data of the remaining 7.7 million customers did not contain valid or current identification numbers, but had encompassed other personal details such as email addresses, birth dates, and phone numbers. These customers should "remain vigilant", Optus said. 

The telco said on Sunday that it had sent SMS or email messages to customers in six states, including New South Wales, whose driver licence and card numbers were compromised in the security breach, as well as customers whose Medicare card numbers were leaked. 

It still was working with the state governments of Victoria and Queensland to identify customers whose driver licence details were compromised. 

According to Optus, 14,900 Medicare identification numbers compromised in the breach were valid and had not expired. Another 22,000 customers had expired medicare card numbers. All of these customers had been notified. 

While the telco has yet to provide details on how the breach occurred or what systems were breached, various local reports point to an online API (application programming interface) that apparently did not require authentication or authorisation for customer data to be accessed. 

Australia's Minister for Home Affairs Clare O'Neil last week lashed out at Optus over the breach: "What happened at Optus wasn't a sophisticated attack. We should not have a telecommunications provider in this country that effectively left the window open for data of this nature to be stolen... They are to blame. The cyber hack undertaken here was not particularly technologically challenging."

Australian Prime Minister Anthony Albanese added that the data breach underscored the need to revise the country's cybersecurity laws. "We know that this breach should never have happened," Albanese said. "Clearly we need better national laws after a decade of inaction to manage the immense amount of data collected by companies about Australians, and clear consequences for when they do not manage it well."


Editorial standards