Optus security breach compromises customers' passport details

Australian operator says it is investigating "unauthorised access" of personal data belonging to its current and former customers, including dates of birth, phone numbers, and passport numbers.
Written by Eileen Yu, Senior Contributing Editor

Optus has suffered a security breach that it says may have compromised various customer data, including dates of birth, email addresses, and passport numbers. Information belonging to both current and former customers of the Australian mobile operator is impacted in the security incident.

Optus said Thursday it was looking into "possible unauthorised access" of customer data following a cyber attack, but did not reveal details of what systems were affected, when the breach was discovered, or how many customers might be impacted.

Its CEO Kelly Bayer Rosmarin, though, said: "We have been subject to a cyberattack that has resulted in the disclosure of our customers' personal information to someone who shouldn't see it. As soon as we knew, we took action to block the attack and began an immediate investigation."

Rosmarin noted that while not all customers might be affected, investigations still were ongoing. 

According to Optus, the security breach could have compromised various customer data, including dates of birth, phone numbers, and email addresses, as well as additional information such as addresses and identification document details that included driver's licence and passport numbers for a specific group of customers. 

Financial details and account passwords were not affected by the breach, the Australian operator said. However, it said major financial institutions were notified about the breach. It also urged customers to keep watch for unusual or potentially fraudulent activities.

In an FAQ posted on its website, Optus said hackers had targeted only its customer data, leaving its systems and services including mobile and home internet unaffected. It now was in the process of notifying customers directly impacted by the breach with details of which data of theirs had been compromised. 

The mobile carrier added that it had notified the relevant authorities, including the Australian Federal Police, and was working with the Australian Cyber Security Centre on the incident. 

The Office of the Australian Information Commissioner (OAIC) confirmed it was notified of the data breach and was working with Optus to "ensure compliance" with the country's Notifiable Data Breaches rules. Under the regulation, organisations to which the Privacy Act 1988 applied must notify individuals and the OAIC "as quickly as possible" if a data breach had occurred that was likely to result in "serious harm" to individuals whose personal data was compromised.

Under Australia's Privacy Act, organisations have obligations to protect against unauthorised access, unauthorised disclosure or loss of personal information. "When a breach occurs, an organisation should contain the breach and take remedial action," the Office noted.

A wholly-owned subsidiary of Singtel, Optus is Australia's second-largest telco. In 2019, it had some 10.2 million mobile subscribers.

The carrier was involved in previous data privacy incidents, including a 2013 breach in which the operator accidentally published the names, addresses, and mobile phone numbers of 122,000 customers without their consent. In a 2008 incident, Optus left open the management ports of Netgear and Cisco Systems modems to facilitate remote access, leaving customers who did not change the default administrative passwords on the appliances vulnerable to potential hacks. 

