Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Australian Police Probe Purported Hacker’s Ransom Demand

Australian police were investigating a purported hacker’s release of the stolen personal data of 10,000 Optus customers and demand for a $1 million ransom in cryptocurrency, the telecommunications company’s chief executive said Tuesday.

Australian police were investigating a purported hacker’s release of the stolen personal data of 10,000 Optus customers and demand for a $1 million ransom in cryptocurrency, the telecommunications company’s chief executive said Tuesday.

The Australian government has blamed lax cybersecurity at the nation’s second-largest wireless carrier for the unprecedented breach last week of the personal data of 9.8 million current and former Optus customers.

Jeremy Kirk, a Sydney-based cybersecurity writer, said the purported hacker, who uses the online name Optusdata, had released 10,000 Optus customer records on the dark web and threatened to release another 10,000 every day for the next four days unless Optus paid the ransom.

Asked if the hacker had threatened to sell the remaining data if Optus did not pay the $1 million within a week, the company’s chief executive Kelly Bayer Rosmarin told Australian Broadcasting Corp.: “We have seen there is a post like that on the dark web.”

Australian Federal Police said Monday their investigators were working with overseas agencies, including the FBI, to determine who was behind the attack and to help shield the public from identity fraud. Police declined further comment Tuesday as the investigations were ongoing.

“They’re looking into every possibility and they’re using the time available to see if they can track down that particular criminal and verify if they a bona fide,” Bayer Rosmarin said.

Kirk wrote in his website Bank Info Security that Optusdata later deleted the post along with three samples of the stolen data.

Optusdata sent Kirk a link to the new post that withdrew the ransom demand, claimed the stolen data had been deleted and apologized to Optus as well as its customers.

Advertisement. Scroll to continue reading.

“Too many eyes. We will not sale (sic) data to anyone,” the post said, adding that Optus had not paid a ransom.

Kirk said he asked why Optusdata had changed their mind but received no response.

Australian Information and Privacy Commissioner Angelene Falk, the national data protection authority, said the latest post “indicates … this is a very fast-moving incident.”

“It’s a major incident of significant concern for the community. What we need to focus on here is ensuring that all steps are maintained to protect the community’s personal information from further risk of harm,” Falk said.

Earlier Tuesday, Kirk said the released personal data appeared to include health care numbers, a form of identification not previously revealed publicly to have been hacked.

Cybersecurity Minister Clare O’Neil urged Optus to give priority to informing customers of what information had been taken.

“I am incredibly concerned this morning about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom,” O’Neil said. “Medicare numbers were never advised to form part of compromised information from the breach,” she added.

O’Neil on Monday described the hack as an “unprecedented theft of consumer information in Australian history.”

Of the 9.8 million people affected, 2.8 million had “significant amounts of personal data,” including driver’s licenses and passport numbers, breached and are at significant risk of identity theft and fraud, she said.

Kirk said he used an online forum for criminals who trade in stolen data to ask Optusdata how the Optus information was accessed.

Optus appeared to have left an application programming interface, a piece of software known as an API that allows other systems to communicate and exchange data, open to the public, Kirk said.

“It looks like it was a failure to secure the software system, so anybody on the internet could find it,” Kirk said.

The Australian Financial Review said the theory that Optus “left open an API” had been widely reported.

Bayer Rosmarin rejected such explanations.

“Given we’re not allowed to say much because the police have asked us not to, what I can say — that hopefully will help people understand that it’s not as being portrayed — is that our data was encrypted and we have multiple layers of protection,” Bayer Rosmarin said.

“So it is not the case of having some sort of completely exposed API sitting out there,” she added.

O’Neil didn’t detail how the breach occurred, but described it as a “quite a basic hack.”

Optus had “effectively left the window open for data of this nature to be stolen,” O’Neil said.

Australia’s government is considering tougher cybersecurity rules for telecommunications companies as a result of the hack.

Current cyberprotection law doesn’t allow for Optus to be fined for the breach, though O’Neil noted fines of hundreds of millions of dollars would be possible if it had occurred in other countries.

O’Neil said a potential 2 million Australian dollar ($1.3 million) fine under privacy law was inadequate.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.