‘Angry’ Optus boss dodges questions about hack, reveals ‘worst case scenario’

Australia tracking down Optus hackers

Optus still doesn’t know whether hackers who stole the personal data of up to 9.8 million of its users were private criminals or state-sponsored.

And the telco giant is also still unsure how many customers have had their personal information – including emails, phone numbers and identifying documents like licences and passports – exposed to hackers.

But in a carefully managed media briefing on Friday, Optus CEO Kelly Bayer Rosmarin said she was “angry” about the hack, which is being described as the largest data breach in recent Australian history.

“I’m very sorry and apologetic, it shouldn’t have happened,” Ms Bayer Rosmarin said in response to a question approved by the telco’s team.

Optus is in its second day of damage control after revealing that it suffered a cyber attack on Wednesday. But Ms Bayer Rosmarin wouldn’t comment on how the hack occurred when asked on Friday.

“The exact mechanics are subject to a criminal investigation, and we won’t be divulging that – safe to say it’s a sophisticated attack,” she said.

In a briefing characterised more by what Optus doesn’t know about the hack than what it does, Ms Bayer Rosmarin also addressed reports claiming up to 9.8 million Optus customers had their data exposed.

She said that figure was the “absolute worst case scenario” and that there was “reason to believe the number is actually smaller than that”.

“We are working through reconstructing exactly what the attackers have received,” Ms Bayer Rosmarin said.

“Importantly, it’s a very small subset of data. It does not include any financial details.”

Ms Bayer Rosmarin said Optus first identified the hack on Wednesday, after someone noticed some “suspicious activity” – she was told about the cyber attack in a phone call from Optus’ chief information officer.

Optus has since temporarily disabled SIM card swaps and replacements through its online, phone and messaging services and will now require customers to visit a store and show their identification.

Ms Bayer Rosmarin confirmed Optus would contact each customer affected by the hack, but failed to answer questions about whether Optus will pay compensation to customers who’ve had their data stolen.

Customers dating back to 2017 may have been affected, because under law Optus must keep user records for six years, the company said.

“Our priority is going to start with the customers were the most fields [of data] may have been exposed,” Ms Bayer Rosmarin said.

“Over the next few days, all customers will know in what category they fall.”

In a follow-up statement sent to TND, Optus said it was “still finalising” the details around customer compensation following the cyber attack.

Ms Bayer Rosmarin said Optus had received no demands from the hackers about the stolen data, adding that the company and authorities were still investigating whether it was private criminals or state-sponsored.

“As critical infrastructure in the communications industry, we are obviously aware we are a consistent target for both government actors and criminals,” she said.

“This particular one [attack] is not similar to anything we’ve seen before.”

Regulators have warned Optus customers to be vigilant about scammers and identity theft in the wake of the data breach.

Australian Competition and Consumer Commission deputy commissioner Delia Rickard said on Friday that information stolen in the hack could be used to make a scam attempt “much more convincing”.

Liberal Senator James Paterson, former chair of the parliamentary committee overseeing intelligence and security, told the ABC on Friday that the Optus hack is the most significant in recent Australian memory.

“It is the nature of the information which appears to have been stolen which is particularly concerning,” he said.

“It’s personally identifiable, identifying information like people’s names, their phone numbers, their email addresses, their home addresses and in some cases even identification document numbers like passport[s].”

Ms Bayer Rosmarin called for a “team Australia” response to the hack.

“We don’t yet know who these attackers are and what they want to do with this information,” she said.

Stay informed, daily
A FREE subscription to The New Daily arrives every morning and evening.
The New Daily is a trusted source of national news and information and is provided free for all Australians. Read our editorial charter.
Copyright © 2024 The New Daily.
All rights reserved.