FBI will investigate the Optus hack
America’s Federal Bureau of Investigation has joined the Australian Federal Police in probing the case of the hacking of the Optus network.
Attorney-General Mark Dreyfus revealed the international cooperation as the group behind the breach scrapped its ransom demand and claimed to have deleted the 11 million customers’ records it scraped from the telco’s website.
The attempt to force Optus to pay $US1 million ($1.54 million) by Friday was dropped hours after the group released a batch of 10,000 Australian customers’ sensitive details on a data breach forum on the clear web.
The illegally obtained information includes passport, Medicare and driver’s licence numbers, dates of birth, home addresses and information about whether a person is renting or living with parents.
Several state governments have struck agreements with Optus to protect customers whose driver’s licences were compromised.
In Victoria and NSW, people can get replacement cards and Optus will cover the costs.
Affected customers in Queensland and South Australia can organise replacement licences free of charge, while the ACT and other jurisdictions are still working through the issue.
The hackers said they would have alerted Optus to its vulnerability if the telco had a secure method of contact or a bug bounty.
Mr Dreyfus told parliament a whole-of-government response had been launched, with the AFP not only working with government and industry but also the FBI.
The attorney-general also expressed concern Optus did not report the exposure of Medicare numbers in the breach.
Opposition defence spokesman Andrew Hastie described the government’s response to the hack as “lacklustre and slow”.
The opposition is calling for the government to waive fees and expedite the processing of new passports for Optus customers whose passport numbers had been compromised.
“Victims of the Optus cyber hack should not have to wait or pay significant amounts of fees to secure their personal information, and obtain a new passport,” shadow foreign affairs spokesman Simon Birmingham and shadow cyber security spokesman James Paterson said in a statement.
They said the Department of Foreign Affairs was advising on its website that “if you choose to replace your passport you’ll have to pay” as the department was not responsible for the data breach.
Optus says it has sent email or SMS messages to customers whose details were compromised and apologised for the concern it has caused.
But it insists payment details and account passwords were not compromised as a result of the attack.
The privacy commissioner has urged Optus customers to be vigilant and not click on any links in text messages.
-with AAP