SYDNEY - Australian telecoms giant Optus came under more fire from the government on Tuesday for a massive cyber breach, while an anonymous online account believed to be that of the hackers said they were deleting stolen data and withdrawing a US$1 million (S$1.4 million) ransom demand.
Singtel-owned Optus, the country’s No. 2 mobile operator, said last week that data of up to 10 million customers, including home addresses, drivers’ licences and passport numbers, had been compromised in one of Australia’s biggest data breaches.
An account called "optusdata" in an online forum, believed by cyber security experts to be that of the hackers, had threatened to publish the data of 10,000 Optus customers per day unless they received US$1 million in cryptocurrency.
On Tuesday, however, the account holders posted that they had deleted the data due to “too many eyes”, were withdrawing their ransom demand, and were sorry for having already leaked the data of 10,200 Australians.
Optus and the Australian Federal Police, which have been working with the Federal Bureau of Investigation and other offshore law enforcement agencies to probe the cyber attack, declined to comment on whether they believed the optusdata account holders were behind the breach.
The Australian federal government has blamed Optus for the breach, flagged an overhaul of privacy rules and higher fines, and suggested the company had “effectively left the window open” for hackers to steal data.
Minister for Cyber Security Clare O’Neil said she was “incredibly concerned... about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom”, referring to the government’s health insurance scheme.
Optus chief executive Kelly Bayer Rosmarin said the incident had generated “a lot of misinformation” and the company took data protection seriously.
“Given we’re not allowed to say much because the police have asked us not to, what I can say... is that our data was encrypted and we had multiple layers of protection,” she told ABC Radio.
She added that most customers understand that “we are not the villains” and that the company had not done anything deliberate to put data at risk.
Mr Jeremy Kirk, a cyber security researcher and writer who said he had been in contact with the purported hackers, tweeted that it was unclear why they changed their mind but “this doesn’t change the risk for anyone exposed”.
“The Optus data has been stolen, and we can’t trust this person. No guard should be let down,” he wrote. REUTERS