Optus has been called out for failing to tell close to 10 million customers their personal details had potentially been stolen by hackers for a day.
The massive cyber breach allowed hackers to access personal details, such as passport and driver’s licence numbers, email and home addresses, dates of birth and telephone numbers, of around 10 million Australians.
Optus Regulatory and Public Affairs Vice President Andrew Sheridan said the company learnt of the breach late on Wednesday.
He was forced to defend the telco when 2GB host Ben Fordham questioned why they had waited until Thursday at 2pm to issue a press release.
Optus has been called out for waiting nearly 24 hours to tell close to 10 million customers their personal details had potentially been stolen by hackers
Fordham said The Australian newspaper had first broken the news about the breach at 1pm on Thursday, only for Optus to publish a release an hour later.
‘You knew about it on Wednesday … it was only after The Australian newspaper splashed the story on their website (on Thursday) that you put out a statement,’ Fordham said on his radio breakfast program on Friday.
‘If you’re interested in protecting your customers why didn’t you alert them the moment you were aware of this potential breach?’
Mr Sheridan said that there was a ‘number of steps’ that had to be taken in cyber incidents.
‘I think if you look at incidents like this we’ve acted very, very quickly,’ he said.
He was then cut off by Fordham who said he didn’t think the telco had acted fast enough.
‘I’ve got to call you out on that Andrew, I don’t think you’ve acted quickly at all,’ he said.
Optus Regulatory and Public Affairs Vice President Andrew Sheridan said the company learnt of the breach late on Wednesday. A press release was not issued by Optus until Thursday
‘We’ve seen many of these cases in the past where companies have said ”we don’t know if there’s been a breach, there’s been a potential breach, we want to alert you straight away” – you guys didn’t do that, you failed to do that.’
Mr Sheridan wouldn’t confirm the number of customers who’d been affected but said the investigation was ongoing.
He added Optus had to confirm the details of the breach and secure their network before they were able to alert customers.
The millions of customers impacted are being contacted by the telco.
Optus said users’ payment details and account passwords had not been compromised and it was working with the Australian Cyber Security Centre to limit the risk to both current and former customers.
Australian Federal Police, the Office of the Australian Information Regulator and other key regulators have also been notified.
Alastair MacGibbon, who is chief strategy officer at cyber-security firm CberCX and a former advisor to the prime minister, said Optus customers should watch out for criminals impersonating them online.
‘They should be looking for whether criminals are mimicking them, or stealing their identity, trying to obtain credit in their name … etc,’ he told the ABC.
He said Optus could guard the interests of their customers is by paying for credit monitoring.
‘That way you will be monitored by credit monitoring services if someone has been using your name and other details to obtain credit,’ Mr MacGibbon said.
It remains unclear what the hackers were after at this stage with authorities and the telco still investigating.
Optus said users’ payment details and account passwords had not been compromised and it was working with the Australian Cyber Security Centre to limit the risk to both current and former customers
Optus chief executive Kelly Rosmarin said the company was working with the Australian Federal Police to investigate the attack.
‘We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,’ she said in a statement.
‘As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.
‘We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.’
She said customers’ payment details had not been compromised, but advised them to check their bank accounts for suspicious activity.
‘Optus has also notified key financial institutions about this matter. While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.’
Mobile and home internet, along with messages and voice calls have not been affected.
Both past and present Optus customers have been impacted.
How to improve your cyber-security
Keep your devices up-to-date with security upgrades.
Use strong passwords that contain one lowercase letter, one uppercase letter, one number, and four symbols but not the following &%#@_
Don’t reuse the same password on multiple devices
Reset your password around once a year
Add a second layer of protection to a password by using two-factor or multi-factor authentication – such as a password and a number sent by text to your phone