Optus $US1 million ransom threat investigated

Authorities are investigating the authenticity of a threat to allegedly sell millions of customers’ personal information online unless telecommunications company Optus pays $US1 million ($1.53 million) in cryptocurrency to the hackers.

The post, made on a hacking forum where stolen data is advertised for sale, gives Optus one week to comply before the alleged data will be put up for sale for $US300,000 to other criminals. The Age and The Sydney Morning Herald have chosen not to publicise the hacking forum by naming it.

Optus said it had shut down the cyberattack and is working with authorities to mitigate customer risk and find the culprit.

Federal police are aware of reports of the alleged threats and have warned Australians that it is illegal to buy stolen data online, with penalties of up to 10 years in jail.

Optus has not confirmed if the poster actually possesses stolen company data. The company revealed on Thursday it had been hit with a massive cyberattack during the week that could have affected up to 9.8 million customers.

An Optus spokesman said of the online threat: “Optus is investigating the legitimacy of this.

“We also cannot comment on matters that may be under investigation by the AFP,” the spokesman said.

“Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings,” an Optus statement said.

An Australian Federal Police spokeswoman said it was aware of reports alleging stolen Optus customer data and credentials may have been offered for sale through a number of forums, including on the dark web.

“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,” the spokeswoman said, citing the 10 years’ jail maximum penalty for buying stolen data online.

The author of the forum post put up a sample of data, claiming it was stolen from Optus. There are some signs that the data is genuine, but it could have been compiled from other sources, such as previous cyberattacks on other companies. Another possibility is that the post is an attempt to con Optus or a criminal group into paying for false information.

Optus CEO Kelly Bayer Rosmarin has said the telco knew of the cyberattack a day before telling customers, which it decided to do via the media.

The Sydney Morning Herald and The Age spoke to several people, on condition of anonymity, whose data appeared in the sample.

They confirmed that at least some of the information published was accurate,although in one case a person on the list did not think they had previously been an Optus customer.

The information included names, addresses, phone numbers, email addresses, driver’s licence details and even individuals’ preferred pronouns.

Jeremy Kirk, executive editor at Information Security Media Group, a computer security-focused publisher, said he had attempted to check the veracity of one item of data after he saw an address in the sample file that was close to his home in NSW.

“I thought rather than emailing or calling to see if it’s genuine – because a lot of times people don’t answer or reply – I thought it’s a Saturday morning, it’s not raining, it’s nice outside, I’ll go around,” Kirk said.

He said he spoke to a woman at the residence, who requested to remain anonymous, but confirmed she had been an Optus customer until 2018, which is within the breach timeframe that dates back to 2017.

“I handed her her data,and said ‘Is this you?’ and she said ‘Yeah that’s me’.”

Kirk offered to put the woman in touch with Optus to see whether there was special assistance the company could give her,given the exposure of her information.

He emphasised that it was possible that the data, even if genuine, could have been taken from sources other than Optus.

Several emails in the sample do not appear in Have I Been Pwned?, a site run by Australian cybersecurity consultant Troy Hunt that allows users to check if they have been caught up in a data breach. That suggests the data in the sample could have been newly obtained from Optus, could be fake, or could merely come from another hack not catalogued by the site.
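The check described above, overlap between a leaked sample and a catalogue of previously breached addresses, is the kind of first-pass triage an analyst runs on a ransom post before taking it at face value. The following script is an added example and not code from the article or from Have I Been Pwned. The sample rows and the set of "already catalogued" addresses are constructed for illustration; in practice the catalogue lookup would be the Have I Been Pwned breached-account API (which needs an API key), and the script also flags a second signal the article touches on: duplicate or mismatched records, which can indicate a sample stitched together from several sources rather than pulled from one system.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample shaped like the fields the article lists
# (name, address, phone, email, licence, pronouns). Not real breach data.
SAMPLE_CSV = """name,address,phone,email,licence,pronouns
A Person,1 Example St Sydney NSW,0400000001,a.person@example.com,12345678,she/her
B Person,2 Example Rd Melbourne VIC,0400000002,B.Person@Example.org,,he/him
C Person,3 Example Ave Brisbane QLD,0400000003,c.person@example.net,87654321,they/them
D Person,4 Example Cr Perth WA,0400000004,a.person@example.com,12345678,she/her
"""

# Constructed stand-in for addresses a breach index such as Have I Been Pwned
# already knows about. A real run would populate this from its API.
KNOWN_BREACHED = {"b.person@example.org"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise_email(addr):
    # Case and whitespace differences must not hide a match against the index.
    return addr.strip().lower()


def parse_sample(text):
    return list(csv.DictReader(io.StringIO(text)))


def triage_sample(text, known_breached):
    """Summarise how much of a leaked sample is new relative to a breach index,
    plus internal-consistency signals (duplicates, presence of ID documents)."""
    rows = parse_sample(text)
    emails = [normalise_email(r["email"]) for r in rows if r["email"].strip()]
    valid = [e for e in emails if EMAIL_RE.match(e)]
    unique = set(valid)
    seen_before = unique & known_breached
    novel = unique - known_breached
    # The same email appearing on more than one record with different name or
    # address is a hint the sample was collated rather than dumped from one table.
    dupes = sorted(e for e, n in Counter(valid).items() if n > 1)
    with_id = sum(1 for r in rows if r["licence"].strip())
    return {
        "records": len(rows),
        "unique_emails": len(unique),
        "previously_catalogued": sorted(seen_before),
        "not_previously_catalogued": sorted(novel),
        "duplicate_emails": dupes,
        "records_with_id_document": with_id,
        "novelty_ratio": round(len(novel) / len(unique), 2) if unique else 0.0,
    }


if __name__ == "__main__":
    for key, value in triage_sample(SAMPLE_CSV, KNOWN_BREACHED).items():
        print(f"{key}: {value}")
```

A high novelty ratio on its own proves nothing, exactly as the article says: it is consistent with fresh data, with fabricated data, and with a breach the index has simply never ingested. The ratio is useful only alongside the other checks (contacting people on the sample, looking for fields such as pronouns that point to a specific source system, and noting duplicates).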

The alleged ransom post claims the data is in two files, with similar information. It claims about 4 million records in both have an identity document number, as well as other personal information.

A spokesman for the Australian Cyber Security Centre, which is helping to investigate the breach, declined to comment.

The identity of the hackers is not known. Optus chief executive Kelly Bayer Rosmarin said on Friday that they used European internet addresses to hide their true location.

Robert Potter, co-founder of cybersecurity firm Internet 2.0, said it was common for hackers to sell stolen information on breach forums.

“It looks like real Australian data,” Potter said. “But we are still waiting for Optus to confirm it comes from their systems.”
Nick Bonyhady is a technology writer for the Australian Financial Review,based in Sydney. He is a former technology editor,industrial relations and politics reporter at the Sydney Morning Herald and Age.

Ben Cubby is an investigative reporter for The Sydney Morning Herald.