The Guardian Australia

Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office

- Natasha May and Josh Taylor

The chief executive of Optus, Kelly Bayer Rosmarin, says federal police are “all over” a post on an online forum which purported to have released 10,000 customer records from the recent data breach and threatened to release more until a $1m ransom is paid.

The post was later deleted, along with a claim the writer had deleted the data and would not sell it to anyone.

Rosmarin also told ABC radio the company’s massive security breach was “not as being portrayed”, after the minister for home affairs accused the company of leaving the “window open” for the data to be stolen.

On Monday night, the purported attacker released a text file of 10,000 records, promising to leak 10,000 each day for the next four days unless Optus pays them $1m.

The released records include email addresses from the Department of Defence and the Office of the Prime Minister and Cabinet.

On Tuesday morning, the purported attacker deleted the original post with the links to the data and apologised for attempting to sell the data. They claimed to have deleted their copy of the data.

“Too many eyes. We will not sale [sic] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy),” they said.

“Sorry too [sic] 10,200 Australian whos [sic] data was leaked.

“Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you.”

They apologised to Optus and said they would have reported the exploit if Optus had made it possible to report. They said no ransom had been paid.

Optus declined to comment, citing the AFP investigation.

The Optus attack has affected up to 10 million customers, including 2.8 million people who had their driving licence or passport number leaked.

The purported attacker said they had obtained the data through an opening Optus had left accessible in its network, and the company had not yet contacted them.

The Australian federal police has launched Operation Hurricane to work with overseas law enforcement authorities to determine who had obtained the data and was attempting to sell it.

Guardian Australia has verified the file contains records with people’s names, dates of birth, email addresses, phone numbers, postal addresses, and in some cases, licence numbers, passport numbers and Medicare card numbers.

The home affairs minister, Clare O’Neil, said on Tuesday she was “incredibly concerned” about Medicare numbers being included in the data.

“Medicare numbers were never advised to form part of compromised information from the breach,” she said.

“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them. Reports today make this a priority.”

There are approximately 20 state and federal government emails listed in the dump, including four from the Department of Defence, and one from the Department of the Prime Minister and Cabinet.

Asked about the claim, Rosmarin said the company had “seen that there is a post like that on the dark web and the Australian federal police is all over that”.

“They’re looking into every possibility and they’re using the time available to see if they can track down that particular criminal and verify [the claim].”


O’Neil told ABC’s 7.30 program on Monday evening: “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”

O’Neil described the hack as “basic”, contradicting Rosmarin’s description earlier last week as a “sophisticated attack”.

Asked about O’Neil’s comments on ABC radio Tuesday morning, Rosmarin thanked reporter Peter Ryan “for letting me address that misinformation”.

Rosmarin said O’Neil’s interview with the ABC occurred before Optus’s briefing with the minister.

Guardian Australia understands that O’Neil’s view that it was not a sophisticated cyber-attack has not changed.

Rosmarin said the breach was “not what it’s made out to be” because the data was encrypted and there were “multiple levels” of protection.

She said it was not the case of having an “exposed API [address] sitting out there”.

“We have had the Australian centre for cybersecurity scan our perimeter … we want to make sure the environment is secure,” Rosmarin said.

The ABC asked Rosmarin if the company could be sure the breach wasn’t the result of human error.

“We know this is the work of some bad actors and really, they are the villains in this story.”

However she said if anything from the investigations “indicates Optus has made an error, we will take full accountability for that”.

Pressed on the harsher penalties that exist for companies in Europe, Rosmarin said: “I’m not sure what penalties benefit anybody. Optus is doing everything possible to be transparent and on the front foot. Our customers understand we are not the villains.”

She emphasised that much of the “data accessed is data already out there”.

Rosmarin indicated she will not be stepping down. “All we’re focused on is protecting our customers. Someone has to be accountable for doing that.”
