Optus under further fire for cyber breach, purported hacker claims data deleted

By Renju Jose and Byron Kaye

SYDNEY (Reuters) -Australian telecoms giant Optus came under more fire from the government on Tuesday for a massive cyber breach, while an anonymous online account believed to be that of the hackers said it was deleting stolen data and withdrawing a $1 million ransom demand.

Singapore Telecoms-owned Optus, the country’s No. 2 mobile operator, said last week that data of up to 10 million customers including home addresses, drivers’ licenses and passport numbers had been compromised in one of Australia’s biggest data breaches.

An account called ‘optusdata’ in an online forum, believed by cybersecurity experts to be that of the hackers, had threatened to publish the data of 10,000 Optus customers per day unless they received $1 million in cryptocurrency.

On Tuesday, however, the account holders posted they had deleted the data due to “too many eyes”, were withdrawing their ransom demand and were sorry for having already leaked data of 10,200 Australians.

Optus and the Australian Federal Police, which have been working with the Federal Bureau of Investigation and other offshore law enforcement agencies to probe the cyberattack, declined to comment on whether they believed the ‘optusdata’ account holders were behind the breach.

The Australian federal government has blamed Optus for the breach, flagged an overhaul of privacy rules and higher fines, and suggested the company had “effectively left the window open” for hackers to steal data.

Minister For Cyber Security Clare O’Neil said she was “incredibly concerned … about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom”, referring to the government’s health insurance scheme.

Optus Chief Executive Kelly Bayer Rosmarin said the incident had generated “a lot of misinformation” and the company took data protection seriously.

“Given we’re not allowed to say much because the police have asked us not to, what I can say … is that our data was encrypted and we had multiple players of protection,” Bayer Rosmarin told ABC Radio.

She added that most customers understand that “we are not the villains” and that the company had not done anything deliberate to put data at risk.

Jeremy Kirk, a cybersecurity researcher and writer who said he had been in contact with the purported hacker, tweeted that it was unclear why they changed their mind but “this doesn’t change the risk for anyone exposed”.

“The Optus data has been stolen, and we can’t trust this person. No guard should be let down,” he wrote.

(Reporting by Renju Jose, Lewis Jackson and Byron Kaye; Editing by Gerry Doyle and Edwina Gibbs)