Optus under further fire for cyber breach, purported hacker claims data deleted

A woman uses her mobile phone as she walks past an Optus store in Sydney, Australia, on February 8, 2018. REUTERS/Daniel Munoz

SYDNEY, Sept 27 (Reuters) – Australian telecoms giant Optus came under further government fire on Tuesday over a massive cyber breach, while an anonymous online account believed to be the hacker said it was wipe stolen data and withdraw one million dollars ransom demand.

Optus, owned by Singapore Telecoms (STEL.SI), the country’s second-biggest mobile operator, said last week data of up to 10 million customers, including home addresses, driver’s licenses and passport numbers, had been compromised in one of Australia’s biggest data breaches.

An account called “optusdata” on an online forum that cybersecurity experts believe is the hackers’ had threatened to release the data of 10,000 Optus customers a day unless they receive $1 million in cryptocurrency.

However, on Tuesday, the account holders said they deleted the data because of “too many eyes”, withdrew their ransom note and regretted having already leaked data on 10,200 Australians.

Optus and the Australian Federal Police, who have been working with the Federal Bureau of Investigation and other offshore law enforcement agencies to investigate the cyberattack, declined to comment on whether they believe “optusdata” account holders were behind stick to the violation.

Australia’s federal government has blamed Optus for the breach, announced an overhaul of privacy rules and increased fines, and claimed the company “effectively left the window open” for hackers to steal data.

Cybersecurity Secretary Clare O’Neil said she was “incredibly concerned … by reports that personal data from the Optus data breach, including Medicare numbers, is now being offered for free and for a ransom,” referring to that Government Health Insurance Scheme.

Optus chief executive Kelly Bayer Rosemary said the incident generated “a lot of misinformation” and that the company takes privacy seriously.

“Given that we’re not allowed to say much because the police told us to, all I can say is … our data was encrypted and we had multiple protectors,” Bayer Rosemary told ABC Radio.

She added that most customers understand that “we’re not the bad guys” and that the company hasn’t done anything intentionally to compromise data.

Jeremy Kirk, a cybersecurity researcher and author who said he was in contact with the alleged hacker, tweeted that it’s unclear why they changed their minds, but “that doesn’t change the risk to anyone who is exposed.”

“The Optus data was stolen and we cannot trust this person. No Guardian should be abandoned,” he wrote.

Reporting by Renju Jose, Lewis Jackson and Byron Kaye; Adaptation by Gerry Doyle and Edwina Gibbs

Our standards: The Thomson Reuters Trust Principles.