Federal police are monitoring the dark web amid reports hackers are trying to sell millions of Australians' personal information following the Optus data breach.
Optus has admitted it is likely that criminals will make claims capitalising financially on the leak, after the company announced it was a victim of a major cyberattack, but says it won't comment on the veracity of the claims its customer data is being sold online.
Up to 10 million customers are at risk of having their user names, dates of birth, phone numbers, email addresses, driver's licence numbers, passport numbers or addresses compromised in what’s been billed as one of the biggest data breaches in the country, on Thursday.
On the online forum BreachForums, a user claimed to be selling 11.2 million Optus users’ data, including emails, dates of birth, full names, mobile numbers and drivers licence numbers.
“Optus announced database leak. Here we have the leaked data,” the post read, including a link to 100 samples.
The account then appears to threaten Optus with an extortion attempt, saying it would give back the data for 1 million in cryptocurrency within one week.
Optus said it had been advised its announcement of the attack would trigger claims and scams from criminals seeking to benefit financially, including by offering “illegitimate customer details for sale”.
“Given the investigation, Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings,” it said in a statement.
The Australian Federal Police, which is investigating the cyberattack, said it was aware of the reports.
“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,” an AFP spokesperson told SBS News in a statement.
“It is an offence to buy stolen credentials. Those who do face a penalty of up to 10 years’ imprisonment.”
Optus needs to verify data being sold online is real: expert
While some tech journalists have claimed to have verified the data being sold online, cyber security experts say it's difficult to do so without Optus's confirmation.
"It's difficult to tell whether the leak is real and the claim is real without verification from Optus at this point," PwC Australia's Cybersecurity leader Rob Di Pietro told SBS News.
"I think what's been reported is that some of the records appear real, and that's based on those records showing up in previous data breaches, which is certainly a possibility," he added.
"And there there seems to be some records that also haven't been in previous data breaches, which could be an indication they're part of the more recent breach.
"But as I said, to know whether it's real data from the breach from the last couple of days, I think we'll only know that for sure once Optus have confirmed and validated that's the case."
Optus contacting affected customers first
Optus on Saturday said it was contacting all customers to notify them of the impact of the leak on their data.
Those whose ID documents may have been compromised will be contacted first, and those the telco believes have not been impacted will be last.
“No passwords or financial details have been compromised,” it said in a statement.
“We are not sending links in SMS or emails. If customers receive an email or SMS with a link claiming to be from Optus … please do not click on any links.”
