Optus data breach: What we know so far and how to protect yourself from a cyber attack

Cybercriminals have reportedly accessed millions of Optus customers' personal data and shared the information of thousands following a data breach. Here's what we know.


Key Points
  • Optus has been hit by a cyber attack.
  • Millions of customers' information is now at risk.

Investigations are continuing after the breach, which enabled cybercriminals to access the personal data of millions of current and past customers.

On Tuesday morning, the group behind the attack reportedly released the personal information of 10,000 customers on a data breach forum, and threatened to continue releasing data unless Optus paid a ransom.

Later that day, an account claiming to be a hacker posted on the forum saying they had dropped the ransom demand, and had deleted the 11 million customers' records it scraped from the telco's website.

While the United States FBI has joined the Australian Federal Police in probing the incident, questions are now being raised over cyber security, the dark web, and what we can do to protect ourselves.

Here's what you need to know.

What happened in the Optus data breach?

On Thursday, Optus confirmed users' names, dates of birth, phone numbers, email addresses, driver's licence numbers, passport numbers or addresses could all have been accessed in a major breach.

According to the telco, up to 9.8 million customers - anybody who has been with the company since 2017 - could have been impacted.

Optus said users' payment details and account passwords had not been compromised and it was working with the Australian Cyber Security Centre to limit the risk to both current and former customers.

On Monday, the telco announced it will be providing the most affected current and former customers with a free 12-month credit monitoring subscription to Equifax Protect.
On Tuesday morning, cyber security researcher and writer Jeremy Kirk from cybersecurity intelligence and education company ISMG Corp and threatened to continue releasing batches every day if Optus did not give in to an extortion demand.

Customers also reportedly received demands for payments of $2000 in exchange for the hackers not selling their data.

FBI joins investigation as hacker reportedly withdraws demand

On Tuesday, it was revealed the FBI had joined the AFP's investigation.

Attorney-General Mark Dreyfus revealed the international cooperation as the group behind the breach dropped its ransom demand and claimed to have deleted the 11 million customers' records it scraped from the telco's website.

Mr Dreyfus told parliament a whole-of-government response had been launched, with the AFP not only working with government and industry but also the FBI.

The attorney-general also expressed concern Optus did not report the exposure of Medicare numbers in the breach.

Various state governments have now announced victims whose licence details have been exposed can have their licences replaced.

An ongoing privacy review will be completed this year.

Who was behind the attack, and why is it concerning?

Optus chief Kelly Bayer Rosmarin said the telco does not know who was behind the hack or their motivations.

"This particular [cyber attack] is not similar to anything we've seen before and unfortunately it was successful," she said.

"It is too early to rule out any possibilities. So we're keeping it all open - it could be criminal and it could be state-based actors."

Optus says up to 9.8 million customers may have been compromised in the data breach. Source: AAP

Troy Hunt specialises in security and created the service 'Have I been Pwned', which aggregates data breaches to help users check whether their data has been compromised.

He told SBS News there was not yet enough information available to give any indication of how the attack may have happened.

"We also really haven't seen any technical details, so we haven't seen any details about what it was that went wrong, how it was able to go wrong, and that makes it very difficult for us to draw any conclusions about whether this was negligence on Optus' behalf or whether they were just very sophisticated hackers," he said.

How can you protect your data?

When it comes to protecting your digital privacy and personal data, the recommends setting up secure passwords and setting up multi-step authentication whenever possible.

It also suggests regularly updating apps and systems to ensure you are up to date with security upgrades, and backing up files to external devices in case your accounts are ever compromised.

Using browsers with hardened security settings and turning off browsing history and cookies can also be beneficial.

Mr Hunt also recommends using services such as identity theft protection, with service providers able to monitor whether somebody is attempting to impersonate you to apply for things like financial loans.

ACCC deputy chair Delia Rickard said the cyber attack was extremely worrying due to the large amount of personal information fraudsters might be able to access.

"These are all the things that you need for identity theft and also all the things you need to personalise a scam and make it much more convincing," she told Nine's Today program on Friday.

Ms Rickard said any Optus customers who suspected they were victims of fraud should request a ban on their credit records and be highly skeptical of unexpected calls from people purporting to represent banks or government agencies.

The ACCC's Scamwatch has also advised affected customers to place limits on bank accounts and monitor for any unusual activity.

What do cyber criminals do with your data?

In addition to identity theft or attempts to access finances, Mr Hunt says this type of data breach can also lead to targeted phishing scams.

A phishing scam is a type of attack where the perpetrator masquerades as a trusted person or business in order to trick a victim into clicking a malicious link or revealing sensitive information.

"The finance one is kind of the obvious one, and even though people say they don't have any money, everyone has a point at which some degree of financial compromise will hit them and it will be painful," he said.

"The whole invasion of privacy is another big part of it as well - how would you feel if someone was reading your email, if they're reading your private message to your loved ones, how would you feel if it was your children's data, which was publicly accessible to other people?

"The thing about privacy is, it's enormously personal, we all have different tolerances there, and it's very difficult to get it back once it starts to be eroded through the rights of data breaches."

How do you know if your data has been breached?

There are several signs to look out for and ways you can check whether your data has been breached.

Mr Hunt says his website is just the "tip of the iceberg" of ways to monitor whether your personal information may have been compromised online.

"We want to look for any requests for money, any requests from parties that you either may not recognise or parties you may know, but are communicating in an odd way," he said.

"And being conscious that whether it's the Optus data breach or the thousands of other data breaches that are out there, a huge amount of our personal data has been leaked through security breaches ... but a huge amount of our personal data has also been leaked deliberately by us via things like social media."

Published 23 September 2022 3:57pm
Updated 28 September 2022 5:21pm
By Jessica Bahr
Source: SBS, AAP
