Australian Federal Police are investigating after the data of millions of Optus customers exposed in a recent hack was allegedly put up for sale online.
On Saturday morning, a message appeared on a data market from a user claiming to be in possession of the information obtained from the breach with a demand for $1 million in Monero cryptocurrency.
The user posted a sample of the data. Cybersecurity researcher Jeremy Kirk said the sample appeared to match real-world addresses and people, suggesting the message was genuine.
“Someone claims to have stolen the Optus account data of 11.2 million users,” he said online. “They want $1 million in Monero cryptocurrency from Optus so they don’t sell the data to other people. Otherwise they say they will sell it by package.”
Even if Optus were to pay the ransom, there is no guarantee that the user would honor an agreement not to sell the data elsewhere.
Kirk said he verified some of the information by talking to a neighbor whose name and address were in the sample.
“I found the person in the dataset. She was working in her front yard. She wishes to remain anonymous, but has confirmed that she is a former Optus customer and that her data is accurate. We still need confirmation from Optus on the data, but it all lines up,” he said.
“I explained to her who I was and handed her a copy of her data (as an aside, kind of a weird experiment – shoe leather journalism meets cyberspace). She said it was kinda scary. She had not yet been contacted by Optus.”
This information could not immediately be verified, but an AFP spokesperson said the agency was aware of allegations that the data had been put up for sale.
“AFP is aware of reports alleging stolen Optus customer data and credentials could be sold through a number of forums, including the dark web,” they said.
“AFP uses specialized capabilities to monitor the dark web and other technologies, and will not hesitate to take action against those who break the law.”
The spokesperson warned it was an offense to buy stolen credentials, with those found guilty facing a maximum sentence of 10 years in prison.
A spokesman for the Attorney General, Mark Dreyfus, said his office was seeking an “urgent” meeting with Optus to “check out the proactive steps they are taking to minimize harm to Australians who have lost data”.
“The Attorney General has also had several briefings on the Optus hack and the threat it poses to the private data of Australians from the Privacy Commissioner,” the spokesperson said.
Optus announced on Thursday that it had suffered a massive cyberattack, with the personal information of up to 9.7 million customers stolen, including names, dates of birth, addresses and contact details.
Many customers reported an anxious wait before being contacted by Optus, or having to take matters into their own hands and call the company to find out whether they had been exposed in the attack.
In a new statement on the attack, Optus said it was cooperating with authorities while continuing to contact customers whose data may have been stolen.
The company said that since announcing the attack, it became aware that cybercriminals might start targeting Optus customers with phishing scams.
It warned customers to be wary of links sent in text messages or emails.
“We have been advised that our announcement of the attack is likely to trigger a number of claims and scams from criminals seeking to make a financial profit,” the statement said.
“If customers receive an email or text message with a link claiming to be from Optus, they are advised that it is not a communication from Optus. Please do not click on any links.”
The Department of Foreign Affairs and Trade, which oversees the Passport Office, did not immediately respond to questions about whether it would automatically reissue the passports of those affected.
A spokesperson instead referred to statements released on Friday that sought to clarify that there had been no breach of passport systems.
In an FAQ, under a section titled “Why do I have to pay to replace my passport when it was not my fault”, the answer read: “We were not responsible for the data breach.”
Affected people are told that it is their responsibility to apply for a new passport.
Passport replacement applications cost $308.