The hacker behind last week's Optus data breach has now released the information of 10,000 customers and plans to release 10,000 more every day for the four days Optus has left to reply. The attacker had demanded a ransom of $1,000,000 and given Optus a week to make its decision.
The leaked data is also on sale, although it is reserved for a week while Optus replies. The hackers have priced the user data at $150,000 and the US addresses at $200,000, with an exclusive sale of the data priced the same as the ransom demanded from Optus.
While Optus tries to reach out to the 2.8 million customers whose sensitive information has been leaked, the company faces mounting pressure from the government and customers alike, who accuse it of communicating poorly and of not having adequate security measures in place.
Clare O'Neil, Australia's minister for Home Affairs and Cybersecurity, also disputed Optus' claim that the attack was rather advanced, calling the incident "quite a basic hack" instead. She went on to state that the data taken effectively amounts to a 100-point ID check, leaving the 2.8 million users whose sensitive data was leaked significantly vulnerable to identity theft and fraud.
Nearly 9.8 million Australians' basic personal information has been exposed in this attack, including the 2.8 million whose more sensitive personal data, such as driving licence and passport numbers, has also been leaked.
The company's claims that the attack was quite advanced have also been heavily disputed. Journalist Jeremy Kirk spoke with the alleged hacker behind the incident and found that the attacker gained access through an unauthenticated API endpoint. Kirk was also contacted by a second, separate source who said the hacker's version of events is approximately correct.
As a general security practice, an API that returns customer records is not exposed to the public internet, let alone left unauthenticated. If what the attacker claims is true, it indicates extremely careless behaviour on Optus' part.
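To make the two failures named above concrete, here is an added example (not code from the article or from Optus) of a customer-lookup handler written the weak way, beside a hardened version that applies both controls: a network exposure check and bearer-token authentication. The customer records, token value and allowed network ranges are constructed placeholders for the example; a real deployment would hold the token in a secrets manager and enforce the network restriction at the edge as well as in code.

```python
import hmac
import ipaddress

# Constructed sample record store standing in for a customer database.
CUSTOMERS = {
    "c-1001": {"name": "Example Customer", "licence_no": "EXAMPLE-ONLY"},
}

# Hypothetical token for the internal caller (constructed value for the example).
VALID_TOKEN = "example-token-not-real"

# Internal address ranges allowed to reach the endpoint at all (constructed).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Audit trail of rejected calls, so repeated probing is visible to defenders.
REJECTIONS = []


def client_allowed(client_ip: str) -> bool:
    """Exposure check: only callers from the internal ranges may reach the API."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def token_valid(headers: dict) -> bool:
    """Authentication check: require a bearer token, compared in constant time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):]
    return hmac.compare_digest(presented, VALID_TOKEN)


def customer_endpoint_unauthenticated(client_ip: str, headers: dict, customer_id: str):
    """Weak pattern: whoever can reach the endpoint receives the record."""
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def customer_endpoint_hardened(client_ip: str, headers: dict, customer_id: str):
    """Hardened pattern: reject out-of-network callers, then unauthenticated ones."""
    if not client_allowed(client_ip):
        REJECTIONS.append(("network", client_ip, customer_id))
        return 403, {"error": "forbidden"}
    if not token_valid(headers):
        REJECTIONS.append(("auth", client_ip, customer_id))
        return 401, {"error": "unauthorized"}
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    public_caller = "203.0.113.5"  # documentation range, i.e. an external address
    print(customer_endpoint_unauthenticated(public_caller, {}, "c-1001"))
    print(customer_endpoint_hardened(public_caller, {}, "c-1001"))
    print(customer_endpoint_hardened("10.1.2.3", {}, "c-1001"))
    print(customer_endpoint_hardened(
        "10.1.2.3", {"Authorization": "Bearer example-token-not-real"}, "c-1001"))
    print(REJECTIONS)
```

The hardened handler refuses external callers before it ever looks at credentials, and records each rejection; a burst of `("auth", ...)` or `("network", ...)` entries for sequential customer identifiers is the kind of enumeration signal a detection rule should alert on.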