The federal government’s response to the Optus cyberattack all but confirms that the alleged hacker who tried to extort the company is the real deal — and that’s bad news for those affected.
Before the anonymous “Optusdata” user deleted its extortion threat off a popular hacking forum yesterday, the account posted a sample of what it claimed were 10,000 Optus customers’ details. This sample included dozens of Medicare numbers, a piece of personally identifiable information that Optus had not included in its disclosures about the cyberattack.
Optus would not comment on whether Medicare numbers were compromised. Albanese government ministers, on the other hand, were quick to voice their concerns.
Home Affairs and Cyber Security Minister Clare O’Neil released a statement yesterday saying she was troubled by reports about Medicare numbers being leaked: “Medicare numbers were never advised to form part of compromised information from the breach.”
Attorney-General Mark Dreyfus and Health Minister Mark Butler reiterated concerns about Medicare details being made public, the latter saying the government was considering allowing people to get new Medicare numbers.
The reaction by senior ministers suggests that the Optusdata account is being treated by the government as belonging to those responsible for the cyberattack, and not an opportunistic scammer trying to extort the company.
O’Neil has been briefed by security agencies and Optus. Her criticism of the telecommunication company only makes sense if she believed that the anonymous extortionist was releasing real information obtained from Optus.
Hacker’s apology is not the end of the matter
Despite some celebrating the hacker’s apology and promise to delete the data, co-founder of cyber firm Internet 2.0 Robert Potter warned against taking it at its word.
“I would treat any commentary from an anonymous hacker with a grain of salt until it’s verified by law enforcement,” he said.
So far, little is known about the Optusdata account. It claimed there was a pair of them behind the attack and that it wanted US$1 million to “retire”, and it wrote in a way that suggested that English wasn’t the user’s first language. All that information is based on a handful of posts made by the user without any corroborating evidence.
There is no guarantee for users that the hacker has deleted their data, or that they won’t pop up again with a new extortion attempt or use the data in another way.
Potter said the millions of Australians caught up in the data breach will need to be vigilant about the use of their data from now on: “People should assume that the documentation is gone for good once it’s taken.”
Crikey please inform us as to why Optus even needed Medicare numbers in the first place. Of course telecommunications should never have been privatised in the first place, being critical infrastructure that needed to remain in government hands with accountability for its sound governance through the ballot box. Time to bring it back into public ownership.
I can help you with that. Optus shouldn’t need to store them these days. They can pass them to the Australian Government’s Document Verification Service and just store the answer from the DVS. However, prior to the DVS, practice could be to store document numbers and lookup results.
Thank you Stephen Darragh. The DVS is such a recent phenomenon that many consumers/customers would have signed up before DVS came into widespread availability.
By the way SD, are you suggesting that Optus and other credit providers should quickly change their records to utilise DVS (or whatever comes next) as soon as possible?
Thank you. That is exactly what I was wondering. As for ‘I’ve deleted the data’, it’s one of the Great Lies, such as ‘it’s in the mail’, ‘an operator will be with you shortly’, and what’s politely known as ‘I’ll respect you in the morning’.
And why would Optus need drivers licence details? The only company I am aware of that has sought details of my drivers licence is the one with which I have car insurance. Otherwise my most likely use of my drivers licence is to identify myself at the PO when I go to collect a parcel.
I am genuinely quite puzzled by this. What use are the details of my drivers licence to any hacker?
The drivers licence shows your date of birth.
Thanks. I did not think of that.
My d-o-b is not something I think of as highly confidential information. My son, ex-husband, siblings, nieces and nephews, contemporaries I went to school with, plus friends, colleagues and neighbours who have been invited to celebrations of significant birthdays could all know those numbers.
Also on FB?
You may wish to reconsider what someone could do with some basic information that ‘only you would know’. Not all hacks are technical, a lot of them are people convincing others, under false pretence, to open all the doors for them.
Combined with multiple other documents, a drivers license is also part of the way you identify yourself to banks, service providers and many other businesses, let alone the old GPO.
Dear everyone (media, commentators, bloggers, etc): stop asking why this sort of data is retained! This data is collected because payment of a phone/internet service is treated as a financial product (apologies for my inaccurate wordage) being “credit”.
Therefore, because the service is provided on a credit arrangement, then the Proof of Identity requirements are even more rigorous.
Believe the word of a thief? Nor would I believe what line the Optus CEO is currently running.
Why did Optus’s Chief Security Information Officer leave the company approximately a month ago? Disenchanted, perhaps…
Probably because he told them what they needed to do to fix the problem, & they wouldn’t listen. It cost too much!
I think one of the questions that will need to be asked is why private businesses are requiring and then hoarding things like Medicare and drivers licence numbers – just so we can use a phone? The phone box (if you can find one now) looks a lot more secure.
“Productivity”? “Executive remuneration”? “Accountability”?
Optus executives repeatedly opposed changes to those advocating they adopt privacy and security measures, throwing up their own “significant hurdles and costs” to those that wanted those sorts of measures introduced: so how “productive” have those executive decisions proved?
Will that affect their “productivity packages”?
I think we can assume anything provided to establish identity has been compromised. Why would a data thief stop at only two types of identification, unless the other ID was stored separately, which is unlikely.
I want to know how drivers licence issuing bodies are going to establish that it’s the licence holder seeking a new licence, and not the data thief, or someone to whom they’ve given/sold the data.