The sensitive details of 10,000 Australian customers have been released by the group behind the massive Optus data breach.
The illegally obtained information includes passport, Medicare and driver licence numbers, dates of birth, home addresses and information about whether a person is renting or living with parents.
A Canberra man contacted by AAP on Tuesday confirmed his data was in the file posted online, including a misspelled street name and specific email he uses for Optus.
He took out a new SIM with the telco in 2021 – in part to avoid using his primary number for WeChat.
“I don’t feel vengeful – Optus isn’t really going to face that great of a consequence,” he told AAP.
“It’s the kind of mistake that as soon as it’s made once, you can’t undo it. It’s the permanent stuff that you can’t really change: date of birth, full name, driver licence number.
“We’ll find out how easy a mistake it was to make and to not make but c’mon, guys. Really?”
A check of 12 random email addresses against records held by Have I Been Pwned found nine had not previously been exposed in breaches.
The information was exposed on a data breach site on the clear web after the group behind the theft said Optus had not met its extortion demand.
It claimed it would release 10,000 records each day until Friday if Optus doesn’t pay $1.5 million.
Government Services Minister Bill Shorten said Optus hadn’t done enough to protect customers and its response “needs to be much more diligent.”
“It’s time for … a big overhaul of how our data is kept by big corporations,” he told the Nine Network’s Today.
“We’re doing everything we can to apprehend the hackers but there is no doubt the defences of the company were, as I’ve been informed, inadequate.”
Optus says it was the victim of a sophisticated attack – a characterisation dismissed by Home Affairs Minister Clare O’Neil.
A federal police investigation has been launched into the data breach, which has affected 9.8 million Australians.
It will be complex and involve working with the Australian Signals Directorate, overseas police and Optus, said Assistant Commissioner of Cyber Command Justine Gough.
Opposition cyber security spokesman James Paterson told Sky News the government bore some responsibility and criticised its response to the hack as “slow”.
Slater and Gordon Lawyers are investigating whether to launch a class action lawsuit on behalf of former and current customers.
Senior associate Ben Zocco said the leaked information posed a risk to vulnerable people, including domestic violence survivors and victims of stalking.
Ms O’Neil launched a scathing attack on Optus in parliament on Monday.
She said responsibility lay squarely at the feet of the telco giant and that the government was looking at ways to mitigate the fallout.
The minister called on Optus to provide free credit monitoring to former and present customers who had their data stolen.
Optus says it will offer “the most affected” customers the chance to take up a one-year subscription to credit monitoring service Equifax Protect at no cost.
“Please note that no communications from Optus relating to this incident will include any links as we recognise there are criminals who will be using this incident to conduct phishing scams,” a statement said.
Payment details and account passwords have not been compromised.