Optus has begun contacting millions of customers affected by a massive data breach, more than 24 hours after alerting the media to the cyber attack.
Victims were emailed on Friday afternoon and told some combination of their personal details including names, birth dates, phone numbers and driver’s licence or passport numbers may have been accessed.
Optus also explained why they may have learned of the breach via the news before hearing from the company.
“You would have seen we announced this first in the media,” the telco wrote.
“We did this as it was the quickest and most effective way to alert you and all our customers, while also communicating the severity of the situation through trusted media sources.”
Optus vice president of regulatory and public affairs Andrew Sheridan confirmed on Friday some 9.8 million customers had been impacted by the attack.
“There are some … where the information exposed is their name, date of birth and phone number,” he told Melbourne’s 3AW.
“Then for a subset, a smaller number, there is a government ID number such as a driver’s licence number or passport number.”
Customers with the company since 2017 may be affected, however no payment details or Optus account passwords had been accessed.
Mr Sheridan also ruled out human error as responsible for allowing the breach.
“It’s been a very sophisticated cyber attack on Optus,” he said.
“We’ve got very strong cyber security systems within our organisation and … therefore it has been a very sophisticated compromise of those protections.”
Optus chief executive Kelly Bayer Rosmarin on Friday apologised and said she felt terrible the attack happened on her watch.
“Obviously, I am angry there are people out there that want to do this to our customers. I’m disappointed we couldn’t have prevented it,” she said.
While criminals or so-called state-based actors could be behind the hack, Optus doesn’t know who is responsible or their motivations.
Ms Bayer Rosmarin said the public had been notified less than 24 hours after discovering the breach and the company was working closely with government authorities and federal police.
“It is too early to rule out any possibilities,” she said.
“So we’re keeping it all open – it could be criminal and it could be state-based actors.”
Optus has not identified where the hackers were located as their IP addresses kept moving between different countries in Europe.
There have been no ransomware demands, meaning they have not asked for payment to return the data.
Opposition Leader Peter Dutton called on cyber security minister Clare O’Neil to tell Australians about the scale of the breach and whether ongoing threats were posed.
“This may well be the biggest data breach in Australia’s history at nine or 10 million people … we don’t know much more detail than that because the minister Clare O’Neil is missing in action,” he told reporters.
Liberal MP Karen Andrews will introduce a private member’s bill on Monday designed to strengthen jail penalties for cyber extortion.
Australian Consumer and Competition Commission deputy chair Delia Rickard said the attack was extremely worrying due to the large amount of personal information fraudsters might be able to access.
“These are all the things that you need for identity theft and also all the things you need to personalise a scam and make it much more convincing,” she told Nine’s Today program.
She said any Optus customers who suspected they were victims of fraud should request a ban on their credit records and be wary of calls from people purporting to represent banks or government agencies.
Scamwatch advised Optus customers to change online account passwords and enable multi-factor authentication for banking.
By Rachael Ward and Phoebe Loomes in Melbourne
Get the latest news, sport, entertainment, lifestyle, competitions and more delivered straight to your inbox with the Canberra Daily Daily Newsletter. Sign up here.