“It is with great disappointment that I'm writing to let you know that Optus has been a victim of a cyberattack.”
That was the opening line from an email sent to Optus customers over the weekend, a grovelling and delayed move to stem the flow of blood out of a PR and Commercial disaster facing the Australian telco in the wake of a real big fuck up of unimaginable proportions.
You might’ve heard about it by now – for some reason the only story in Australian media currently, and also one of the most irritatingly important but also shockingly boring things going – but here is the run sheet:
Last week, Optus confirmed it had been the victim of a cyber attack that impacted almost 10 million current (and former!) customers. Depending on what you chose to believe, that data was being raffled off like the world’s most expensive meat tray for the princely sum of $1 million USD.
“Importantly,” wrote CEO Kelly Bayer Rosmarin, “no financial information or passwords have been accessed.”
And then: “The information which has been exposed is your name, date of birth, email, and the number of the ID document you provided such as drivers license or passport number.”
Well, fuck me gently with a chainsaw. If it’s only those things then I’ll sleep easy.
There’s a lot about this story that is clearly important. Particularly if you are an Optus customer, or have ever been one, and happen to value your privacy. But I’m also very aware that this shit sucks. You wanna be informed, but reading about data privacy is sometimes like reading about state politics: you mean well, and you care, but my God…
So here is where we’re at, in a way I hope is at least some part digestible.
Last week everyone found out about the hack.
Optus says it went to the media first in an act of wild transparency, desperate to ensure all of its customers would get the news. A true act of noble courage.
It is believed that the data was reached by accessing an Optus API (tech term you can read about here).
Basically, someone forgot to – or never did – set up access to customer data with a requirement that you log in first, presumably with an account and username and password and all the shit that even idiots like me would consider rudimentary to implementing if I was put in charge of the personal data of, I don’t know, 10 million people.
A bunch of journalists and others found an account on a popular hacking forum claiming to be The Hacker(s).
There was a whole essay of shit, but it boiled down to “give me $1 million or I will sell off all of your data!”
The supposed cybercriminal used an anime avatar, which I find funny. For what it’s worth, my data has also been breached by this shit, but you gotta find the light in the darkness.
As a sort of let-me-prove-I’m-serious Diehard villain play, they also released about 100 records that included the works, from email addresses to driver’s licence numbers.
Optus insisted the hack did not happen because of “human error.”
Someone inside Optus told the ABC anonymously that the breach occurred because of human error. Not super surprising, humans make errors all the time. It’s kind of our thing.
Optus then said that was all “completely inaccurate.”
People spent the weekend trying to change their information, see what data had been breached, and generally get a handle on things.
Mixed results, few positive stories. Shit’s still fucked.
Lawyers sniff blood and announce potential class-action.
Lawyers love three things: justice, money, and coke. Not really sure about that last one, but all of my understanding of the profession is based on ‘90s movies usually starring Tommy Lee Jones.
On Monday, law firm Slater and Gordon announced it was “assessing possible legal options for affected customers”, which was expected and therefore not too surprising. Could Slater and Gordon (either / or) please make sure to send me a cheque as well when this is all over.
The hacker(s) behind the attack announce they will be releasing the data of 10,000 Optus customers and then they do exactly that.
Tuesday morning, 10,000 unlucky Optus customers were facing the reality the remaining 9,990,000 might soon face: their data out there for the world to see. This included the information of people from the Department of Defence and the office of Prime Minister and Cabinet.
The threat here also included the lovely message that four more days would go by with similar leaks. “4 more days to decide, Optus.”
The AFP got involved.
As they probably should?
The FBI got involved.
The hacker(s) say they are very sorry, for some reason definitely not related to AFP and FBI involvement.
I don’t know about this one but it’s also funny to read. The same user who posted all of the threats etc. over the last week about $1 million USD and data releases posted again on Tuesday morning, shortly after releasing the initial 10,000 addresses, with a fairly grovelling apology.
“Deepest apology to Optus for this,” it read. “Hope all goes well from this.”
"Optus if your reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message.
"Ransom not payed but we dont care any more. Was mistake to scrape publish data in first place."
Adjacent scams begin to pop up, like someone sending text messages asking for $2,000 (don’t do it).
All I’m saying about this one is if you’re trying to scam people, maybe don’t link out to the BSB and Account Number of a local bank account.
Clare O’Neil (Minister or Cyber Security) then responds to reports that Medicare numbers were also part of the breach.
Why Optus had all of this information I’m not super sure. Could it be something to do with overreaching data privacy laws that have been created, quietly, over the last few years? I don’t know! The point is: Optus had the information, and now other people might as well.
On Wednesday, state governments from NSW, Queensland, Victoria, and South Australia began work to make it easier for anyone impacted by the cyberattack to change their driver’s licence (and other ID) numbers.
It looks like Optus will be dolling out the cash to cover this, but nothing is 100% confirmed just yet. In NSW, you will need to pay the replacement fee ($29) but Optus will reimburse you. In Victoria, it’ll be free. A damaging couple of weeks ahead for the folks at Optus – both financially and commercially!
Minister for foreign affairs, Penny Wong, writes to Optus telling them cough up the cash.
However many people decide to apply for a new passport, Wong wrote to the Optus CEO in a kind of “i’m telling you not asking you” way.
Then, Optus confirms (awkward!) that almost 37,000 Medicare details were compromised.
Prime Minister Anthony Albanese said in parliament that Optus “should pay” for new passports.
Personally, as someone impacted by this, I agree! But also it just makes sense.
That’s it for now. Government officials are calling for a full, official timeline of events, and the company itself says it’s still in the process of alerting all customers who were impacted. Very cool.
Optus is currently looking to hire a full-time senior manager in IT and cyber risk, though. If you’re interested.
Read more from VICE Australia.