Optus CEO breaks down as she issues grovelling apology to 10 million Aussie customers after their personal details were leaked in one of the biggest cyber attacks in country’s history
- Nearly 10 million Optus customers had personal details taken in cyber attack
- CEO Kelly Rosmarin admitted she felt ‘terrible’ it happened under her watch
- She gave emotional apology to customers and said ‘it shouldn’t have happened’
- Optus knew about breach on Wednesday but didn’t alert customers until Thurs
- Ben Fordham called out telco for ‘not acting quickly enough’ after the breach
- Optus is advising customers to check bank accounts for suspicious activity
The Optus CEO has issued an emotional apology after the personal details of nearly 10 million customers were potentially stolen by overseas hackers.
The massive cyber breach allowed hackers to access the personal details of the telco’s customers including passport and driver’s licence numbers, email and home addresses, dates of birth and telephone numbers.
The company’s boss Kelly Bayer Rosmarin confirmed payment details and account passwords had not been compromised but admitted she felt ‘terrible’ the breach had happened under her watch.
‘I think it’s a mix of a lot of different emotions,’ she said looking downcast.
‘Obviously I am angry that there are people out there that want to do this to our customers, I’m disappointed we couldn’t have prevented it.
‘I’m very sorry and apologetic. It should not have happened.’
Ms Bayer Rosmarin also revealed that the IP addresses linked to the hackers had moved around various European countries, and that it was a ‘sophisticated’ breach.
She added it was too soon to tell whether a criminal organisation or another state was responsible for the attack.
The data that was potentially stolen has been dated back to 2017.
Ms Bayer Rosmarin said the reported figure of 9.8 million people having had their data breached was the ‘worst case scenario’, and Optus expected the number to be much lower.
‘It’s a small subset of data, it does not include any financial details, it does not include passwords,’ she said.
It comes after Optus was called out for waiting almost 24 hours to tell millions of customers their personal details had potentially been stolen.
Optus Regulatory and Public Affairs Vice President Andrew Sheridan said the company learnt of the breach late on Wednesday.
He was forced to defend the telco when 2GB host Ben Fordham questioned why they had waited until Thursday at 2pm to issue a press release.
Fordham said The Australian newspaper had first broken the news about the breach at 1pm on Thursday, only for Optus to publish a release an hour later.
‘You knew about it on Wednesday … it was only after The Australian newspaper splashed the story on their website (on Thursday) that you put out a statement,’ Fordham said on his radio breakfast program on Friday.
‘If you’re interested in protecting your customers why didn’t you alert them the moment you were aware of this potential breach?’
Mr Sheridan said that there was a ‘number of steps’ that had to be taken in cyber incidents.
‘I think if you look at incidents like this we’ve acted very, very quickly,’ he said.
He was then cut off by Fordham who said he didn’t think the telco had acted fast enough.
‘I’ve got to call you out on that Andrew, I don’t think you’ve acted quickly at all,’ he said.
‘We’ve seen many of these cases in the past where companies have said “we don’t know if there’s been a breach, there’s been a potential breach, we want to alert you straight away” – you guys didn’t do that, you failed to do that.’
Mr Sheridan wouldn’t confirm the number of customers who’d been affected but said the investigation was ongoing.
He added Optus had to confirm the details of the breach and secure their network before they were able to alert customers.
The millions of customers impacted are being contacted by the telco.
Customers have been told not to click on any links sent in a message appearing to be from Optus.
Optus said users’ payment details and account passwords had not been compromised and it was working with the Australian Cyber Security Centre to limit the risk to both current and former customers.
The Australian Federal Police, the Office of the Australian Information Commissioner and other key regulators have also been notified.
What Optus has said about the breach:
How did this happen?
Optus was the victim of a cyberattack. We immediately took action to block the attack which only targeted Optus customer data. Optus’ systems and services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.
Has the attack been stopped?
Yes. Upon discovering this, Optus immediately shut down the attack.
We are now working with the Australian Cyber Security Centre to mitigate any risks to customers. We have also notified the Australian Federal Police, the Office of the Australian Information Commissioner, and key regulators.
Why did we go to the media first instead of our customers?
The security of our customers and their data is paramount to us. We did this as it was the quickest and most effective way to alert as many current and former customers as possible, so they could be vigilant and monitor for any suspicious activity. We are now in the process of contacting customers who have been impacted directly.
What information of mine may have been exposed?
The information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers. Customers affected will be notified directly of the specific information compromised.
Optus services, including mobile and home internet, are not affected. Messages, voice calls, billing and payments details, and account passwords have not been compromised.
What should I do to protect myself if I suspect I am a victim of fraudulent activity?
We are not currently aware of any customers having suffered harm, but we encourage you to have heightened awareness across your accounts, including:
- Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
- Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
- Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
How do I contact Optus if I believe my account has been compromised?
If you believe your account has been compromised, you can contact us via My Optus App – which remains the safest way to contact Optus – or call us on 133 937 for consumer customers. Due to the impact of the cyberattack, wait times may be longer than usual.
If you are a business customer, contact us on 133 343 or your account manager.
How do I know if I have been impacted?
We are in the process of contacting customers who have been directly impacted.
Alastair MacGibbon, who is chief strategy officer at cyber-security firm CyberCX and a former advisor to the prime minister, said Optus customers should watch out for criminals impersonating them online.
‘They should be looking for whether criminals are mimicking them, or stealing their identity, trying to obtain credit in their name … etc,’ he told the ABC.
He said Optus could guard the interests of its customers by paying for credit monitoring.
‘That way you will be monitored by credit monitoring services if someone has been using your name and other details to obtain credit,’ Mr MacGibbon said.
It remains unclear at this stage what the hackers were after, with authorities and the telco still investigating.
Mobile and home internet, along with messages and voice calls have not been affected.
Both past and present Optus customers have been impacted.
How to improve your cyber-security
- Keep your devices up-to-date with security upgrades.
- Use strong passwords that contain one lowercase letter, one uppercase letter, one number, and four symbols but not the following &%#@_
- Don’t reuse the same password on multiple devices.
- Reset your password around once a year.
- Add a second layer of protection to a password by using two-factor or multi-factor authentication – such as a password and a number sent by text to your phone.