Around 10,000 Optus users have had their information leaked after the telco was hacked last Thursday.
Up to 10 million Optus customers may have had their personal details compromised after the major data breach.
And now, the sensitive details of 10,000 Australian customers have reportedly been released by the hackers.
The illegally obtained information includes passport and driver's licence numbers, dates of birth and home addresses, according to cyber security researcher Jeremy Kirk from Information Security Media Group.
Kirk has also claimed to have been in contact with the hackers and said they were threatening to release a further 10,000 records every day until a $1.5 million ransom is paid.
"Bad news. The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn't give in to the extortion demand," he tweeted.
Optus said it has been working with the Australian Cyber Security Centre to limit any risk to current and former customers.
The Australian Federal Police, the Office of the Australian Information Regulator and other key regulators have also been notified.
Hi, we are working closely with the Australian Cyber Security Centre, key regulators and authorities to mitigate any risks to customers. We also notified the Australian Federal Police and financial institutions. (1/3)
— Optus (@Optus) September 22, 2022
Optus CEO Kelly Bayer Rosmarin said the company is aware of the threat from the hackers.
"We've seen that there is a post on the dark web and the Australian Federal Police is all over that," she told ABC's AM program.
"They are looking into every possibility, and they are using the time available to see if they can track down the particular criminal and verify if they are bona fide."
Federal Government Services Minister Bill Shorten said Optus needed to do better.
"Based on what I've been told, Optus hasn't done enough ... to protect their customers and their follow-up needs to be much more diligent," he told the Nine Network.
"I think it's time for ... a big overhaul of how our data is kept by big corporations.
"We're doing everything we can to apprehend the hackers but there is no doubt the defences of the company were, as I've been informed, inadequate."
Shorten said the hack raised questions about how much of people's data big companies should keep and for how long.
Home Affairs Minister Clare O'Neil told the ABC on Monday the attack was not "sophisticated".
Class action looms
Slater and Gordon Lawyers are investigating whether to launch a class action lawsuit against Optus on behalf of former and current customers.
Class actions senior associate Ben Zocco said the leaked information posed a risk to vulnerable people, including domestic violence survivors and victims of stalking.
“This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed,” Zocco said.
“Given the type of information that has been reportedly disclosed, these people can’t simply heed Optus’s advice to be on the lookout for scam emails and text messages.
“Very real risks are created by the disclosure of their personally identifiable information, such as addresses and phone numbers.”
Optus’ ‘poor’ response
Optus announced it will be providing the most affected current and former customers with a free 12-month credit monitoring subscription to Equifax Protect.
Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft.
Optus also reiterated that no passwords or financial details were compromised in the breach.
The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost.
However, not all customers are pleased with how the telco has responded to the incident.
Taking to Twitter, one angry customer expressed his disappointment at still being sent bill reminders while his information had been stolen.
“Poor form that I continued to receive bill reminders, but it was crickets for days before I was contacted about the data breach,” the Twitter user said.
Another user suggested that anyone with Optus should move to a different telco.
“After discussions with @Optus this morning and basically told there is nothing they can do at this stage, I say if you are with them or considering going to them don’t bother I’ve been with them a long time and not happy at all with this response,” the user said.