The hackers allegedly behind the Optus data breach that has affected more than 10 million Australians claim they have now deleted the data and will not sell it to anyone.
However, the claim was made after details of a further 10,000 people were revealed, on top of a sample of 200 that was released in an initial post over the weekend on a public-facing breach forum.
“Too many eyes. We will not sale [sic] data to anyone. We cant if we even want to: personally deleted data from drive (only copy),” the alleged hacker’s post said.
“Sorry too 10.200 Australian whos data was leaked. Australia will see no gain in fraud, this can be monitored. Maybe for 10.200 Australian but rest of population no. Very sorry to you.”
Cybersecurity experts believe the released data could be genuine. The Australian Financial Review has seen a sample of the apparent breach data. It cross-referenced some of the alleged data with breaches listed on HaveIBeenPwned.com, a site that helps users check if their data has been part of a breach that has been made public.
Of the handful of email addresses from the sample tested by the Financial Review, most appeared to have been part of a previous, unrelated data breach collated on the website. However, some had not, indicating that the data could be legitimate because they were newly exposed addresses. The Financial Review cannot verify whether the data posted is real.
The account that posted the apology on Tuesday is the same one that posted the original ransom threat. However, the alleged data of 10,200 Australians that was made public has already appeared in new posts by different users.
“I like the saying of trying to remove data from the internet is like trying to remove pee from a pool,” said Troy Hunt, Microsoft executive and creator of HaveIBeenPwned.com.
Criminal investigation
“You would certainly be working on the assumption there is an ongoing risk to those individuals.”
There is no guarantee the poster’s claim to have the data in the first place was real. And if it was real, there is no way to guarantee the promise of deleting the data has been carried through. The links the poster provided to access the data are a malicious software (malware) risk.
“Optus was never going to pay that ransom. It’s one thing to ransom a company when it’s quiet … but to come out and demand that after it’s a massive news story and the data has already been obtained by another party, that’s another story,” Mr Hunt said.
Late on Monday, the Australian Federal Police announced a criminal investigation – Operation Hurricane – working with Optus, the Australian Signals Directorate and overseas law enforcement.
“Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them,” said Justine Gough, AFP assistant commissioner, Cyber Command.
“A key focus, which we have had success in the past, is to identify those criminals.
“It is an offence to sell or buy stolen identification credentials, with penalties of up to 10 years’ imprisonment. Our presence and focus extends outside Australian borders, and AFP specialised cyber investigators are permanently based in the United Kingdom, United States, Europe and Africa.”
Mr Hunt said hackers in this type of attack, which has been reported to be unsophisticated, were often found to be children or young adults.
“We’re all speculating here, the fact we hadn’t seen this individual before … the way they presented this … we see this last message, and you can imagine it being some kid going, ‘Oh this is getting out of control’. It’s very likely they’re not in Australia,” Mr Hunt said.
Home Affairs Minister Clare O’Neil said on Monday night that Optus had left the door open to a “basic” hack.
She told ABC’s 7.30 that Optus “left the window open for data of this nature to be stolen”, and signalled that the government would significantly increase the fines for such breaches.
Optus chief executive Kelly Bayer Rosmarin rejected the minister’s claim on Tuesday morning and repeated that the attack, in which millions of driver’s licences and passport numbers were stolen, was “sophisticated”, but said she was unable to go into details as police investigations were continuing.