“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,” the spokeswoman said, citing the 10 years’ jail maximum penalty for buying stolen data online.
The author of the forum post put up a sample of data, claiming it was stolen from Optus. There are some signs that the data is genuine, but it could have been compiled from other sources, such as previous cyberattacks on other companies. Another possibility is that the post is an attempt to con Optus or a criminal group into paying for false information.
The Sydney Morning Herald and The Age spoke to several people, on condition of anonymity, whose data appeared on the sample.
They confirmed that at least some of the information published was accurate, although in one case a person on the list did not think they had previously been an Optus customer.
The information included names, addresses, phone numbers, email addresses, driver’s licence details and even individuals’ preferred pronouns.
Jeremy Kirk, executive editor at Information Security Media Group, a computer security-focused publisher, said he had attempted to check the veracity of one item of data after he saw an address in the sample file that was close to his home in NSW.
“I thought rather than emailing or calling to see if it’s genuine – because a lot of times people don’t answer or reply – I thought it’s a Saturday morning, it’s not raining, it’s nice outside, I’ll go around,” Kirk said.
He said he spoke to a woman at the residence, who requested to remain anonymous, but confirmed she had been an Optus customer until 2018, which is within the breach timeframe that dates back to 2017.
“I handed her her data, and said ‘Is this you?’ and she said ‘Yeah that’s me’.”
Kirk offered to put the woman in touch with Optus to see whether there was special assistance the company could give her, given the exposure of her information.
He emphasised that it was possible that the data, even if genuine, could have been taken from other sources.
Several emails in the sample do not appear in Have I Been Pwned?, a site run by Australian cybersecurity consultant Troy Hunt that allows users to check if they have been caught up in a data breach. That suggests the data in the sample could have been newly obtained from Optus, could be fake, or could merely come from another hack not catalogued by the site.
The alleged ransom post claims the data is in two files containing similar information. It claims about 4 million records in both have an identity document number, as well as other personal information.
A spokesman for the Australian Cyber Security Centre, which is helping to investigate the breach, declined to comment.
The identity of the hackers is not known. Optus chief executive Kelly Bayer Rosmarin said on Friday that they used European internet addresses to hide their true location.
Robert Potter, co-founder of cybersecurity firm Internet 2.0, said it was common for hackers to sell stolen information on breach forums.
“It looks like real Australian data,” Potter said. “But we are still waiting for Optus to confirm it comes from their systems.”