“I can categorically confirm that that is not the case,” Sheridan said on Melbourne radio, without going into details.
Retired major general Marcus Thompson, a former head of the Australian Defence Force’s information warfare division, said hacking groups were known to try to hide their identity and location by using multiple addresses.
He said Optus had responded quickly in disclosing the breach, which underscored the risks to all other major Australian organisations.
“There’ll be plenty of CEOs and boards looking and saying, ‘There but by the grace of God go I,’ ” said Thompson, now a strategic adviser with cybersecurity firm Paraflare among other corporate roles. “This could have happened to anyone.”
The 9.8 million figure is an “absolute worst case” and the company expects the true number affected to be smaller, with reports that about a third of Optus’ customer database was copied. A spokesman for the company said the data was encrypted and secured but had still been accessed.
She emphasised that the company had gone public with the breach quickly so that customers could be alert to scams or fraudulent requests and was continuing to investigate in conjunction with the Australian Cyber Security Centre, the government agency that responds to major digital incidents.
In a statement, the Australian Federal Police confirmed it had received a referral from Optus on Friday and said its cyber command division would pursue the “complex, criminal investigation”.
“No passwords or bank details were taken,” Bayer Rosmarin said. “So, there isn’t a simple message like update your passwords or talk to your financial institution.”
She declined to say how Optus would contact affected customers but said it would tell all customers “over the next few days” how much, if any, of their data had been stolen.
Small business customers may have been caught up in the breach but Optus has confirmed that its enterprise wing and other brands on its network, such as Coles Mobile and Amaysim, have not been affected.
A spokesman for Cybersecurity Minister Clare O’Neil declined a request to interview the minister, deferring to Optus on the breach. Her office has previously confirmed the cybersecurity centre is involved and pointed to rising online attacks against Australian businesses.
But Opposition Leader Peter Dutton questioned the government’s silence, saying O’Neil was “missing in action”. “There are a lot of people who are very concerned, particularly older Australians, about what has happened here,” Dutton said in Canberra.
On September 17, a pseudonymous user on an online hacking forum purported to offer more than 1 million Optus phone numbers for sale. But other users have cast doubt on whether that database is related to the hack, suggesting it could have been compiled from other sources.
“We are still working to validate that that information is relevant and is even Optus data,” Bayer Rosmarin said.