
The 2022 Optus Data Breach

The 2022 Optus data breach was a significant incident that occurred in September 2022, affecting the Australian telecommunications company Optus. Here are some key details about the breach:

  • Discovery and Notification: On September 20, Optus’s technical team detected suspicious activity on their network and initiated an investigation. The following day, it was confirmed that Optus had experienced a data breach, and regulators were promptly informed. On September 22, Optus publicly announced the breach, informing news agencies about the incident. While Optus urged customers to remain vigilant for fraudulent activity, they were uncertain about the potential harm caused by the breach and the exact number of affected customers.
  • Nature of the Breach: Optus denied claims made by an insider suggesting that the breach resulted from an accidental exposure of their API on a test network. Instead, they maintained that a sophisticated breach had occurred and emphasized the strength of their cybersecurity system. Optus disclosed that the intrusion involved scraping a portion of their consumer database, with only one-third of the total data being copied and extracted.
  • Criminal Investigation and Ransom Note: Optus, in collaboration with the Australian Federal Police (AFP), initiated a criminal investigation into the breach. On September 24, reports emerged that data obtained from the breach was being sold online, prompting monitoring of the dark web. Additionally, a ransom note demanding a payment of $1,000,000 (AUD $1,500,000) in Monero cryptocurrency was posted on BreachForums. The legitimacy of the ransom note was acknowledged by some cybersecurity experts.

The breach potentially impacted up to 9.7 million current and former Optus customers. Illegally obtained information included personal details such as names, birthdates, home addresses, phone numbers, email contacts, as well as passport and driving license numbers. Optus took immediate action upon discovering the breach, involving regulators, denying claims of an accidental exposure, and initiating a criminal investigation in collaboration with the AFP.

Disclosure: 24 September

Impact:

On the day that the breach was announced, Optus set up a “war room” to deal with the breach at its headquarters in Macquarie Park. This involved around 150 employees, and was headed by former Premier of New South Wales Gladys Berejiklian and regulatory and public affairs head Andrew Sheridan. The purpose of the war room was to coordinate and streamline the response efforts, allowing for swift decision-making and effective communication. With a breach of this magnitude, having a central command center helps ensure a focused and organized response. The team likely included experts from various departments, such as IT security, legal, communications, and customer support, working collaboratively to assess the impact, mitigate risks, communicate with affected customers, and implement measures to prevent future breaches.

On October 6, Dennis Su, a 19-year-old man from Sydney, was arrested by the Australian Federal Police (AFP) at his residence in Rockdale. He was charged with blackmailing 93 Optus customers who were affected by the data breach. Su allegedly threatened to commit financial crimes using the customers’ personal data unless they paid him a sum of $2000 AUD. However, none of the customers complied with his demands.

Following his arrest, Su was charged with two offenses. The first charge was related to using a telecommunication network with the intention to commit a serious offense. The second charge was for dealing with identification information with the intent to commit an offense. If convicted, Su could face a combined maximum penalty of seventeen years in jail.

The arrest and charging of Dennis Su demonstrate law enforcement’s commitment to taking swift action against individuals involved in cybercrimes and protecting the victims of such breaches. By apprehending and prosecuting the alleged blackmailer, authorities aim to send a strong message that such activities will not be tolerated and that those responsible will be held accountable for their actions.


Disclaimer: The information provided herein is on an “as is” basis, without warranty of any kind.