The hacker who claimed to have breached Optus and stolen the data of 11 million customers has withdrawn their extortion demands after facing increased attention by law enforcement. The threat actor also apologized to 10,200 people whose personal data was already leaked on a hacking forum.
Optus, Australia’s second-largest mobile operator, first disclosed the security breach on September 22, 2022, saying that an attacker might have gained access to customers’ personal information.
This information includes a customer’s name, dates of birth, phone numbers, email addresses, physical addresses, driver’s licenses, and passport numbers, but no account passwords or financial information.
On September 23, 2022, a hacker using the alias “optusdata” published a small sample of the stolen data on the Breached hacking forum and demanded that the firm pay a $1,000,000 (USD) ransom or the data for 11,000,000 customers would be publicly leaked.
Optus didn’t give in to the extortion demands and instead engaged with law enforcement authorities to investigate the incident.
The hacker told reporter Jeremy Kirk that they used an unsecured API endpoint to steal the data rather than breaching the company’s internal systems.
After not receiving a ransom demand, the threat actor released a larger sample of stolen data for 10,000 Optus customers for free on the same hacking forum, allowing threat actors to download and abuse it for their own campaigns.
Today, reports from victims of the data breach have started to receive messages demanding the payment of AUD 2,000 ($1,300) within two days, or their data would be sold to other hackers.
The threat actor listed a Commonwealth Bank of Australia (CBA) account to receive the money, which the financial institution has since blocked.
While the texts include the name ‘OptusData’ used by the original hacker, it is unclear if they are behind the SMS texts or another threat actor who downloaded the leaked data sample.
Giving up on the extortion
Today, the alleged Optus hacker posted a new message on Breached stating that the stolen data will no longer be sold or leaked to anyone due to increased scrutiny on the data breach.
The threat actor also claimed that the stolen data had been deleted from their device that held the only copy and apologized to both the exposed Optus customers and the company.
“Too many eyes. We will not sale data to anyone. We can’t if we even want to: personally deleted data from drive (only copy),” claims the threat actor.
It’s worth noting that the particular user was never officially confirmed as the person or group responsible for the Optus breach.
However, the decision to stop extorting the company likely comes in response to the Australian Federal Police (AFP) announcing yesterday that they launched “Operation Hurricane” to identify the threat actors behind the breach and extortion demands.
“We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities,” announced the AFP.
“Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them.”
As part of this operation, the AFP is working closely with overseas law enforcement to identify and apprehend those behind the attack.
Should AFP identify the person(s) responsible for the Optus breach, they will face penalties of up to ten years in prison.
Optus continues to update its customers on the situation via a dedicated portal on its website. In addition, yesterday, it offered all impacted individuals a 12-month subscription to credit monitoring and identity protection service through Equifax.
The driver’s licenses that the attackers have stolen will be invalidated, as threat actors could use them to forge fake documents that match entries in the state’s system.
Finally, Cyber Security Minister Clare O’Neil told ABC during an interview that Australia’s current regulatory framework isn’t strict enough, and companies need to ramp up their effort to protect customer data as it happens in Europe with GDPR.
The official criticized Optus’s security stance, saying it “left the window open” for the hackers, so this incident might spark regulatory changes in the country.