Optus has suffered a cyber attack and data breach involving the details of potentially millions of customers, with “a subset” having their identity documentation exposed.
The Australian reported Thursday that “about 2.8 million” customers had personal details exposed in the attack, though Optus has not put any numbers out publicly on the impacted cohort.
Early on Friday, Emsisoft threat analyst Brett Callow posted a screenshot on Twitter that purported to show a database of 1.1 million Optus customers' details, comprising names, email addresses and mobile numbers.
It had been offered for sale since September 17.
An Optus spokesperson declined to confirm the number to iTnews, saying an investigation is still underway.
The telco did not say when the attack and breach took place, nor offer any information on how it was detected.
A spokesperson told iTnews that Optus "went out with the media statement within 24 hours of establishing that customers' information had been compromised."
'Devastated'
CEO Kelly Bayer Rosmarin said the telco was “devastated to discover” the attack, which “has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it.”
“As soon as we knew, we took action to block the attack and began an immediate investigation,” she said.
“While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.
“We are very sorry and understand customers will be concerned.”
The telco said it is in the process of contacting impacted customers directly.
It added that data that “may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers.”
It said account passwords and payment details “have not been compromised.”
Optus also said that its telecommunications services “remain safe to use and operate as per normal.”
More details emerge
Optus posted an FAQ late on Thursday evening that provided scant additional detail on the incident.
The telco did say that, in response to the attack and data breach, it is "temporarily stopping SIM swaps and replacements, as well as change of ownership [activities]" by its "online, phone and messaging support teams".
"To protect our customers, these requests can be completed in any of our Optus Retail locations with relevant ID," it said.
Optus also confirmed that Amaysim, which is now owned by Optus, is not impacted.
It added that it has called in "the Australian Cyber Security Centre to mitigate any risks to customers" and "notified the Australian Federal Police, the Office of the Australian Information Commissioner (OAIC), and key regulators."
OAIC said in a statement of its own that it would "engage with Optus to ensure compliance with the requirements of the notifiable data breaches (NDB) scheme in accordance with our usual process."