Shortly after Australian telecommunications company Optus announced that the identity data of millions of customers had been stolen, an individual who claimed to be the hacker announced that they would delete the data for US$1 million.
When Optus failed to pay, the alleged hacker published 10,000 stolen records and threatened to release 10,000 more every day until the ransom deadline. These leaked records contain identity information such as driver’s license, passport, and Medicare numbers, as well as parliamentary and defense contact details.
A few hours after the data drop, the alleged hacker unexpectedly apologized and claimed to have deleted the data due to “too many eyes”, suggesting fear of getting caught. Optus confirms that they did not pay the ransom.
They Said They Deleted The Data – Now What? Is It Over?
Communications from the person claiming to be the hacker and the release of 10,200 records have all taken place on a website dedicated to buying and selling stolen data.
The data they released is now readily available and appears to be legitimate data stolen from Optus (its legitimacy has not been verified by Optus or the Australian Federal Police; the FBI in the United States has now been called in to aid the investigation).
The question then is, why would the hacker apologize and claim to delete the data?
Unfortunately, although the alleged hacker appeared to possess the legitimate data, there is no way to verify the deletion. We have to ask: what would the hacker gain by claiming to have deleted it?
It is likely that a copy remains, and it is even possible that the post is a trick to convince victims not to worry about their security – to increase the chances of successful attacks using the data. There is also no guarantee that the data has not already been sold to a third party.
Whatever the motives of the person claiming to be the hacker, their actions suggest that we should continue to expect all records stolen from Optus to remain in malicious hands.
Despite these developments, the recommendations still stand – you still need to take proactive action to protect yourself. These actions are good cyber hygiene practices regardless of the circumstances.
However, it is unclear at this early stage whether free options to modify these documents will be offered to all victims of data breaches, or just a subset of victims.
Can I find out if my data was part of the 10,200 leaked records?
Reports from people approached by scammers suggest the records are already in use.
Troy Hunt, the Australian cybersecurity professional who maintains HaveIBeenPwned – a website where you can check if your data is part of a known breach – has announced that he will not add the leaked data to the site at this stage. So this method will not be available.
The best course of action in this case is to assume that your data may have been released until Optus notifies people in the coming week.
Is the released data already being used?
The least technically advanced method of targeting Optus customers is to use the data to contact them directly and make ransom demands. There are reports that blackmailers are already targeting victims of the breach via SMS, claiming to have the data and threatening to post it on the dark web unless the victim pays.
The data has already been leaked and claims about the deletion of the data are untrue. Paying anyone who makes these claims will not increase the security of your information.
Data recovery scams – where scammers target victims with offers to help delete their data from the dark web or recover lost money for a fee – have also become prominent. Instead of helping, they steal money or obtain more information from the victim. Anyone who claims to be able to scrub the data from the dark web is claiming to be able to put toothpaste back in the tube. It is not possible.
The data may also be used to identify family members in order to make “Hi mum” or family impersonation scams more convincing. In these scams, scammers pose as a family member or friend from a new phone number, often via WhatsApp, and claim to urgently need financial help. Anyone who receives these types of text messages should make every effort to contact their relative or friend in a different way.
What else can my data be used for?
The scams associated with this data will only increase in the coming days and weeks and may not be limited to the digital world.
Other possible uses include activities such as trying to take over valuable online accounts or your SIM card, or setting up new financial services and SIM cards in your name. The advice we gave in our previous article is applicable to this.
In addition, anyone with reason to be concerned about physical safety if their location is known (for example, survivors of domestic violence) should consider the possibility that their names, phone numbers, and address may have been leaked, or may be in the future.