Optus has been given a one-week ultimatum by its alleged hacker, who is demanding a ransom of US$1 million in the cryptocurrency Monero and threatening to sell customer data on the internet if it is not paid.
In a post on a notorious data leak forum, the hacker claims to have records for about 11.2 million Optus customers, including their names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses and ID document numbers such as driver’s licence or passport numbers.
The post adds: “Optus if you are reading! price for us to not sale data is US$1.000.000. We give you 1 week to decide”
The alleged hacker has tried to confirm the authenticity of these claims by releasing 200 sample records from the two datasets that are available for sale.
However, payment details and account passwords were not compromised in the attack.
Hacker's forum post
AFP investigating
Commenting on the hacker’s threats, an Australian Federal Police spokesperson said: “The AFP is aware of reports alleging stolen Optus customer data and credentials may be being sold through a number of forums, including the dark web.
“The AFP is using specialist capability to monitor the dark web and other technologies and will not hesitate to take action against those who are breaking the law.”
The spokesperson warned that it was an offence to buy stolen credentials, with those convicted facing a maximum penalty of 10 years in jail.
What's up for sale?
The hacker has split the data breached at Optus into two files, namely:
- Users data: 11.2 million records
- Addresses data: 10 million records
Together, the files are priced at US$300,000.
The two sets of data samples that have been made public include about 100 records and data fields like name, email address, physical address, passport number, licence number, birth date, whether or not a person is a homeowner, and more.
The data also covers both current and previous Optus subscribers.