The Australian federal police is investigating after the data of millions of Optus customers exposed during a recent hack was allegedly put up for sale online.
On Saturday morning a post appeared on a data market from a user claiming to be in possession of the information obtained from the breach with a demand for $1m in Monero cryptocurrency.
The user posted a sample of the data. The cybersecurity researcher Jeremy Kirk said the sample appeared to correspond to real-world addresses and people, which suggested the post was genuine.
“Someone is claiming to have stolen Optus account data for 11.2 million users,” he said online. “They want $1m in the Monero cryptocurrency from Optus to not sell the data to other people. Otherwise, they say they will sell it in parcels.”
Even if Optus was to pay the ransom, there is no guarantee the user would stick to an agreement not to sell the data elsewhere.
Kirk said he had verified some of the information by speaking to a neighbour whose name and address was contained in the sample.
“I found the person in the dataset. She was working in her front yard. She wants to stay unnamed but confirmed she is a former Optus customer and that her data is accurate. We still need a confirm from Optus on the data but this is all lining up,” he said.
“I explained who I was and handed her a printout of her data (as an aside, kind of a weird experience – shoe leather journalism meets cyberspace). She said it was kind of scary. She hadn’t been contacted by Optus yet.”
This information could not be immediately verified but a spokesperson for the AFP said the agency was aware of claims the data had been put up for sale.
“The AFP is aware of reports alleging stolen Optus customer data and credentials may be being sold through a number of forums, including the dark web,” they said.
“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law.”
The spokesperson warned that it was an offence to buy stolen credentials with those convicted facing a maximum penalty of 10 years in jail.
A spokesperson for the attorney general, Mark Dreyfus, said his office was seeking an “urgent” meeting with Optus to “ascertain the proactive steps they are taking to minimise harm to Australians who’ve lost data”.
“The attorney general has also had several briefings about the Optus hack and the threat it poses to Australians’ private data from the privacy commissioner,” the spokesperson said.
Optus on Thursday announced it had suffered a massive cyber-attack, with the personal information of up to 9.7 million customers stolen, including names, dates of birth, addresses and contact details.
Many customers have reported a nervous wait to be contacted by Optus or having to take matters into their own hands and call the company to find out whether they had been exposed in the attack.
In a new statement on the attack, Optus said it was cooperating with authorities while it was continuing to contact customers who may have had their data stolen.
The company said that since it announced the attack, it had become aware that cybercriminals may begin targeting Optus customers with phishing scams.
It warned customers to be wary of links sent in SMS texts or emails.
“We have been advised that our announcement of the attack is likely to trigger a number of claims and scams from criminals seeking to benefit financially,” the statement said.
“If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus. Please do not click any links.”
The Department of Foreign Affairs and Trade, which overseas the Passport Office, did not immediately respond to questions about whether it would automatically reissue passports of those affected.
A spokesperson instead referred to statements published on Friday which sought to make clear there had been no breach of passport systems.
In one FAQ, under a section titled “Why do I have to pay to replace my passport when this wasn’t my fault”, the answer said: “We weren’t responsible for the data breach.”
Those who are affected are advised that it is up to the individual to apply for a new passport.
Applications to replace a passport cost $308.