No Optus customer suffered financial harm as a result of the hack on the telecommunications provider, CEO Kelly Bayer Rosmarin says.
While Optus initially flagged 9.8 million customers could be “potentially impacted” in the September data breach, the details of 10,200 customers were actually exposed publicly, Bayer Rosmarin told the Australian Financial Review Business Summit in Sydney on Wednesday.
“And more importantly, not a single customer has suffered any financial loss or fallen victim to a crime through misuse of this data,” she said.
Most of the customer details in the 20 terabytes of stolen data weren’t particularly sensitive—of the type that people regularly publish on their Facebook pages—but did include driver’s licence numbers that could be combined with other data for use in phishing attacks, she said.
The most likely scenario was the hacker wanted to use the data for SIM card swaps or phishing attacks, “which we shut down by going public so quickly and putting the whole nation on alert”, Bayer Rosmarin said.
The data breach was the first of a wave of hacks last September and October that hit major Australian corporations, including Medibank Private, EnergyAustralia and Woolworths.
Bayer Rosmarin said Optus had done “serious soul searching” in the wake of the data breach and was “truly sorry” about it.
She said it might be reassuring for others to think Optus was an easy target or had under-invested in security, but that wasn’t what happened.
“We can confirm that this attack was premeditated and that it was undertaken by motivated, skilled cybercriminals who crafted the attack just for Optus,” Bayer Rosmarin said.
She said she could not elaborate because the hack was under active criminal investigation.
The hacker posted the details of the 10,200 Optus customers on the dark web when the company declined to pay a $1 million ransom.
“Everybody has a policy of not paying a ransom and as we know, a lot of companies do,” she said.
“Practising, rehearsing, whatever you want to do is not the same as being in the moment when you’re trying to do the right thing.
“So I think it is very absolutist to say never (pay a ransom).”
Ms Bayer Rosmarin said in this case, Optus didn’t pay one.
The CEO also faulted press coverage of the hack, saying it became “very clear” to her the media wasn’t always focused on providing “accurate, good reporting that was actually helping the public make sense of and responding to this incident”.
Some reports focused instead on “where I happened to be on a particular day or the name of my dog”, she said.