Breach Notification , Cybercrime , Cybercrime as-a-service

Australian Telco Optus Warns of 'Significant' Data Breach

Current and Former Customers' Contact Details Exposed, But No Financial Information
Australian Telco Optus Warns of 'Significant' Data Breach
Photo: Optus

Australian telecommunications firm Optus is warning current and former customers that their personal details were exposed after it suffered a major data breach.

See Also: Check Kiting In The Digital Age

"Information which may have been exposed includes customers' names, dates of birth, phone numbers, email addresses and for a subset of customers, addresses, ID document numbers such as driver's license or passport numbers," the company says in a data breach notification issued Thursday. "Payment detail and account passwords have not been compromised."

Optus has more than 10.2 million customers, accordingly to publicly available data, and is Australia's second-largest telecommunications company, providing landlines, mobile connectivity, internet and cable access, leased lines and more. It is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group.

The company's data breach notification doesn't detail when the breach began, when it was discovered and how, if there are any indications of who might have perpetrated the attack or how many current and former customers were affected. Optus didn't immediately respond to a request for comment.

But when asked Thursday how many current and former customers might be affected, Optus CEO Kelly Bayer Rosmarin told Australian broadcaster ABC: "It's just too early for us to give specific numbers. It is a significant number and we want to be absolutely sure when we come out and say how many."

Optus Alert: Beware Fraud

Rosmarin says in a statement that the company is issuing the breach notification now to alert customers to watch for signs of fraud (see: Data Breach Notifications: What's Optimal Timing?).

"While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance," she says. "We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organizations."

The company says it's being assisted by the Australian Cyber Security Center and has notified the Australian Federal Police, the Office of the Australian Information Commissioner and regulators about the breach. Banks have also been notified, it says, so they can watch for suspicious activity. "While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious," it says.

The company says that "for customers believed to have heightened risk," it plans to offer "proactive personal notifications" as well as "expert third-party monitoring services." It gave no timeline for when it expects to determine who is at heightened risk or when it might offer notifications and services.

Optus says none of its services - including mobile and consumer internet - were disrupted by the data breach and that attackers do not appear to have compromised either landline or mobile calls.

But given the risk posed by phishing attacks to individuals whose names, email addresses and phone numbers were exposed, the company is warning all current and former customers: "Optus will not be sending links in any emails or SMS messages."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.