The hacker who claims to be behind the Optus cyberattack has apologised for leaking customer data and walked back threats to release more unless they’re paid $1 million USD ($1.5 million AUD) in the next four days.
The hacker, known as Optusdata, posted on Tuesday morning that there were “too many eyes” on them and that they had decided not to attempt to sell or leak any more data.
The hacker also offered their “deepest apology” to Optus and said they “hope all goes well from this”.
“Optus if your (sic) reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message,” the message read.
“Ransom not paid but we don’t care any more.”
Hacker deleted the Optus Data? pic.twitter.com/7DQarun7Fb
— Arak (@arak_au) September 27, 2022
This update came after they said late on Monday they had released 10,000 customers’ data already and would release a new batch of data every day until their ransom demands were met.
The hacker said today it was a “mistake” to publish that data in the first place.
Bad news. The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn’t give into the extortion demand. #OptusDataBreach #optushack #auspol #infosec pic.twitter.com/NuGe7Pup8l
— Jeremy Kirk (@Jeremy_Kirk) September 26, 2022
Reports also emerged on Tuesday that customers had received scam text messages that included their personal information and demanded payment in exchange for keeping it private.
One anonymous Optus customer told news.com.au he received a text on Monday night with his personal details including his name, address and employment history that demanded he pay “or we sell all”.
“This is OPTUS, We give datails (sic) yours to every1. Now you pay us or we sell all,” the message read.
It then listed the man’s home address and a former employer, before another text was sent that read: “Just fucking with you.”
Nine News reporter Chris O’Keefe also posted a screenshot of a text message on Twitter sent to a cyberattack victim demanding they pay $2000 to a Commonwealth Bank account.
“Hello, Optus has left security measures allowing us to access the personal information of their customers including name, email, phone number, date of birth, address and license number,” the text read.
“Optus has since not responded to our demand of paying the 1M$USD ransom as such your information will be sold and used for fraudulent activity within 2 days or until a payment of $2,000AUD is made then the confidential information will be erased off our systems.”
The message requested “bank transfer $2000” to an account named OptusData.
Victims of Optus data hack are now receiving text messages from hackers demanding $2000AUD be paid into a CBA bank account, with threats their data will be sold for “fraudulent activity within 2 days.” @9NewsAUS pic.twitter.com/J57inlyyut
— Chris O’Keefe (@cokeefe9) September 27, 2022
The hacker said in their message on Monday night that $1 million was a “small price to pay” if Optus really cared about its customers, compared to its multi-billion-dollar annual revenue. The telco reported $7.8 billion in revenue in the 2021/22 financial year.
They claimed to have the data of about 11.2 million Optus customers, including names, dates of birth, contact details, addresses and ID numbers such as driver’s licence and Medicare numbers.
The message said Optus had four days to pay before they leaked the lot.
Before the hacker posted an apology, Optus CEO Kelly Bayer Rosmarin told ABC Radio on Tuesday morning that the Australian Federal Police were investigating the ransom demands.
“We have seen that there is a post like that on the dark web and the Australian Federal Police is all over that,” she said.
Home Affairs Minister Clare O’Neil said at the weekend that steps needed to be taken to ensure such cyberattacks didn’t happen again. She said several changes to company regulations would be announced by the Federal Government in the coming days.
Australian companies must do all they can to protect their customers’ data. I will have much more to say in coming days about the Optus cyber attack and what steps need to be taken in the future.
— Clare O’Neil MP (@ClareONeilMP) September 24, 2022
In the meantime, if you’re an Optus customer and you’re worried about your data, there are some steps you can take to protect yourself.