No Optus customers suffered financial damage as a result of the attack on the telecommunications provider, says CEO Kelly Bayer Rosmarin.
While Optus initially noted that 9.8 million customers could be “potentially affected” by the September data breach, details of 10,200 customers were actually exposed publicly, Ms Bayer Rosmarin said at the Australian Financial Review Business Summit in Sydney on Wednesday.
“And most importantly, no customer has suffered any financial loss or been the victim of crime due to the misuse of this data,” she said.
Most of the customer details in the 20 terabytes of stolen data were not particularly sensitive, the kind people regularly post on their Facebook pages, but included driver’s license numbers that could be combined with other data to be used in phishing attacks, she said.
The most likely scenario was that the hacker wanted to use the data for SIM card swapping or phishing attacks, “which we shut down by going public so quickly and putting the whole nation on alert,” Bayer Rosmarin said.
The data breach was the first in a wave of attacks last September and October that hit major Australian corporations including Medibank Private, EnergyAustralia and Woolworths.
Ms Bayer Rosmarin said Optus had done “serious soul-searching” in the wake of the data breach and was “really sorry.”
She said it might be reassuring for others to think Optus was an easy target or hadn’t invested enough in security, but that’s not what happened.
“We can confirm that this attack was premeditated and that it was carried out by motivated and trained cybercriminals who designed the attack just for Optus,” said Ms. Bayer Rosmarin.
She said she couldn’t provide further details because the hack was under active criminal investigation.
The hacker posted the details of Optus’ 10,200 customers on the dark web when the company refused to pay a $1 million ransom.
“Everyone has a policy of not paying a ransom and as we know many companies do,” Bayer Rosmarin said.
“Practicing, rehearsing, whatever you want to do is not the same as being in the moment where you are trying to do the right thing.
“So I think it’s very absolutist to say never (pay a ransom).”
Ms. Bayer Rosmarin said that in this case, Optus did not pay one.
The chief executive also criticized the press coverage of the hack, saying it was “very clear” to her that the media was not always focused on providing “good, accurate reporting that would really help the public understand and respond to this incident.”
Some reports focused instead on “where I was on a particular day or my dog’s name,” she said.