Australian telecoms giant Optus confirmed on Monday that nearly 2.1 million of its current and former customers suffered a leak of their personal information and at least one form of identification number as a result of a data breach late last month.
The company also said it has engaged the services of Deloitte to conduct an external forensic review of the attack to “understand how it happened and how we can prevent it from happening again.”
Optus is wholly owned by Singaporean telecommunications conglomerate Singtel, which also has a significant stake in Bharti Airtel, the second largest carrier in India.
“Approximately 1.2 million customers have had at least one number from a current and valid form of identification, and personal information, compromised,” Singtel said in an announcement on its website.
It also said the breach affected expired IDs and personal information of about 900,000 additional customers. It further emphasized that the exposed data did not contain valid or current document ID numbers for around 7.7 million customers.
The leaked data is said to include email addresses, phone numbers and dates of birth, making it necessary for customers to remain wary of potential phishing and smishing attacks.
The company also said it has notified users whose current identification documents had been compromised in the attack. This includes driver’s license numbers, card numbers and Medicare ID numbers.
Of the 9.8 million customer records exposed, 14,900 valid Medicare IDs and 22,000 expired Medicare card numbers are estimated to have been exposed, Optus previously revealed on September 28.
The security incident, which became known on 22 September, involved a malicious actor gaining unauthorized access to customer information. It is not immediately clear how and when the actual break-in took place.
The attacker, using the alias “optusdata”, then published a small sample of the stolen data belonging to 10,200 users and demanded that Optus pay a $1 million ransom to avoid further leaks.
The self-identified hacker has since retracted the blackmail claim while apologizing for the crime and claiming that the “sole copy” of the stolen data had been destroyed, citing increased public attention.
While it is not known if “optusdata” is the person/group responsible for the breach, the Australian Federal Police (AFP) have launched twin operations to identify the perpetrators behind the attack and the “supercharge protection” of the 10,200 customers.
The latter, called Operation Guardian, offers “multi-jurisdictional and multi-layered protection against identity crime and financial fraud,” with the agency saying the affected users had 100 points of identification released online.
“There are reports of sophisticated fraudsters contacting Optus customers via phone, email and text to obtain further personal information from victims of the breach,” AFP warned last week.