On September 22, 2022, Australian telecoms firm Optus revealed Optus Data Breach a security issue. Since then, a lot has transpired.

The majority of it reads like a screenplay.


According to a hacker using the alias “optusdata,” 10 million Optus subscribers’ personal information was obtained. Home addresses, licence numbers, Medicare numbers, and passport numbers were among the details. No financial information or passwords have been stolen.

On a specific webpage on its website, Optus announced the incident. Kelly Bayer Rosmarin, CEO of Optus, said:

We were shocked to learn that we had been the target of a cyberattack that had exposed our customers’ private information to unauthorised parties.

Although we are still unsure of exactly what occurred, there are several intriguing hypotheses out there.

Customers whose identifying document numbers, such as those on their driver’s licence or passport, were stolen as a result of the cyberattack, according to Optus, have all received emails or SMS messages.


Optusdata threatened to reveal 10,000 Optus customers’ data every day on an online forum if they didn’t get $1 million in cryptocurrencies. They started by publishing data from 10,200 clients.

The victims of the data breach have also begun to get texts warning them to pay AUD 2,000 ($1,300) within two days or their data will be sold on for “fraudulent activities,” which is unquestionably linked but most likely not by the same threat actor. Although the moniker “OptusData” appears in the messages, it is likely not the same individual and more likely someone who has just acquired access to the fragment of the dataset that the initial threat actor exposed.

Too much attention

Operation Hurricane, led by the Australian Federal Police in collaboration with the FBI and other law enforcement agencies, is an investigation into the data leak.

The AFP is keeping an eye on the dark web using a variety of specialised tools because there have been allegations of stolen data being sold there. Although thieves can’t see us because of anonymizing software and pseudonyms, I can assure you that we can see them.

Evidently, the threat actor was unable to handle the heat anymore. They wrote the following in a post on a forum where they announced the hack:

“Too many eyes. We won’t sell data to anyone, and if we did, we couldn’t even if we wanted to: personally wiped data from drive (Only copy)

Sorry too 10.200 Australian whos data was leaked.

Fraud will not benefit Australia; this may be observed. Perhaps for 10.200 Australians, but not for the majority of people. I’m truly sorry.

Optus is sincerely apologised to for this. I hope this leads to good things.

If Optus were reading this, please know that we would have contacted you about the vulnerability. There are no bug bounties, security mail, or way too messages.

We no longer care if the ransom was not paid. Scraping and publishing data in the first place was a mistake.

Note: I didn’t fix the mistakes because an expert might be able to deduce the writers’ native tongue from them.

Happy end?

Start with the positive news.

The Optus hack victims in Australia will be able to receive replacement cards and modify their licence numbers. The governments of New South Wales, Victoria, Queensland, and South Australia have begun removing administrative obstacles for anyone who can substantiate they were hacked victims. The switchover is likely to cost Optus several million dollars.

A class action lawsuit is also on the table.

Customers have the choice to sign up for a 12-month subscription to a credit monitoring and identity protection service through Optus.

The Commonwealth Bank acknowledged that it had located and blocked the SMS extortionist’s account.

Optus will get in touch with every customer whose Medicare card is still valid. 22,000 more expired Medicare card numbers were also disclosed, and those cardholders would also be contacted immediately. Optus claims that accessing personal information with simply a Medicare number is not possible.

Uncertainty is, of course, the bad news. When the threat actor says they have deleted the data, can we truly believe them? Why should we accept their word for it when they have been shown to be a criminal? Even the assumption that the poster of that statement is the true owner of the data is not one we can make with absolute certainty.

Therefore, practise safety and keep an eye out for phishing campaigns that will definitely attempt to capitalise on these occurrences.