Shortly after Australian telecoms company Optus announced that the identity data of millions of customers had been stolen, a person claiming to be the hacker announced that they would delete the data for $1 million.
When Optus didn’t pay, the alleged hacker released 10,000 stolen records and threatened to release tens of thousands more every day until the ransom deadline. These leaked records contained identity information such as driver’s license, passport, and Medicare numbers, as well as parliamentary and defense contact information.
A few hours after the data drop, the alleged hacker unexpectedly apologised and claimed to have deleted the data because of “too many eyes,” suggesting fear of being caught. Optus confirms it did not pay the ransom.
They said they deleted the data – now what? Is it over?
The communications from the person claiming to be the hacker and the release of 10,200 records were all on a website dedicated to buying and selling stolen data.
The data they released is now readily available and appears to be legitimate data stolen from Optus (its legitimacy has not been verified by Optus or the Australian Federal Police; the FBI in the United States has now been called in to assist in the investigation).
The question then is – why would the hacker express remorse and claim to erase the data?
Unfortunately, although the alleged hacker apparently possessed the legitimate data, there is no way to verify the deletion. We have to ask ourselves: what would the hacker gain by claiming to delete it?
It’s likely that a copy remains, and it’s even possible that the post is a ploy to convince victims not to worry about their security – to increase the likelihood of successful attacks using the data. There is also no guarantee that the data has not already been sold to third parties.
Regardless of the motivations of the person claiming to be the hacker, their actions suggest that we should continue to expect any records stolen from Optus to remain in malicious hands.
Despite the developments, the recommendations remain – you should continue to take proactive measures to protect yourself. These measures are good cyber hygiene practices regardless of the circumstances.
Read more: What does the Optus data breach mean for you and how can you protect yourself? A step-by-step guide
However, at this early stage, it is unclear whether all data breach victims, or just a subset of victims, will be given free options to modify these documents.
Can I find out if my data was part of the 10,200 leaked records?
Reports from people contacted by scammers suggest that the leaked records are already in use.
Troy Hunt, the Australian cybersecurity expert who maintains Have I Been Pwned – a website where you can check if your data is part of a known breach – has announced he will not add the leaked data to the website at this stage. So this method will not be available.
In this case, it’s best to assume that your data may have been released. Optus will notify people in the coming week.
Is the shared data already in use?
The least technically sophisticated way to target Optus customers is to use the details to make direct contact and demand a ransom. There are reports that blackmailers are already contacting victims of the breach via text message, claiming to have the data and threatening to publish it on the dark web unless the victim pays.
The data has already been leaked and claims about deleting the data are not true. Paying someone who makes these claims does not increase the security of your information.
Data recovery scams – where scammers target victims offering help to remove their data from the dark web or recover lost money for a fee – have also become prominent. Instead of helping, they steal money or get more information from the victim. Anyone who claims to be able to scrub the data off the dark web is claiming to put toothpaste back in the tube. It is not possible.
The data could also be used to identify family members in order to make “Hello mum” or family identity fraud more convincing. In these scams, fraudsters use a new phone number to pose as a family member or friend, often on WhatsApp, who is in dire need of financial help. Anyone who receives such a text message should try to contact their family member or friend by other means.
What else can my data be used for?
The scams involving this data will only increase in the coming days and weeks and may not be limited to the digital world.
Other potential uses include activities such as trying to take over valuable online accounts or your SIM card, or setting up new financial services and SIM cards in your name. For these, the advice we gave in our previous article applies.
Additionally, anyone who has cause for concern about physical safety if their whereabouts are known (e.g., survivors of domestic violence) should consider the possibility that their names, phone numbers, and addresses may have been leaked or could be leaked in the future.