The purported hacker who stole personal information from up to 9.8 million Optus users has apologised for their actions and claims to have deleted the stolen data.
In a sensational twist, the hackers – who hours earlier began leaking stolen information in a bid to draw Optus into a US$1 million ($1.53 million) ransom – now say there are “too many eyes” and that the data won’t be sold.
“We will not sale [sic] data to anyone. We cant if we even want to: personally deleted data from drive (Only copy),” a user claiming to be the hackers said.
The revelations were detailed in an online forum that the hacker has used to drip-feed information stolen from Optus last Wednesday.
Available evidence suggests the data is legitimate, though neither Optus nor the Australian Federal Police has confirmed it.
Earlier on Tuesday morning, the same account published reams of email addresses, phone numbers, licence numbers, and Medicare numbers that they claimed (and testing indicates) were from Optus customers.
But in a possible change of heart, the account then deleted earlier forum posts and apologised to Optus and those whose data was leaked.
“Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you,” they said.
“Deepest apology to Optus for this. Hope all goes well from this.”
The user also took another stab at the telco (after earlier claiming they gained access to Optus’ data due to “bad access control”), saying that they would have reported the exploit if Optus “had a method to contact”.
“Optus if your [sic] reading we would have reported exploit if you had method to contact. No security mail, no bug bountys [sic], no way too [sic] message,” the user wrote.
“Ransom not payed but we don’t care any more. Was mistake to scrape publish data in first place.”
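The complaint in the quote above, that there was no security mailbox and no reporting channel, is the gap that RFC 9116 (security.txt) exists to close: a plain-text file served at /.well-known/security.txt that tells a researcher where to send a report and under what policy. The snippet below is an added illustration of that format, not anything from Optus or from the article; the contact address, URLs and expiry date are placeholder values.

```text
# Placeholder security.txt in the RFC 9116 format (illustrative values only)
Contact: mailto:security@example.com
Expires: 2023-12-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://www.example.com/.well-known/security.txt
Policy: https://www.example.com/security-policy
```

Contact and Expires are the two mandatory fields; a file with a past Expires date is treated as stale, so the expiry needs to be tracked like any other certificate or credential renewal.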
It’s impossible to know whether the purported hackers actually deleted Optus’ user data, but the revelations suggest the account will cease drip-feeding stolen information that journalists have been able to verify.
Troy Hunt, an Australian information security consultant, said he believed the user behind the apology was the same one who earlier leaked the Optus data.
Mr Hunt maintains a database of compromised personal information used by governments including Australia and Britain, and which has been used to verify the authenticity of data leaked by the Optus hacker.
“They’ve removed the data and effectively apologised. But the data they’ve already put out there [10,000 people’s] has already been reposted to the forums,” Mr Hunt said.
“That’s already out there. You can’t get that genie back in the bottle.”
“It was getting a huge amount of attention and there was a lot of mention of three-letter acronym agencies which may have shaken up [their] day.”
Optus under fire
It all comes as Optus faces growing pressure over the hack, which was revealed by the telco last week and affects up to 10 million users.
Optus first said personal information including names, emails, phone numbers, licences and passport numbers were all exposed.
But among data released by the purported hackers on Tuesday were Medicare numbers, data Optus did not include in earlier statements.
Optus declined to comment when asked about this on Tuesday, citing an ongoing AFP investigation.
“Optus is working directly with the AFP and other government agencies to resolve this matter,” a spokesperson for the telco said.
“At the AFP’s request we can’t comment any further so as not to prejudice their investigational lines of enquiry.”
Home Affairs Minister Clare O’Neil said she was “incredibly concerned” at reports that personal data from the Optus hack has now been leaked.
“Medicare numbers were never advised to form part of compromised information from the breach,” Ms O’Neil said on Tuesday morning.
“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them.”
The comments came after Ms O’Neil delivered a scathing assessment of Optus’ cyber security practices on Monday, flagging a crackdown.
Optus’ chief executive Kelly Bayer Rosmarin told reporters last Friday that the hack was “sophisticated”, while refusing to divulge any details.
But Ms O’Neil says that the cyber attack was actually a “basic hack”.
“We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen,” Ms O’Neil told the ABC’s 7:30 on Tuesday night.