Enter your email to read this article
Read news on any topic, in one place, from publishers like The Economist, FT, Bloomberg and more.

‘Deepest apology’: Alleged Optus hacker claims stolen data has been deleted

Accused Optus hacker releases 10,000 stolen records 10 News First – Disclaimer

The purported hacker who stole personal information from up to 9.8 million Optus users has apologised for their actions and claims to have deleted the stolen data.

In a sensational twist, the hackers – who hours earlier began leaking  stolen information in a bid to draw Optus into a US$1 million ($1.53 million) ransom – now say there are “too many eyes” and that the data won’t be sold.

“We will not sale [sic] data to anyone. We cant if we even want to: personally deleted data from drive (Only copy),” a user claiming to be the hackers said.

The revelations were detailed in an online forum that the hacker has used to drip-feed information stolen from Optus last Wednesday.

Available evidence suggests the data is legitimate, though neither Optus or the Australian Federal Police have confirmed it.

Earlier on Tuesday morning, the same account published reams of email addresses, phone numbers, licence numbers, and Medicare numbers that they claimed (and testing indicates) were from Optus customers.

But in a possible change of heart, the account then deleted earlier forum posts and apologised to Optus and those whose data was leaked.

“Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you,” they said.

“Deepest apology to Optus for this. Hope all goes well from this.”

A forum post written by the purported hackers on Tuesday apologising for the hack and claiming to have deleted the data. (click to enlarge). 

The user also took another stab at the telco (after earlier claiming they gained access to Optus’ data due to “bad access control”)  saying that they would have reported the exploit if Optus “had a method to contact”.

“Optus if your [sic] reading we would have reported exploit if you had method to contact. No security mail, no bug bountys [sic], no way too [sic] message,” the user wrote.

“Ransom not payed but we don’t care any more. Was mistake to scrape publish data in first place.”

It’s impossible to know whether the purported hackers actually deleted Optus’ user data, but the revelations suggest the account will cease drip-feeding stolen information that journalists have been able to verify.

Troy Hunt, an Australian information security consultant, said he believed the user behind the apology was the same one who earlier leaked the Optus data.

Mr Hunt maintains a database of compromised personal information used by governments including Australia and the Britain, and which has been used to verify the authenticity of data leaked by the Optus hacker.

“They’ve removed the data and effectively apologised. But the data they’ve already put out there [10,000 people’s] has already been reposted to the forums,” Mr Hunt said.

“That’s already out there. You can’t get that genie back in the bottle.”

“It was getting a huge amount of attention and there was a lot of mention of three-letter acronym agencies which may have shaken up [their] day.”

Optus under fire

It all comes as Optus faces growing pressure over the hack, which was revealed by the telco last week and affects up to 10 million users.

Optus first said personal information including names, emails, phone numbers, emails, licences and passport numbers were all exposed.

But among data released by the purported hackers on Tuesday were Medicare numbers, data Optus did not include in earlier statements.

Optus declined to comment when asked about this on Tuesday, citing an ongoing AFP investigation.

“Optus is working directly with the AFP and other government agencies to resolve this matter,” a spokesperson for the telco said.

“At the AFP’s request we can’t comment any further so as not to prejudice their investigational lines of enquiry.”

Home Affairs Minister Clare O’Neil said she was “incredibly concerned” at reports that personal data from the Optus hack has now been leaked.

“Medicare numbers were never advised to form part of compromised information from the breach,” Ms O’Neil said on Tuesday morning.

“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them.”

The comments came after Ms O’Neil delivered a scathing assessment of Optus’ cyber security practices on Monday, flagging a crackdown.

Optus’ chief executive Kelly Bayer Rosmarin told reporters last Friday that the hack was “sophisticated”, while refusing to divulge any details.

But Ms O’Neill says that the cyber attack was actually a “basic hack”.

“We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen,” Ms O’Neil told the ABC’s 7:30 on Tuesday night.

Related Stories
Alleged Optus hacker deletes extortion threat and apologises after releasing more personal data
An account claiming to have hacked Optus has deleted its extortion threat and apologised, not long after releasing a data set it claimed belonged to 10,000 customers.
From analysis to the latest developments in health, read the most diverse news in one place.
The 'Optus hacker' claims they've deleted the data. Here's what experts want you to know
Shortly after Australian telecommunications company Optus announced the identity data of millions of customers had been stolen, a person claiming to be the hacker announced they would delete the data for US$1 million.
Optus under further fire for cyber breach, purported hacker claims data deleted
Australian telecoms giant Optus came under more fire from the government on Tuesday for a massive cyber breach, while an anonymous online account believed to be that of the hackers said it was deleting stolen data and withdrawing a $1 million ransom demand.
What's happening with the Optus data breach? What we know about the alleged hacker's ransom, data release and apology
What we know after a forum user claiming to have the details of Optus customers threatened to release 10,000 records unless a ransom is paid, only to then claim "we don't care anymore".
Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office
Optus CEO says federal police are ‘all over’ post with ultimatum demanding $1m within four days after massive data breach
One place to find news on any topic, from hundreds of sites.
Child’s play? Damning verdict on ‘trivial’ Optus hack
Optus is under fire for lacklustre cyber security and failing to disclose key details about the hack to consumers.