
Teen charged with attempting to blackmail Optus customers using stolen data

The Australian federal police have charged a man who allegedly threatened to sell Optus customers’ details if they did not pay $2,000. Photograph: Brendon Thorne/Getty Images

A 19-year-old Sydney man has been arrested and charged over allegedly attempting to blackmail Optus customers through an SMS scam.

It comes as the Albanese government has said it will amend regulations so telcos can temporarily share details of identification documents, such as Medicare and passport numbers, with financial institutions after a data breach to help banks better protect their customers.

Last week, after an alleged attacker posted the records of 10,200 Optus customers on a data breach forum, some customers reported receiving a text message demanding payment of $2,000 into a bank account or their credentials would be “sold and used for fraudulent activity”.

The text provided direct bank account details, and was quickly shut down by the Commonwealth Bank of Australia when notified.

On Thursday, Australian federal police assistant commissioner Justine Gough said a Rockdale man had been charged with using a telecommunications network with the intent to commit a serious offence, and dealing with ID information contrary to the Crimes Act of NSW.

If convicted, he faces up to 10 years in prison.

The AFP said the bank account used in the scam is in the name of a juvenile, and the AFP allege it was being used by the man.

Gough said the text message went out to 93 Optus customers as the man allegedly made his way through the list of customer records that had been released, but none of those contacted paid money into the account.

The investigation was conducted by the AFP’s Operation Guardian, which is seeking to protect the thousands who had their records posted online last week.

“We made it absolutely clear that there would be no tolerance for the criminal use of this stolen data,” Gough said.

“We understand how worried some members of the community are and I wanted to give the community reassurance that the AFP and our partners are working around the clock to help protect your personal information.”

She said it was the first arrest related to Operation Guardian. Despite the original poster of the data deleting the records after dropping their ransom threat against Optus, Gough said AFP officers continue to scour online forums and attempt to identify others who are attempting to gain access to the records and to commit identity fraud.

Gough said she did not believe it would be the last arrest arising from the operation.

Earlier on Thursday, the communications minister, Michelle Rowland, said current regulations governing telcos had prevented Optus from quickly sharing the details of data breach victims with banks.

Changing regulations to make data sharing easier has raised the eyebrows of some privacy experts, but Rowland said the government had “carefully balanced their privacy concerns” with the need to keep Australians safe from identity theft.

“This is a large job and I think, ultimately, this is about getting the balance right between what those sectors actually need and how consumers are protected,” Rowland said.

The treasurer, Jim Chalmers, said only institutions governed by the Australian Prudential Regulation Authority would be eligible to receive the data, which would not include personal information such as names or addresses. Foreign bank branches would not be eligible.

Banks would only be allowed to use the data for the purpose of preventing or responding to fraud and would have to delete the data once it was no longer required, Chalmers said.

The changes were being made in addition to other data collection reforms and updates to the Privacy Act, Rowland said. She added that telcos had “very specific reasons” to collect certain data on an ongoing basis, such as prepaid mobile phones being used to commit crimes.

Privacy consultant Anna Johnston, from Salinger Privacy, said it was “counterintuitive” to introduce more data-sharing practices after a breach.

“Why should we believe all those institutions would be any better at storing or handling that data than Optus was?” she said.
