A 19-year-old Sydney man has been arrested and charged over allegedly attempting to blackmail Optus customers through an SMS scam.
It comes as the Albanese government has said it will amend regulations so telcos can temporarily share details of identification documents, such as Medicare and passport numbers, with financial institutions after a data breach to help banks better protect their customers.
Last week, after an alleged attacker posted the records of 10,200 records of Optus customers on a data breach forum, some customers reported receiving a text message demanding payment of $2,000 into a bank account or their credentials would be “sold and used for fraudulent activity”.
The text provided direct bank account details, and was quickly shut down by the Commonwealth Bank of Australia when notified.
On Thursday, Australian federal police assistant commissioner Justine Gough said a Rockdale man had been charged with using a telecommunications network with the intent to commit a serious offence, and dealing with ID information contrary to the Crimes Act of NSW.
If convicted, he faces up to 10 years in prison.
The AFP said the bank account used in the scam is in the name of a juvenile, and the AFP allege it was being used by the man.
Gough said the text message went out to 93 Optus customers as the man allegedly made his way through the list of customer records that had been released, but none of those contacted paid money into the account.
The investigation was conducted by the AFP’s Operation Guardian, which is seeking to protect the thousands who had their records posted online last week.
“We made it absolutely clear that there would be no tolerance for the criminal use of this stolen data,” Gough said.
“We understand how worried some members of the community are and I wanted to give the community reassurance that the AFP and our partners are working around the clock to help protect your personal information.”
She said it was the first arrest related to Operation Guardian. Despite the original poster of the data deleting the records after dropping their ransom threat against Optus, Gough said AFP officers continue to scour online forums and attempt to identify others who are attempting to gain access to the records and to commit identity fraud.
Gough said she did not believe it would be the last arrest arising from the operation.
Earlier on Thursday, the communications minister, Michelle Rowland, said current regulations governing telcos had prevented Optus from quickly sharing the details of data breach victims with banks.
Changing regulations to make data sharing easier has raised the eyebrows of some privacy experts, but Rowland said the government had “carefully balanced their privacy concerns” with the need to keep Australians safe from identity theft.
“This is a large job and I think, ultimately, this is about getting the balance right between what those sectors actually need and how consumers are protected,” Rowland said.
The treasurer, Jim Chalmers, said only institutions governed by the Australian Prudential Regulation Authority would be eligible to receive the data, which would not include personal information such as names or addresses. Foreign bank branches would not be eligible.
Banks would only be allowed to use the data for the purpose of preventing or responding to fraud and would have to delete the data once it was no longer required, Chalmers said.
The changes were being made in addition to other data collection reforms and updates to the Privacy Act, Rowland said. She added that telcos had “very specific reasons” to collect certain data on an ongoing basis, such as prepaid mobile phones being used to commit crimes.
Privacy consultant Anna Johnston, from Salinger Privacy, said it was “counterintuitive” to introduce more data-sharing practices after a breach.
“Why should we believe all those institutions would be any better at storing or handling that data than Optus was?” she said.
