Australian Internet Provider 'Optus' Exposed Customer Data via API: Includes 4.2M Users' Passport and Driver’s License Numbers
A "senior figure" inside Optus said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
The Australian Government requires internet providers to collect personal information of all users.
In total, 11.2 million sensitive customer records were compromised.
Early Saturday, a person going by the nickname "Optusdata" published two samples of the purported stolen data on a well-known data leak forum. The attacker writes that Optus can prevent the sale of the data to other cybercriminals if it pays $1 million in the Monero cryptocurrency.
Optusdata writes that Optus has one week to pay, otherwise the data will be available for sale in parcels.
The two released data samples contain around 100 records and include data fields such as name, email address, physical address, passport number, driver's license number, birthdate, whether a person owns their home or not, and more. The data covers current and former Optus customers.
The ABC quoted a "senior figure" inside Optus who said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
Optusdata wrote in a message: "No authenticate needed. That is bad access control. All open to internet for any one to use."