Australian Internet Provider 'Optus' Exposed Customer Data via API: Includes 4.2M Users' Passport and Driver’s License Numbers

A "senior figure" inside Optus said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."

Australian Internet Provider 'Optus' Exposed Customer Data via API: Includes 4.2M Users' Passport and Driver’s License Numbers
  • The Australian Government requires internet providers to collect personal information of all users.
  • In total, 11.2 million sensitive customer records were compromised.
  • Early Saturday, a person going by the nickname "Optusdata" published two samples of the purported stolen data on a well-known data leak forum. The attacker writes that Optus can prevent the sale of the data to other cybercriminals if it pays $1 million in the Monero cryptocurrency.
  • Optusdata writes that Optus has one week to pay, otherwise the data will be available for sale in parcels.
  • The two released data samples contain around 100 records and include data fields such as name, email address, physical address, passport number, driver's license number, birthdate, whether a person owns their home or not, and more. The data covers current and former Optus customers.
  • The ABC quoted a "senior figure" inside Optus who said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
  • Optusdata wrote in a message: "No authenticate needed. That is bad access control. All open to internet for any one to use."

https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142
archive: https://archive.ph/A6S6I