Australian Internet Provider 'Optus' Exposed Customer Data via API: Includes 4.2M Users' Passport and Driver’s License Numbers
A "senior figure" inside Optus said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
- The Australian Government requires internet providers to collect personal information of all users.
- In total, 11.2 million sensitive customer records were compromised.
- Early Saturday, a person going by the nickname "Optusdata" published two samples of the purported stolen data on a well-known data leak forum. The attacker writes that Optus can prevent the sale of the data to other cybercriminals if it pays $1 million in the Monero cryptocurrency.
- Optusdata writes that Optus has one week to pay; otherwise, the data will be available for sale in parcels.
- The two released data samples contain around 100 records and include data fields such as name, email address, physical address, passport number, driver's license number, birthdate, whether a person owns their home or not, and more. The data covers current and former Optus customers.
- The ABC quoted a "senior figure" inside Optus who said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
- Optusdata wrote in a message: "No authenticate needed. That is bad access control. All open to internet for any one to use."