³Ô¹ÏÍøÕ¾

‘Optus hacker’ claims they’ve deleted data

The Conversation

Shortly after Australian telecommunications company Optus announced the identity data of millions of customers had been stolen, a person claiming to be the hacker announced they would delete the data for US$1 million.

Authors


  • Jennifer J. Williams

    PhD Candidate, Macquarie University


  • Jeffrey Foster

    Associate Professor in Cyber Security Studies, Macquarie University


  • Tamara Watson

    Associate Professor in Psychological Science, Western Sydney University

When Optus didn’t pay, the purported hacker published 10,000 stolen records and threatened to release ten thousand more every day until the ransom deadline. These leaked records contained identity information such as driver’s license, passport and Medicare numbers, as well as .

A few hours after the data drop, the purported hacker and claimed to have deleted the data due to “too many eyes”, suggesting fear of being caught. Optus confirms they .

They’ve said they deleted the data – now what? Is it over?

Communication from the person claiming to be the hacker and the release of 10,200 records have all occurred on a website dedicated to buying and selling stolen data.

The data they released are now easily available and appear to be legitimate data stolen from Optus (their legitimacy has not been verified by Optus or the Australian Federal Police; the FBI in the United States to help the investigation).

The question then is – why would the hacker express remorse and claim to delete the data?

Unfortunately, while the purported hacker did appear to possess the legitimate data, there is no way to verify the deletion. We have to ask: what would the hacker gain from claiming to delete them?

It is likely a copy still remains, and it’s even possible the post is a ploy to convince victims not to worry about their security – to increase the likelihood of successful attacks using the data. There is also no guarantee the data were not already sold to a third party.

What next?

Whatever the motivations of the person claiming to be the hacker, their actions suggest we should continue to expect all records stolen from Optus do remain in malicious hands.

Despite the developments, – you should still be taking proactive action to protect yourself. These actions are good cyber hygiene practices no matter the circumstances.

An extra measure offered recently is , and .

However it is unclear at this early stage whether free options to change these documents will be made to all data breach victims, or only a subset of victims.

Can I find out whether my data were part of the 10,200 leaked records?

Reports of suggest they are already being used.

Troy Hunt, the Australian cyber security professional who maintains – a website you can use to check whether your data are part of a known breach – has announced he will at this stage. So this method will not be available.

The best course of action in this case is to assume your data may have been released until .

Are the released data already being used?

The least technically sophisticated method of targeting Optus customers is to use the details to make direct contact and ask for a ransom. There are reports blackmailers are via text message, claiming to have the data and threatening to post it on the dark web unless the victim pays.

The data have already leaked and claims about deleting the data are untrue. Paying anyone who makes these claims will not increase the security of your information.

Data recovery scams – where scammers target victims offering help to remove their data from the dark web or recover any money lost for a fee – . Instead of helping, they steal money or obtain more information from the victim. Anyone who claims to be able to scrub the data from the dark web is claiming to put toothpaste back in the tube. It isn’t possible.

The data could also be used to identify family members to make the “” or family impersonation scam more convincing. This involves scammers posing as a family member or friend from a new phone number, often using WhatsApp, in need of urgent financial help. Anyone receiving this kind of text message should make every effort to contact their family member or friend by other means.

What else can my data be used for?

The scams involved with these data will only grow in the coming days and weeks and may not be confined to the digital world.

Other possible uses involve activities like attempting to take over valuable online accounts or your SIM card, or setting up new financial services and SIM cards in your name. The advice we provided in applies to these.

Additionally, anyone with reason to be concerned about physical safety if their location is known (for example domestic abuse survivors) should consider the possibility that their names, telephone numbers and address may have leaked or may in the future.

If you have been the victim of fraud or identity theft as a result of this breach or any others, you can contact for additional aid and to report the crime.

The Conversation

The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.

/Courtesy of The Conversation. View in full .