Optus data breach: CEO Kelly Bayer Rosmarin says she takes responsibility
The CEO of Optus says she’ll take full accountability for the data hack that’s left more than 9 million customers exposed. The sophisticated attack has been traced in part to Europe, but the hunt for whoever is responsible is still far from over.
“Safe to say it comes out of various countries in Europe.”
“Without saying too much, the IP address kept moving; it’s a sophisticated attack,” she said.
She said it is too early for Optus to know whether the attack was launched by a state-based actor or cyber criminals, but confirmed that the Australian Federal Police is investigating.
In response to criticism that customers have not yet had direct contact, she explained that after learning of the breach on Wednesday, it was decided “to put a call out to all of our customers to be on alert in the best way that we can” via media organisations.
Breached customer data could date back as far as 2017.
However, Bayer Rosmarin said Optus has reason to believe the attack affected far fewer than 9.8 million customers. Emsisoft threat analyst Brett Callow posted on Twitter that he had seen 1.1 million records purportedly from Optus offered for sale as far back as September 17th.
“I want to make it clear that 9.8 million is the absolute worst case scenario,” she said.
“We have reason to believe that the number is actually smaller than that.”
“But we are working through reconstructing exactly what the attackers have received.”
Bayer Rosmarin would not confirm the accuracy or otherwise of Callow’s tweet: “We are still working to validate that that information is relevant and is even Optus data,” she said.
“One of the challenges when you go public with this sort of information is you can have lots of people claiming lots of things.”
“There is nothing that’s been validated and for sale that we’re aware of, but the teams are looking into every possibility.”
Optus said it would prioritise contact with customers who had the largest amount of data exposed.
“Over the next few days, all customers will know in what category they fall.”