Optus Hack: ASIC Warns Market Intermediaries against Possible 'Fraud'
- Personal details of up to 10 million Optus customers were stolen.
- Interestingly, the hacker assured deletion of the compromised data.
The Australian Securities & Investments Commission (ASIC) sent a warning email to Australian financial market intermediaries, including brokers, about the risks of possible “identity theft and fraud” amid the Optus data breach.
A copy of the email seen by Finance Magnates asked the market intermediaries to be “extra vigilant in verifying and managing customers’ personal information.”
Finance Magnates also reached out to multiple brokers to ask about their preparedness following the ASIC warning. However, at least one broker confirmed that it did not receive ASIC’s email.
A Massive Data Breach
Optus is the second-largest telecom service provider in Australia. The company created a stir in the country earlier this week after revealing that the personal data of up to 10 million customers, including home addresses, drivers' licenses and passport numbers, was compromised.
It was the largest data breach by scale in Australia.
This wasn’t a 'hack'. Optus literally left the door wide open. The perp simply used a connection that wasn’t password protected to download the data.
— 𝗝𝗮𝘀𝗼𝗻 𝗝𝗼𝗿𝗱𝗮𝗻 (@jasonjordan) September 27, 2022
THAT’S a bigger story than a hack.
Optus are culpable because the data was exposed and unprotected.
It wasn’t hacked.
The hacker initially asked for $1 million as ransom from the company and threatened to publish the data of 10,000 Optus customers every day until the money was received. However, an anonymous online account claiming to be the hacker recently dropped the ransom demand and has offered assurances of the deletion of the compromised data.
“At this stage, it appears that the data breach is limited to retail customers (and potentially small businesses) while enterprise accounts do not appear to be impacted,” ASIC’s email stated.

“The email from ASIC is very prudent given the scale of the Optus data breach,” Sophie Gerber, the Founder and Co-CEO of TRAction told Finance Magnates. “Although it has been sent to a subset of AFSL holders, really it applies equally to all businesses that deal with Australians regardless of whether they are in financial services.”
“Although it has been claimed that the hacked data has now been deleted, there is no doubt a level of skepticism given the nature of the party involved.”
Indeed, Optus also agreed to bear the multimillion-dollar cost of changing the driver’s license number of Australians affected by the data breach.
Earlier, ASIC clarified that it expects all regulated market participants to “address cyber risk as part of their AFS license obligations.” However, the regulator does not recommend any technical standards or expert guidance as a part of the Australian Financial Services license requirements.
“ASIC has issued quite a number of media releases about cybersecurity and combined with the RI Advice, they show the level of scrutiny being applied to these issues. AFSL holders should be taking active steps to actively manage their cybersecurity and identity verification processes, staying on top of all developments and adapting accordingly,” Gerber added.