Emsisoft security researcher Brett Callow pointed out in a tweet that the account stated, "No sale will be made for 1 week until Optus reply".
He said this implied it could be a case of attempted extortion. iTWire has sought a reaction from Optus about this. The Optus breach was made public on Thursday.
A second account is now selling what's claimed to be #Optus data, and has linked to a paste with 100 sample records. The account states, "No sale will be made for 1 week until Optus reply" implying that this is a case of attempted extortion. pic.twitter.com/pU2iUiSQ5b
— Brett Callow (@BrettCallow) September 23, 2022
The post claims this data is from 11.2 million users and is demanding a million dollars from the company for the sale to be cancelled.
A media conference by Optus chief executive Kelly Bayer Rosmarin on Friday did not offer any new information about the data breach.
Bayer Rosmarin claimed the attack was "sophisticated", but that is a claim made by every company that suffers a data breach.
In a post dated the 17th, names and email addresses allegedly associated with 1.1 million #Optus mobile numbers were put up for sale. pic.twitter.com/AkUgrFCFes
— Brett Callow (@BrettCallow) September 22, 2022
The first lot of data was advertised in a post dated 17 September, which offered 1.1 million Optus mobile numbers and asked those interested to contact a given Telegram account.
Meanwhile, encryption software firm Senetas has questioned whether the pilfered data was encrypted.
Senetas chief executive Andrew Wilson said: "The critical question that must be answered by Optus [is] - was the data encrypted? If not, why not?
Update from the site owner. #Optus https://t.co/tZkVXgI5pR pic.twitter.com/DMKCYf0pqU
— Brett Callow (@BrettCallow) September 23, 2022
"If this is strongly encrypted sensitive data, as it should be, then Optus customers do not need to be alarmed. They likely have years to change their passports and other identity documents before the attackers can read and use what they’ve stolen. If it isn't, customers need to get onto that process today. That's quite a difference!
"Further statements from Optus that this was a very 'sophisticated' attack are unsatisfactory. Very sophisticated and increasingly malicious attacks are common. That's why 'data protection' is essential today - and that's encryption. It is the last line of defence. Whether the stolen data is encrypted or not should be in the first communication about a successful breach. It is concerning that this vital bit of information is missing so far.
"Many have questioned whether the prevention systems like those used by Optus are sufficient, or if the company under-invested in its cyber security and this is the inevitable result. This is unlikely. No cyber-attack prevention system is bullet-proof.
"The focus should instead be on regulation - we need comprehensive federal cyber security legislation that punishes companies and government agencies that fail to encrypt sensitive data. Not every company can afford the type of prevention systems Optus has, but the lesson must not be that they shouldn't try or have a last line of defence in place should a breach occur."
Update: Later in the afternoon, Optus advised: "Apologies for the delay. We are co-ordinating with the AFP [Australian Federal Police] because this is now a criminal investigation. On their advice, we can't comment on this."
#Optus. To consolidate the info., somebody is attempting to sell data which they claim relates to 11.2 million Optus customers. They've linked to a paste of 100 records as proof of the data that's on offer. 1/ pic.twitter.com/RT5W8vZW9e
— Brett Callow (@BrettCallow) September 23, 2022