Optus Hacker Backflips - What Do We Reckon Is The Real Story?

Hot off the press. Our good mate “optusdata” has decided to completely backflip on his plans to hold Optus ransom for 👉😐 ONE MILLION DOLLARS in exchange for not selling all their user details on the digital black market. “Too many eyes” he says, “Australia will see no gain in fraud”, in an apparent change of heart. At least on the surface. But something seems a little off about it all, what do we reckon is REALLY going on?

Poll Options expired

  • 61
    Script kiddie realised he forgot to switch on his VPN while scraping
  • 74
    Paranoia of being busted by the feds got to him
  • 492
    He got his ransom after all plus a little hush money from Optus
  • 9
    He’s telling the truth and genuinely had a change of heart


Comments

  • +42

    Bikies.

    • +3

      realised Optus is so cheap on security, they wouldn't pay any ransoms either. Gov had to step in.

  • +35

    Optus paid fast, that's a first.

    • More like government, media, and public absolutely thrashed Optus's reputation, forcing Optus to pay ransom, maybe take a loan from government to pay a negotiated amount

      • +19

        Why would Optus need a loan for $1.5m? They're a major national telco with millions of customers, they have that kind of cashflow.

        It would be significantly cheaper than the cost overruns on most IT projects.

        • +9

          They might need a loan when the authorities in Europe come knocking for GDPR breaches.
          4% of profit as a fine. And it doesn't matter if you operate in Europe or not. All that is needed is one European passport to be in the breach.

          • +7

            @Lord Fart Bucket: Can you provide an example when a company with no presence in Europe got a big fine under GDPR?

            • +3

              @verio: Clearview AI

              The fact that they issue Amazon a €746 million fine shows that they do take data security a bit more seriously than others.

            • @verio: Any European student who gets a prepaid service before having an Australian ID card.

          • +1

            @Lord Fart Bucket: I was specifically referring to the payment of the ransom.

            Did Optus accept non Australian passports as valid identification documents?

            • +3

              @Domingo: Think international visitors, international students, migrants. They don't have a driver's licence that is accepted as ID or a Medicare card.
              Not everyone that is in Australia is a citizen. Permanent residents hold other types of ID.

            • +1

              @Domingo: For all prepaid service, if no Australian ID, you must show your foreign passport

              • @JeremRrss: Cool, good to know, thanks - I've gotten a few overseas SIMs but never have gone through the experience of getting one as a visitor to Australia

          • +1

            @Lord Fart Bucket: I don't even think it needs to contain a European passport, I think it is just 1 person who has European citizenship.

          • @Lord Fart Bucket: Australia is so far behind Europe on data privacy laws.

            • @Stromae: Australia is so far behind everywhere on everything

        • +1

          Still cheaper than the CEO salary lol

  • +3

    cue whining from 'sensitive' users about your source being dailymail

    so…. one of our biggest telcos got owned by 'something potentially a highschool kid could've pulled off,'…unfrickinbelievable

    • +6

      It was pretty obvious from the start that this was not a "sophisticated operation run by non-state actors" as the Optus CEO ridiculously tried to claim. The kid was/is a complete amateur.

      Professional ransomware people do not publicise their feats - the only place they post random data for verification is direct to the CEO or CIO of the corporation. The whole point is to be able to say to them "for a really modest fee you can make this whole thing go away today, keep your shareholders happy and keep your job. No one will ever know", which is not possible if the thing is widely known. Hell, they would try and make sure even the IT security teams didn't know about it until after the money is paid.

      That's why we don't know how widespread or successful ransomware raids are - only those who DIDN'T pay up acknowledge them.

  • +16

    How do they know it's really the hacker?

    • +19

      Well to be fair, I did have a moment thinking it was you or MSPaint..

    • +6

      their username checks out?

    • Someone looked at sample data, compared to pwned database (some were not 100%), called those on list and all of them are Optus customers.

    • It's a good question actually. Apparently one of the lads that was tracking it can vouch for the fact that the same poster that made the original leak post on BF was the same one that made the update.

      Of course, we'd never really know. It could, of course, always be the case that the original hacker had their hacker forum account, y'know, hijacked to remove the original thread and post a fake update. You know, like someone else somehow bypassing security and making their way into the hacker's account through underhanded means. I'm sure that sort of thing never happens on BF though, they're not the type of people who do stuff like that.

    • How do you know they're the only people who had access to the data?

  • +5

    on his plans to hold Optus ransom for
    👉😐 ONE MILLION DOLLARS

    https://www.youtube.com/watch?v=M63C14437rQ&t=11s

    • +4

      One billion gagillion fafillion shabadabalo shabadamillion shabaling shabalomillion… yen

      • +3

        Should've taken morbillion dollars instead.

  • +2

    Singtel paid up is my guess.

    • +3

      I'm surprised not many if any mentioned this. Optus is owned by Singtel, one large comms corp in Singapore.
      Surely they would have paid to ease the tension and possible backlash.

      • +5

        And so they would have if the stupid hacker wasn't so stupid as to publicise it all. Once the hack is public knowledge Singtel couldn't pay up and have it all hushed up. The hacker shot themselves in the foot.

  • +12

    'yes'
    (I'm just a Telco that can't say no) lol

    • +4

      10.200

      Looks like the hacker is from overseas since they use a period for the thousands separator

      • +11

        did their use of the English language not give that away?

        • +28

          I have encountered plenty of people from Australia with bad English grammar haven't you?

          Number formatting is different altogether.

        • If I were the hacker that is roughly how I'd have written it out so it looks like I didn't know English. And using a full stop instead of a comma seems to be a good idea as well for the same reason - would point me to being potentially elsewhere.

      • +3

        Do you mean "full stop"?

        • +1

          When proof reading print, saying period is easier than full stop.

      • +5

        They used Optus text to speech

    • +28

      The mistakes in this message are not the mistakes a person would make who doesn't speak English well. They are the mistakes a person who does speak English well would make to pretend they are not a native English speaker. They are only in wrong choice of words that sound the same or similar, not in the construction of the sentences. These are the sorts of mistakes that someone who only speaks English thinks someone who doesn't speak it well would make.

      And the sentence "deepest apologies to Optus" definitely says something. Though I'm not sure what. We're going to find that out if/when they identify him. Why would a hacker offer his deepest apologies?

      • +7

        Why would a hacker offer his deepest apologies?

        Because Optus told him to say that when they paid 150% of the asking price for the ransom, and the hacker doesn't care about the ego of their pseudonym so figured why not?

        • +1

          Exactly, money talks. He got what he wanted, doesn't matter saying sorry. He even said no ways of reporting in the first place if there was a way to do that he would, that's going a far more extent why he went this way in the first place scraping the data

    • +2

      https://indaily.com.au/news/2022/09/27/hackers-release-custo…

      I know it makes me sound like an amateur but does anyone here know how to find that released data..? I am concerned my data might be amongst one of those 10,000 data files that have been released.

      I did try searching it on my pc in a dark room but apparently that's not how you get on the darkweb.
      So…, anyone ?

  • +13

    Inside job

    • +19

      Agree with this.

      Someone at Optus probably told their mate “Optus infosec/cybersecurity practices are so weak lmao they have a public facing API!” Optus investigated who works in the team and probably found a grad who seemed dodgy. In exchange for not ruining the grad’s reputation by making their identity public they’ve decided to make a deal, delete the data and no one will know who did it.

      Hell, maybe there wasn’t even a mate.

      • +2

        Everyone who worked in the industry knew this as far back as 2003.

        • +3

          If that’s true, why did no-one do anything about it until 2022?

          • @Meconium: Cause no one at Optus cared to do anything.

            • @garetz: Until it's exploited nobody really cares. When it hits hard and gets the publicity it deserves companies won't do jack.

    • +15

      I used to work in the IT team at one of the public health services in Victoria, 2 months after I had resigned I checked if I still had remote access to the systems. And sure enough nobody disabled my account. 2 months after I had resigned I still had access from the comfort of my home to almost all the systems and patient records and databases. If I was a sinister person the damage I could have done, and they would have reported it as a “hack” when in reality it was incompetence on their part. So yes….always an inside job.

      • +2

        Security is hard. And there's not much incentive for companies to get it right cause there's no visible benefit until something goes wrong.

        I used to work at a contracting company and had VPN access to heaps of clients - ranging from councils, unis, mining companies, etc. The company's practice for storing passwords was in a plain text file. But the main issue is similar to your situation. When an employee leaves, you can bet that all the different clients won't suddenly all change their VPN credentials at once.

  • +3

    Is Optus good enough to pay money to the hacker?

    Is it tax deductible?

    • +1

      Even if they did, they’ll probably get their insurance to cover it.
      And then their insurer would get the rest of us to cover it aka higher premiums.

      • Don’t think they would have got cyber insurance considering their cyber security posture. If they did, they may not get coverage anymore.

        • You can always get insurance, it's just a matter of how much you pay for it.

    • +5

      Is it tax deductible?

      Only if they get a receipt with a valid ABN.

      • +4

        I think you mean tax invoice.

        • +1

          A tax invoice becomes a receipt after payment.

          • @jv: Sure. So does a verbal "Thank you very much" for all that's worth.

          • +3

            @jv: Which doesn't allow for deductibility, it's a valid tax invoice which does

          • @jv: Receipt doesn't mean anything for tax purposes, it's all about the tax invoice (or recipient created tax invoice).

    • +1

      Sounds like a PR business expense to pay it. Pretty small percentage of their marketing budget.

    • When I and so many individuals got scammed in many different ways we couldn't recover money from ATO, so why should Optus be allowed to?

  • +4

    👉😐 ONE MILLION DOLLARS (youtu.be)

    or sharks with fricken laser beams attached to their heads

  • +1

    How do we know if we were in the 10,000 users he/she published today..?

  • +7

    They got paid off. Good. a) these companies have insurance b) it's worth $1.5m c) these companies should be 100% responsible for protection of data within their business model. This push it off to the consumer rubbish has got to stop. Our laws are cr@p!

    • +2

      Since about 3 years ago no corporate cybersecurity insurance includes ransom in the cover. But $1.5 m is nothing to Optus…

      • Ransom and extortion are still covered. It’s certainly harder to get these days, but it still exists in cyber insurance.

  • +24

    Paid off but hopefully the CEO gets shitcanned. She has been shown to be not only incompetent, but irresponsibly stupid as well.

    • +3

      For me it's just as much the lack of contrition and ownership that's the problem. Her actions in the aftermath have been pretty poor

    • +4

      Gladys might take over

    • +3

      Really the CIO should get the can first.

      Also, don't forget to riot if ANY executive gets a bonus this year.

  • +6

    No way in hell Optus paid

    • +2

      why pay a ransom when the CEO could have that money

      • +1

        Honestly, I prefer the hacker gets the money. Then I'll know it's going to someone more ethical and who is a hard worker. Hopefully this gets their family out of poverty.

    • +6

      Exactly. No way Optus would pay a cent. Damage to them is already done and will be soon forgotten. Potential damage to clients, they DGAF. There's literally no upside to paying.

      • +1

        There is plenty of upside. Even the 10k records had plenty of important people in high up places in it. If the full leak ever does surface there's going to be a lot of pissed off powerful people, even more so if their identity gets stolen.

        Paying the ransom gives them a chance (actually a pretty reasonable one imo) that that never happens.

        • That's an upside for the victims, not Optus.

          • +1

            @apsilon: It's one thing for a breach to be reported, it's another for the data to be actually shared around and identity theft actually occurring.

            Powerful people being less pissed off at Optus is an upside for Optus.
