An Optus executive has struggled through an this morning, appearing unable to answer a number of questions about the cyber attack and why there are still customers that haven’t been interviewed.
Up to 9.8 million past and present Optus customers are at risk of having their personal data stolen after the telco was the subject of a massive security breach last week.
The attack resulted in Australians having their names, emails, phone numbers, date of births, addresses and in some cases even drivers’ license and passport numbers exposed.
The fallout from the breach has been monumental, with many furious customers the way the company has handled the situation.
Now, a bid to be “informative and transparent” with customers about the situation has resulted in a very bizarre interview for one Optus representative.
Optus director of corporate regulatory affairs and public affairs Sally Oelerich spoke to 2GB’s Chris Smith on Monday morning, appearing to struggle to answer his questions throughout the interview.
RELATED: What to do if you are affected by the Optus cyber attack
“I’m on here. I’m really trying to be informative and transparent for your listeners,” Ms Oelerich said.
“However, a big however, this is under investigation by the Australian Federal Police. There’s a criminal behind all of this who has attacked Australians, including me, my driver’s license has been compromised.”
Smith asked Ms Oelerich to confirm exactly how extensive the Optus data leak was, noting a person claiming to be a hacker has claimed to be in possession of important data of about 11.2 million Optus customers.
Cyber security researcher and writer Jeremy Kirk claims to have been in contact with the hacker and believes the person is “the real deal”.
Ms Oelerich did not confirm whether the 11.2 million number was accurate, though she did say she was “aware” of Mr Kirk’s claims about the hacker.
She said no one has “picked up the phone to call us” to make the claims the hacker has done online.
“I cannot actually validate whether that’s even legitimate. And part of that is part of that is you know, again, it’s under investigation,” she said.
Smith then pointed out that Mr Kirk said the sample dataset provided by the hacker aligned with the breach and indicated they may indeed be the person behind the attack.
“He thinks this hacker who claims to … have all this data is actually legitimate,” the radio host said.
There was a long pause before Ms Oelerich asked, “Sorry, um, was there a question?”
“Does it seem to you that this hacker is legitimate?” he asked.
“Well, to me personally or to me as Optus?” she responded.
Smith then said Ms Oelerich had seen what has been posted online and, once again, pointed out Mr Kirk had traced some of the data provided back to Optus customers.
“Yes. That’s what Jeremy has been reporting,” she said, before avoiding the previous question and instead talking about how she has been compromised as well and was trying to do everything she had been advised in order to protect Optus customers.
When asked if Optus had informed all impacted customers that their data had potentially been breached, Ms Oelerich confidently said yes.
“At this point, anyone whose most sensitive information has been compromised, such as the driver’s license and passport member, we have reached out to them via the information that we have for them,” she said.
Optus customer, Casey Robinson, was then brought on the air and revealed her husband’s data had been breached.
New loan accounts had been opened up in his name using his license and his 2022 tax return had been lodged.
Ms Robinson said the problems began on September 12 when they believe his phone number became compromised.
She confirmed they had never received an email from Optus informing them of the breach, instead they had to contact the telco themselves.
“Sally, why hasn’t Casey got an email from Optus? You said you’ve contacted everyone who you’ve thought had had their data compromised,” Smith said.
“As a result of this attack,” Ms Oelerich responded, prompting Smith to question whether she was suggesting this situation was not related to the recent cyber attack.
“I don’t … I don’t,” Ms Oelerich said, before apologizing to Ms Robinson on behalf of Optus and saying it is “not something I would wish on my worst enemy”.
Smith cut in, pointing out Ms Robinson has been dealing with this for a while and suggesting it could be linked to the hack.
“What I can tell you Chris, is that for customers who had their data compromised because of this attack, we have now informed them,” Ms Oelerich said.
“You haven’t informed Casey Robinson,” Smith pointed out.
“I don’t believe well, I don’t know Casey’s individual or that of her partner who is said to be, before this circumstances,” the Optus representative said she would personally follow up with her regarding this issue.
Furious customers lash out at Optus response
This interview with many customers have been complaining about the treatment they have received from Optus in the wake of the attack.
In one case, Optus refused to compensate a customer for running a $15 credit check and in another, a young mum has discovered that she is unable to change her mobile phone number to better protect herself without copping a fee of about $1000 to switch providers.
James*, who preferred to stay anonymous, learned he had been impacted by the data breach and raced to protect his identity and his money.
But the Sydneysider, 35, said the response he received from Optus was “despicable” after being “forced to set up” an identify theft monitoring account via credit checking agency Equifax, which costs $15 per month.
But when he requested that Optus cover the cost, a worker told him he wasn’t entitled to any compensation.
“It’s a pretty despicable act as a company to allow for a breach to occur and then refuse to assist customers protect themselves when they exposed those customers to the risk,” he told news.com.au.
Olivia*, who also preferred to stay anonymous, from Launceston, said Optus assured her she had not been impacted by the attack when she called after hearing about the breach.
However, a day later she received a concerning email showing this was not the case.
She arranged to change as many of her personal details as possible, but when it came to changing her phone number she said Optus made it so difficult that she wanted to switch telco providers to Telstra.
However, this would mean having to fork out $1000 to Optus in cancellation fees and to pay off a phone.
Olivia has lodged a complaint with the telecommunications ombudsman.
Optus CEO’s tearful apology after cyber attack
Optus chief executive officer Kelly Bayer Rosmarin said soon as the telco learned of the hack it took action to stop it and launched an investigation.
Speaking to reporters on Friday, Ms Rosmarin apologised to customers.
She said she was “devastated” by the attack, which compromised information including names, dates of birth, addresses, phone numbers and in some cases passport or driver’s license numbers.
Ms Rosmarin said Optus believed the number of people who had data stolen was substantially lower than its “worst case scenario” of 9.8 million.
The amount of data stolen and the reason for the attack is not yet known, with the Australian Cyber Security Center and the Australian Federal Police investigating.
An Optus spokeswoman on Saturday said Optus is contacting all customers to notify them of the cyber attack’s impact on their personal details.
“We will begin with customers whose ID document number may have been compromised, all of whom will be notified today,” she said.
“We will notify customers who had no impacts last.”
She added Optus would not be sending links in SMS or emails.
“If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus,” she said.
“Please do not click on any links.
“We have been advised that our announcement of the attack is likely to trigger a number of claims and scams from criminals seeking to benefit financially, including through: phishing scams via calls, emails and SMS and offering illegitimate customer details for sale.
“Once again, we apologise.”
Optus customers who may have had their data stolen are urgent to:
• Be careful of possible scam calls;
• Consider strengthening password and other online security measures; and
• Be on the lookout for more information from Optus in the coming days
How do I know if I am at risk?
Customers who have been affected will be contacted by Optus in the coming days.
Customers who believe their data may have been compromised, or who have specific concerns, were asked to contact Optus through the My Optus App (the company said this is the safest way to interact with Optus), or by calling 133 937.
Optus said it would not send links in any emails or SMS messages.
What should I do to protect my details?
Customers have been advised to change their online account passwords and enable multifactor authentication for banking.
They are also being advised to place limits on withdrawals for their banking.
“It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm,” Scamwatch said in a statement.
“Scammers may use your personal information to contact you by phone, text or email.
“Never click on links or provide personal or financial information to someone who contacts you out of the blue.”
Originally published as Optus executive’s awkward radio interview amid hacking backlash