Australian telecommunications firm Optus is warning current and former customers that their personal details were exposed after it suffered a major data breach.
“Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses and for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers,” the company says in a data breach notification issued Thursday. “Payment detail and account passwords have not been compromised.”
Optus has more than 10.2 million customers, according to publicly available data, and is Australia’s second largest telecommunications company, providing landlines, mobile connectivity, internet and cable access, leased lines and more. It is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group.
The company’s data breach notification doesn’t detail when the breach began, when and how it was discovered, whether there are any indications of who might have perpetrated the attack, or how many current and former customers were affected. Optus didn’t immediately respond to a request for comment.
But when asked Thursday how many current and former customers might be affected, Optus CEO Kelly Bayer Rosmarin told Australian broadcaster ABC: “It’s just too early for us to give specific numbers. It is a significant number and we want to be absolutely sure when we come out and say how many.”
Optus Alert: Beware Fraud
Rosmarin says in a statement that the company is issuing the breach notification now to alert customers to watch for signs of fraud (see: Data Breach Notifications: What’s Optimal Timing?).
“While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance,” she says. “We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organizations.”
The company says it’s being assisted by the Australian Cyber Security Center, and has notified the Australian Federal Police, the Office of the Australian Information Commissioner and regulators about the breach. Banks have also been notified, it says, so they can watch for suspicious activity. “While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” it says.
The company says that “for customers believed to have heightened risk,” it plans to offer “proactive personal notifications” as well as “expert third-party monitoring services.” It gave no timeline for when it expects to determine who is at heightened risk or when it might offer them.
Optus says none of its services – including mobile and consumer internet – were disrupted by the data breach, and that attackers do not appear to have compromised either landline or mobile calls.
But given the risk posed by phishing attacks to individuals whose names, email addresses and phone numbers were exposed, the company is warning all current and former customers: “Optus will not be sending links in any emails or SMS messages.”