Optus data breach: Small business customers likely exposed to major cybersecurity attack

A massive cyberattack potentially exposing the personal data of millions of Optus customers has highlighted the vulnerability of Australia’s small business community to hackers, industry observers say.

On Thursday, Optus, Australia’s second-largest telco, revealed it had fallen victim to a major cyberattack that exposed sensitive information to unauthorised parties.

“The information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers,” the company said in a statement.

Messages, voice calls, and customer account details, including billing information and passwords, were not compromised in the attack, Optus added.

In a Friday press conference, Optus CEO Kelly Bayer Rosmarin said the “absolute worst case scenario” is that as many as 9.8 million customers were affected, but the company expects the final figure to be lower.

The company said it immediately closed the vulnerability once it was discovered and has launched an investigation into its source: an IP address that appeared to move across Europe during the attack.

“It is too early to determine if the hack was perpetrated by cybercriminals or state-based hackers,” Rosmarin said.

“We don’t yet know who these hackers are or what they want to do with this information,” she said.

Optus is now working with the Australian Federal Police, the Australian Cyber Security Centre, and the Australian Information Commissioner as it chases the source of the attack and works to minimise its fallout.

Small businesses in the crossfire

While Optus confirmed the cyberattack did not reach any enterprise customers customer information, Rosemarin said small business clients, whose personal and business accounts could be one and the same, could be affected.

The cyberattack should serve as something of a wake-up call to Australian small businesses, said Skye Theodorou, co-founder of insurance startup upcover, and a former cybersecurity advisor to the NSW Small Business Commissioner.

“This is really something for business owners and individuals, but business owners particularly, to take very seriously,” she told SmartCompany.

If worst comes to worst, those with access to personal information linked to those Optus accounts could sell those details on the dark web, potentially allowing other criminals to impersonate business owners.

“What that means is that now and into the future, these credentials … can be used by individuals to try and perpetrate identity theft and fraud against you,” she said.

The telco is proactively contacting its most at-risk customers, but Theodorou said customers could consider changing passwords and login details for accounts using the same email address tied to their Optus account.

While Optus has not indicated that any payment details were accessed, Theodorou said the most concerned small business clients could consider imposing online transaction limits on their bank accounts to ward off fraudulent transfers.

For her part, Rosemarin said reducing the cyberattack’s impact on small business clients and individuals alike will require a more holistic approach.

“We don’t have a simple message… just be vigilant,” she said, calling on customers to be “alert to any activity that seems odd or suspicious or out of the ordinary”.