Australia's government said Tuesday it was "incredibly concerned" over the reported release of customers' personal data stolen from a telecoms company in one of the largest hacks in the country's history.
Information on up to 9.8 million Australian customers of telecoms provider Optus — more than one-third of the country's population — may have been compromised in the cyberattack, which was revealed last week.
An anonymous poster who claimed to be behind the data breach reportedly released the personal data of more than 10,000 people late on Monday.
In posts to a hacking forum seen by AFP, the purported cybercriminal threatened to release more customer records daily unless a US$1 million ransom was paid by Optus.
But on Tuesday morning, the poster appeared to perform a U-turn.
"Too many eyes. We will not sale data to anyone," said a post written in broken English on the forum, claiming that the only copy of the information hacked from Optus had been deleted.
"Sorry too 10,200 Australian whos data was leaked," the post read.
The Optus breach led to the theft of customers' names, birth dates, phone numbers, addresses, driver's license information, and passport numbers, the company said.
The data released late Monday also reportedly included people's Medicare health service numbers, according to cybersecurity journalist Jeremy Kirk, who said he had independently verified some earlier customer information released by the poster.
Home Affairs Minister Clare O'Neil said she was "incredibly concerned this morning about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom".
O'Neil, who has chastised Optus for failing to better protect its customers, said the government had not been advised that Medicare information formed part of the breach.
"Consumers have a right to know exactly what individual personal information has been compromised," she said.
'Left the window open'
O'Neil has previously dismissed Optus' claims that the breach was a "sophisticated" hack, telling national broadcaster ABC that the company "effectively left the window open".
Australia was about a decade behind on privacy protections and five years behind on cybersecurity, both of which needed to be addressed, she said.
"In other countries… a breach of this scale would result in hundreds of millions of dollars worth of fines," the minister said, while the maximum penalty in Australia was just over Aus$2 million (US$1.3 million).
"So I think there are a few things that we're going to need to look at," she said.
Optus said it could not comment on whether it had been in contact with the poster or paid the ransom when asked by AFP on Tuesday.
"The attack is being investigated by the Australian Federal Police, and they have advised Optus not to provide comment on certain aspects of the investigation," a spokesperson said.
Australia's Federal Police announced an international inter-agency investigation into the breach on Monday, including the hacking forum posts.
Justine Gough, assistant commissioner of Australia's Cyber Command, said the police were aware of reports of stolen data being sold on the internet and were monitoring activities on the "dark web" — areas of the web that enable users to operate anonymously.
"Criminals, who use pseudonyms and anonymizing technology, can't see us but I can tell you that we can see them", Gough added.
