After a cyberattack, the CEO of Optus gives an emotional apology.
After Optus was accused of "failing" its customers, CEO Kelly Bayer Rosmarin wrote an emotional letter of apology to those customers.
Customers were angry with Optus because they found out about the major cyberattack from the news instead of being told directly.
It has now emerged that Optus knew about the breach on Wednesday but did not make an official statement until Thursday afternoon, after The Australian had already published an article about the cyberattack.
Optus said in a statement Thursday afternoon that there had been a data breach. The attack is said to have affected about 9 million people.
In a statement, the telco said, "Information that could have been exposed includes customers' names, dates of birth, phone numbers, email addresses, and, for some customers, addresses and ID document numbers like driver's license or passport numbers."
"Account passwords and payment information have not been stolen."
On Friday morning, Kelly Bayer Rosmarin, the CEO of Optus, said that reports of 9.8 million records being hacked are the "absolute worst case scenario."
She said that what happened was a "sophisticated attack" and that she found out about the breach less than a day before it became public.
Ms. Bayer Rosmarin said, "I found out about it less than 24 hours before we went live to the press."
"It wasn't until late that night that we were able to figure out how big it was. I think that was a call from late at night. By 2 p.m. the next day, we had told everyone and were trying to get everything in order."
When asked how she felt about the data breach at the end of the press conference, Ms. Bayer Rosmarin seemed to get upset.
She looked like she was about to cry as she said, "Of course I'm angry that there are people out there who want to do this to our customers."
"I'm sad that it has taken away from all the good work we've been doing to be a leader in this industry and a real challenger who gives our customers new and wonderful experiences."
Nearly 2.8 million customers had all of their information taken during the attack, and about 7 million had information like their dates of birth, email addresses, and phone numbers taken, according to The Australian.
Andrew Sheridan, Vice President of Regulatory and Public Affairs at Optus, told 2GB's Ben Fordham that he wanted to "directly apologize" to the customers who were affected.
"I think honesty is very important in these kinds of situations," he said on Friday morning.
Fordham then asked why it took Optus so long to say something and why they didn't say anything until after the story was already out.
"I can say for sure that information didn't go from Optus to The Australian, but in terms of using the media..." Mr. Sheridan started to say, but the radio host cut him off.
"But wait, Optus knew about it before The Australian published their story online," Fordham said. "It's not like you read about it in The Australian newspaper."
"Absolutely, Ben, and we were getting ready to send out a press release," Mr. Sheridan said. Fordham then spoke up again and asked when Optus knew about the breach.
"We kind of knew about the breach late Wednesday," he said.
"On Wednesday, you knew about it," Fordham said. "You didn't tell us on Wednesday, you didn't tell us on Thursday morning, and you didn't tell us at lunch on Thursday.
"You didn't say anything until The Australian newspaper put the story all over their website. If you want to protect your customers, why didn't you let them know as soon as you found out about this possible breach?"
Mr. Sheridan said that in these situations, there are "a number of steps" that need to be taken, and he said that Optus had acted "very, very quickly."
Fordham said, "I have to call you out, Andrew. I don't think you've moved at all quickly."
The host of 2GB said that in the past, companies have often told customers right away when there was a risk of a breach.
"You didn't do that," he told them.
When asked if Optus could promise that if this happened again, they would tell customers right away, Mr. Sheridan said he couldn't make that promise.
He said that customers would be told "as soon as it makes sense to do so," so that they would know the truth.
Customers are angry about how Optus handled the situation, and they have taken to social media to slam the company.
"Looks at emails. I haven't heard anything about this from Optus," said Guardian audience editor Dave Earley on Twitter.
"It's terrible that customers are finding out from the news instead of Optus," said someone else on Twitter.
Another person wrote, "It's disgusting that you haven't told anyone about this data hack. You haven't even sent anyone an email about it. I found out about it today from the news. I'm not happy!"
'Can't say anyone is safe': New notice
As the telco continues to recover from the attack, Delia Rickard, Deputy Chair of the Australian Competition and Consumer Commission (ACCC), has issued a new warning.
She told Nine's Today that other telcos could also be at risk of security breaches like this one.
"Cybercrime is big now, and even though most organizations spend a lot of money to protect themselves, you can't say that anyone is 100% safe," Ms. Rickard said.
The breach may have happened because Optus's firewall had a flaw, and it affects both current and former customers.
Ms. Rickard said there are a number of things people can do to protect themselves if they are worried that their personal information may have been shared.
Keeping your information safe can be as easy as turning on two-factor authentication for all of your banking and checking your accounts regularly to see if any strange purchases have been made.
Ms. Rickard also said that people should be aware of any contact from people who might be trying to scam them.
"I think one of the most important things to remember is that if you are contacted by someone you didn't expect, even if they say they are from the government, your bank, or anyone else, you don't know who they are because you aren't in the same room with them," she said.
"Because scammers have so much information about you, they will know your name and your age. They will be able to personalize scams, and we know that when someone calls you and knows your name and a few details, you are much more likely to trust them.
"So I think you should also be very skeptical."
You can also get a free credit reference check every three months to find out if anyone has tried to get a loan in your name.
Ms. Rickard said that everything about this was "very worrying."
The hackers who did the attack are still a mystery.
It is still not clear who was behind the attack on Optus, and officials are still looking for the hackers who did it.
Ms. Bayer Rosmarin said that ransomware demands have not been sent to Optus yet and that the attack is being looked into by the police.
"We're leaving everything up in the air. It could be criminals or people working for the government. We're looking into it together with the government and the Australian Federal Police," she said on Friday morning.
Alastair MacGibbon, who used to be the head of the Australian Cyber Security Centre, thinks that a criminal group is most likely to blame for the breach.
He told Nine's A Current Affair, "They take information and then sell our personal information."
"The fact that Optus came out so fast is actually a big plus for us.
"In terms of cyber crime, this is pretty fast."
Mr. MacGibbon said that organizations sometimes take a week to look into a hack before they even tell the government about it.
Ms. Bayer Rosmarin said that when the telco found out about the attack, it acted right away to prevent any further activity. She also said that the police had been called to help find the source of the attack.
She said, "We're very sorry, and we know that customers will be worried."
"Please know that we are working hard and talking to all the right people and groups to help keep our customers as safe as possible."
Optus has also told the most important financial institutions about this. We don't know of any customers who have been hurt, but we encourage them to be extra careful with their accounts and keep an eye out for strange or fraudulent activity and notifications that seem odd or suspicious.
Optus said that the breach did not affect its services and that they are still safe to use. Messages and voice calls were not affected by the breach.
Optus said it would send "proactive personal notifications" to customers who are at "heightened risk," but it won't send any links in emails or SMS messages.
The phone company told its customers to check its website or call if they had any questions or concerns.
The Australian Federal Police said Thursday that they had been told about the incident but couldn't say anything else.
The situation has been brought to the attention of the federal government. The Australian Cyber Security Centre is giving security advice and technical help.