
Has your data been stolen in the Optus data breach? Here's exactly what to do.

Almost 10 million Aussies have had their personal details compromised following a major cyber attack on Optus last week. 

The attack is currently being investigated by the Australian Federal Police, who are working to identify the people behind the breach and to prevent identity fraud against those affected.

"We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities," said Assistant Commissioner of Cyber Command Justine Gough.

"Criminals, who use pseudonyms and anonymising technology, can't see us but I can tell you that we can see them."

Optus announced they were hit by the attack last Thursday, saying they immediately shut the breach down.

"We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it," Optus CEO, Kelly Bayer Rosmarin, said at the time.

"We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible."

Slater and Gordon Lawyers are investigating whether to launch a class action lawsuit against Optus on behalf of former and current customers.

Class actions senior associate Ben Zocco said the leaked information posed a risk to vulnerable people, including domestic violence survivors and victims of stalking.

Prime Minister Anthony Albanese said the data breach was a "huge wake-up call".

As the government prepares to introduce new cybersecurity measures, Albanese said the new protections would mean banks and other institutions would be informed much faster when a breach happened so personal data could not be used.

As more developments come to light about the attack, here's what you need to know. 

What information may have been accessed? 

Customers' names, dates of birth, phone numbers, email addresses, driver's licence numbers, passport numbers or addresses could have been accessed in the attack, Optus has confirmed. 

However, they have assured customers that payment details and account passwords have not been compromised.

What has the hacker said?

On Tuesday morning, the alleged hacker behind the data breach announced they had reportedly released 10,000 customer records and promised more would follow if Optus did not pay AUD$1.5 million in Monero cryptocurrency. 

In a statement, the hacker, known as "OptusData", said 10,000 records would be released daily until the money is paid.

"Four more days to decide Optus!" they wrote in the statement, which was shared on Twitter by Brett Callow, an employee from New Zealand-based cyber security company Emsisoft.

People in Queensland and South Australia can organise replacement licences free of charge, while the ACT and other jurisdictions are still working through the issue.

Optus also said they will be offering a complimentary 12-month third-party credit and identity monitoring service subscription through their partner, Equifax, for the "most impacted customers". 

If you think your account has been compromised, you can contact Optus through the My Optus App, which they say is the safest way to contact the company, or call 133 937 for consumer customers and 133 343 for business customers.

You can also find the most recent updates from Optus at their media centre.

What is the government doing?

Treasurer Jim Chalmers said the government had been "working around the clock" following the breach and has brought together Treasury, the banks and regulators to address privacy and data retention concerns.

"We'll do our best to resolve these issues as soon as we can as part of a suite of broader efforts," he said.

"We want to... make sure that if there's more that can be done by financial institutions to monitor risks and protect consumers, then that should be done."

Health Minister Mark Butler has confirmed the government is also examining whether new Medicare cards will need to be issued to customers.

"We’re particularly concerned that we weren’t notified of the breach of Medicare data until the last 24 hours," Butler told reporters on Wednesday. 

"So, we're working hard to develop strategies for a response to that, as government has been, for example, for some time in relation to passport numbers, as state governments have been in relation to driver's licence numbers."

This article was originally published on September 27, 2022, and was updated on September 28, 2022.

- With AAP. 
