Australian telecom giant Optus on Monday confirmed that nearly 2.1 million of its current and former customers suffered a leak of their personal information and at least one form of identification number as a result of a data breach late last month.
The company also said it has engaged the services of Deloitte to conduct an external forensic assessment of the attack to "understand how it occurred and how we can prevent it from occurring again."
Optus is fully owned by Singaporean telecommunications conglomerate Singtel, which also has a significant stake in Bharti Airtel, the second largest carrier in India.
"Approximately 1.2 million customers have had at least one number from a current and valid form of identification, and personal information, compromised," Singtel said in an announcement made on its website.
It also said the breach affected expired IDs and personal information of about 900,000 additional customers. It further emphasized that the exposed data did not contain valid or current document ID numbers for some 7.7 million customers.
The leaked data is said to contain email addresses, phone numbers, and dates of births, necessitating that customers remain cautious about potential phishing and smishing attacks.
The company also said it has notified users whose current identification documents had been compromised in the attack. This includes driver license numbers, card numbers, and Medicare ID numbers.
Of the 9.8 million customer records exposed, 14,900 valid Medicare IDs and 22,000 expired Medicare card numbers are estimated to have been exposed, Optus previously disclosed on September 28.
The security incident, which came to light on September 22, involved a malicious actor gaining unauthorized access to customer information. It's not immediately clear how and when the actual intrusion took place.
The attacker, using the alias "optusdata," subsequently published a published a small sample of the stolen data belonging to 10,200 users and demanded that Optus pay a $1 million ransom to avoid more leaks.
The self-identified hacker has since withdrawn the extortion demand while apologizing for the crime and claiming that the "only copy" of stolen data had been destroyed, citing increased public attention.
While it's not known if "optusdata" is the person/group responsible for the breach, the Australian Federal Police (AFP) has launched twin operations to identify the perpetrators behind the attack and "supercharge the protection" of the 10,200 customers.
The latter, called Operation Guardian, offers "multi-jurisdictional and multi-layered protection from identity crime and financial fraud," with the agency stating the impacted users had 100 points of identification released online.
"There are reports that sophisticated scammers are contacting Optus customers via phone, email, and text to get further personal information from the victims of the breach," the AFP warned last week.