Australian Scammer Targeting Optus Data Breach Victims Sentenced to 18 Months

An Australian court ruled a heavy punishment for a scamster in Sydney who was misusing the data leaked during the Optus data breach.  

The individual in custody was convicted for his nefarious attempts to squeeze money out of unsuspecting Optus customers by leveraging stolen records he had procured from the data leak websites. 

According to the Australian Federal Police, the court imposed a sentence of 18 months under community correction, mandating 100 hours of service to the community and a lasting mark on his record. 

Scammers targeting Optus data breach victims  

Following the massive Optus data breach, thousands of victims were left worried about their personal data being misused. In a recent incident, the nightmare came true when a scammer was targeting Optus breach victims. 

According to government records, the man’s illicit scheme was uncovered when he targeted individuals whose sensitive information was exposed in the infamous Optus data breach of September 2022. 

He sent deceitful text messages to around 92 hapless customers, menacing to use their details for financial fraud unless they coughed up $2000 and deposited it into a bank account of his choosing.

The Australian Federal Police (AFP) embarked on Operation Guardian, and their tireless efforts paid off on October 6th, 2022, when they successfully tracked down the culprit and apprehended him.  

Despite his attempt to trick 92 unsuspecting victims through text messages, the AFP discovered that not a single penny was lost to his deceitful schemes. 

Optus data breach explained   

On September 22, 2022, the digital world was rocked by a devastating cyber-attack on Optus that exposed sensitive customer information, including names, birth dates, email addresses, driver’s licenses, Medicare cards, and even passport numbers.

The data of customers data who have been associated with the organization since 2017 was affected, as the company preserved identity verification records for six years. The company served 9.8 million customers at the time of the breach.

Though telecommunication service providers fall outside the purview of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, disclosing such personal information could lead to increased risks of money laundering, terrorism financing, and criminal activities for businesses under the watchful eye of AUSTRAC. 

The Optus data breach was a stark reminder of the importance of proper security measures. The source of the breach was an API that was left exposed and unprotected, open to anyone with knowledge of its existence.

The API failed to enforce even the most basic level of security – user authentication. With no requirement for a username or password, anyone could easily connect to the API and gain access to sensitive information. 

Optus, data breaches, and penalty

Following major cyber incidents such as the Optus data breach, the Medibank cyberattack, the Harcourt data breach, and the data breach at the Australian defence e-communication platform, the Australian Parliament increased the privacy penalty bill on defaulting companies.

According to the new Bill, repeat offences as well as serious data breaches may incur a penalty of $50 million, three times the value from profits made by misusing breached data, or 30% of a company’s adjusted turnover in the applicable time period, whichever is higher.