Australia Police Charge Teen With Extorting Optus Victims
19-Year-Old From Sydney Suburbs Allegedly Sent Extortion SMS to Data Breach Victims
Australian Federal Police arrested a teenager who attempted to capitalize on the massive data breach at telecommunications provider Optus by threatening to blackmail victims whose data was published online.
The man, 19, allegedly sent text messages to 93 of the 10,200 Optus customers whose data was posted online by the hacker who stole millions of customer records from the cellular network provider. Police are not revealing the teenager's identity but say he threatened to use victims' personal information for financial crimes unless he received a payment of AU$2,000 - approximately US$1,300.
The teenager is not a suspect in the Optus data breach investigation itself, which police say is ongoing and "aggressively pursuing all lines of enquiry." The hacker behind the breach late last month backed off from selling the entire set of stolen customer records. "Too many eyes," the hacker posted in a forum (see: Optus Attacker Halts AU$1.5 Million Extortion Attempt).
Police arrested the would-be extortionist Thursday morning in his home in the Sydney suburb of Rockdale and seized a mobile phone allegedly used to send the blackmail messages. None of the recipients appear to have paid out.
Police charged the teenager with using a telecommunication network with the intent to commit a serious offense and dealing with identification information, which respectively carry a maximum penalty of 10 and seven years.
Following the Optus breach, Australian law enforcement inaugurated Operation Guardian to monitor for illicit online activity involving individuals swept up by the breach.
A number of public service agencies, including the Australian Competition and Consumer Commission, have alerted Optus customers to be on the lookout for scams. Multiple bad actors have already sent out Optus breach-themed phishing and SMS messages.
Police are "scouring forums and other online sites for criminal activity linked to this breach. Just because there has been one arrest does not mean there won't be more," Australian Federal Police Assistant Commissioner Justine Gough said in a statement.
Optus is conducting its own investigation into the data breach incident. In a Monday update, the company said further analysis shows that of the 9.8 million records exposed, only 2.1 million involved an identity document number.*
*Correction Oct. 10, 2022 21:02 UTC: Clarifies that Optus has found that, of the 9.8 million individuals affected by the breach, only 2.1 million must take action due to having an identity document number included in the affected data set.