Singtel’s Optus says IDs of over two million customers compromised in cyberattack

SINGTEL’s Australian subsidiary Optus has confirmed that the cyberattack it faced in late September resulted in a leak of the personal identification data of some 2.1 million of its 9.8 million customers.

In a statement to the media on Monday (Oct 3), Optus said about 1.2 million have had at least one number from a current and valid form of identification compromised, while the other 900,000 customers have had numbers relating to expired identification information compromised.

While the identification numbers of the rest of its customers – some 7.7 million individuals – were not exposed, Optus said it is important for them to “remain vigilant” as the breach contained details such as email addresses, date of birth or phone numbers.

The update came the evening after Singtel announced the appointment of Deloitte to undertake an independent review of Optus’ cybersecurity systems following the cyberattack.

On Monday morning, the telecommunications giant said in a bourse filing that Optus is working closely with identity document-issuing authorities to determine the appropriate next steps for its customers.

Separately, Singtel said it seeks to clarify “certain reports in the media citing potential fines or cost associated with the incident”. The group considers these reports “speculative and this juncture and advises that they should not be relied upon”.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

Citing a cybersecurity consultancy on average costs incurred by hacked companies, a Sept 29 Bloomberg article had estimated Optus to face a loss of US$420 million to US$560 million from the recent data breach.

The report flagged a likelihood of additional expenditure incurred by Optus on tightening security as well as training. It also said an Australian law firm was assessing a class action against Optus after receiving “tens of thousands” of registrations.

Singtel in its Oct 3 statement said that it is continuing to evaluate the potential financial implications arising from the matter. The group has engaged lawyers to advise on the matter, although no legal notice of a class action has been received to date.

“Any class action will be vigorously defended, if commenced,” it added.

Meanwhile, Optus said that it has sent an email or SMS to customers who have had their current ID documents compromised in the attack. It also said that it has contacted customers whose ID documents had expired to notify them that their ID documents were compromised.

Shares of Singtel closed S$0.06, or 2.3 per cent lower, at S$2.60 on Monday, after the news.