Australian officials suspect Singaporean company paid Optus ransomware after massive 2022 data breach

Senior officials involved in the government’s response to the massive Optus customer data breach in 2022 believe the telco’s Singaporean owner agreed to an undisclosed payment to end the damaging ransomware incident.

Numerous figures from the intelligence community, and inside the Albanese government, have told The Nightly that Australia has long suspected parent company Singtel paid the hackers an unknown sum to ensure personal details were not exposed.

In September 2022, a hacker claimed online to hold the private data of around 9.8 million current and former Optus customers and initially demanded $1 million in cryptocurrency, threatening to release records daily if it was not paid.

Later that month the alleged cyber criminal had an apparent change of heart, removing their online posts and claiming they had also deleted the only copy of the stolen Optus data.

“Too many eyes. We will not sale [sic] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy)… Sorry too [sic] 10,200 Australian whos [sic] data was leaked,” they wrote online.

“We never had any concrete evidence that Singtel, or the Singaporean government, facilitated a ransom payment – but it was certainly weird and more than curious the way the hackers just suddenly backed off,” one senior government official tells The Nightly.

Figures inside the country’s cyber spy agency, the Australian Signals Directorate (ASD), have also privately confirmed that assessment to The Nightly, but stressed they never obtained any substantial proof of a payment.

ASD declined to comment on the matter, but a spokesperson has told The Nightly: “The Australian Government’s advice remains that Australian businesses and organisations should not pay ransoms.”

“When paying a ransom to criminals there is no guarantee you will regain access to your information, or prevent it from being sold or leaked online,” the ASD spokesperson added.

In response to recent questions from Greens Senator Sarah Hanson-Young, Singtel has given a written submission to the Senate’s inquiry into the Triple Zero service outage declaring it has never made ransomware payments.

“Singtel adheres to the guidelines from the Cyber Security Agency of Singapore (CSA), which strongly discourages ransom payments. Singtel has not paid any ransom in relation to any ransomware incident.”

“Accordingly, the Singtel Board is not aware of, nor did it discuss, any such incident where Singtel had paid any ransom,” the Singapore-based company added.

In April 2023 Singapore’s Minister for Communications and Information and Minister-in-charge of Cybersecurity, Josephine Teo, travelled to Australia where she spoke out publicly against the payment of ransoms to criminals online.

On Thursday Singtel’s Australian board representatives John Arthur and Gail Kelly are scheduled to front the Senate Environment and Communications References Committee where they are expected to be quizzed on the 2022 Optus breach.
