Optus has disclosed a major cybersecurity incident affecting roughly 10 million current and former customers—around 40% of Australia’s population—triggering what experts describe as one of the nation’s most serious data breaches. The telco said personal information, including names, dates of birth, residential addresses, phone numbers, email addresses and, for some, passport and driver’s licence numbers, was accessed. Payment details and account passwords were not taken, the company said. Government officials later estimated that about 2.8 million people whose identity document numbers were exposed face a “quite significant” risk of identity theft and fraud.
The company, a subsidiary of Singapore Telecommunications Ltd, detected suspicious activity and went public about 24 hours later, notifying federal authorities, regulators, and financial institutions. Early indications suggested the intrusion originated offshore, according to local media reports. In an emotional statement, chief executive Kelly Bayer Rosmarin described the incident as a “sophisticated attack,” apologised to customers, and said Optus maintains strong cybersecurity practices but was nonetheless targeted. “I am angry that there are people out there who want to do this to our customers, and I’m disappointed that we couldn’t have prevented it,” she said.
The fallout escalated over the weekend when a forum user posted a small sample of purported customer records—about 100 entries—and demanded a ransom of US$1 million in cryptocurrency, threatening to sell additional data in batches if payment was not made within a week. While investigators had yet to authenticate the claims, several cybersecurity observers said the sample appeared genuine. Sydney-based technology reporter Jeremy Kirk said he contacted the purported offender, who provided a detailed account of how the data was obtained, intensifying scrutiny of Optus’s initial characterisation of the incident as a “hack.”
The episode has quickly broadened into a national debate over data retention and privacy safeguards. Lawmakers, regulators and security experts questioned why telcos hold sensitive identity information for extended periods, and whether existing rules and penalties adequately deter negligent data handling. The Office of the Australian Information Commissioner and the Australian Federal Police opened inquiries, while state authorities considered fast-tracking new licence numbers and passport remediation for affected customers. Banks and major financial institutions moved to heighten fraud monitoring, warning customers to be alert to targeted phishing, SIM-swap attempts, and account takeovers leveraging leaked personal details.
Consumer advocates urged Optus to fund document replacements and provide multi-year credit monitoring, arguing that identity risk persists long after the news cycle fades. Security practitioners reiterated practical steps for the public: enable multifactor authentication wherever possible, monitor bank and telco accounts for unusual activity, be sceptical of unsolicited messages asking for verification or payment, and consider placing extra verification flags on mobile and financial services. They also called for stronger breach-notification timelines, mandatory minimisation of stored identity data, and clearer liability settings to ensure victims aren’t left carrying the cost of remediation.
As investigators work to reconstruct the intrusion and the chain of custody for the stolen data, the breach has become a test case for Australia’s cyber readiness. For Optus, the immediate priorities are securing systems, supporting customers at risk of identity misuse, and cooperating with law enforcement. For policymakers, the case is likely to shape reforms around data retention, corporate accountability and penalties, and the practical mechanics of helping millions of Australians recover trust—and their digital identities—after one of the country’s most consequential breaches.
