Hackers have leaked the personal information of 30,000 past and present Telstra employees on a dark web forum. In a statement on Tuesday, Telstra said its systems were not affected by the breach, and no customer data was exposed.
The data, which is from 2017, came from a now-defunct third-party platform called Work Life NAB.
“The supplier previously provided a now-obsolete Telstra employee rewards program,” the company said.
Telstra is an Australian telecom giant with over 18 million retail mobile services subscribers. This leak comes a few weeks after hackers breached Optus, its chief competitor.
The leaked Telstra employee data was posted on the same dark web forum used by the threat actor responsible for the Optus breach. Last week, the Optus hacker released sensitive information belonging to 10,000 people. The hacker has demanded a ransom of AUD$1.5 million in the crypto token, Monero.
What We Know About the Telstra Breach
Telstra said it learned about the breach last week. The company said it had informed its current employees about the incident, and it will try to reach out to its former employees, although the “risk is low” for them.
Alex Badenoch, Telstra’s group executive for transformation, communications, and people, told company staff about the leak on Saturday.
The stolen haul contains the first names, last names, and work email addresses of 30,000 Telstra staff. Only 12,800 of the affected staff still work at the company. Badenoch said Telstra is working with the third-party company to learn more about the incident.
“We understand this may cause some anxiety to our people, particularly in the current climate of heightened awareness around cyber security,” Badenoch said in her staff note. “If you wish to find out more about the breach, or to find out if your email address was exposed, please contact our cyber team… In the meantime, we remind you as always to remain vigilant about any unexpected communications.”
Telstra said the incident did not compromise any other information, including its current rewards program. The company insists it did not store customer data on the supplier’s platform.
Badenoch said the company had reset the passwords of all users as a precaution.
Stolen Information May Not Be Relevant
A Telstra spokesperson played down the significance of the leaked data on the dark web. The spokesperson said the hacker may have released the stolen information at this time “to profit from the Optus breach,” describing the leaked data as “very basic in nature.”
A source within the company told 7news that the stolen data may not be relevant, as the information “could be found on Google or LinkedIn.”
“It’s not a breach of an internal system … it’s a platform we no longer use and haven’t used for a number of years,” the source said. “It’s old information from 2017, a lot of it wouldn’t be relevant. It was posted to Breach Forum last week as information a hacker has tried to sell off as new information.”
Meanwhile, Optus has come under fire from the Australian government and policymakers. Last week, Prime Minister Anthony Albanese revealed plans to make changes to the country’s privacy laws in light of the Optus breach. Albanese stressed the importance of quickly reporting breaches to banks.
The government has been critical of how the company handled the breach and the delays in communicating with customers.
“Optus senior management are kidding themselves if they want a medal for the way that they’ve been communicating,” said Bill Shorten, Australia’s Government Services Minister. “Not even a crocodile’s going to swallow that.”