Hackers have hijacked the account details of 400,000 Optus Internet dial-up customers launching the biggest computer crime investigation undertaken by the NSW Police.
Both Optus and the NSW Police have confirmed the hack attack in which the entire customer database and account details were hijacked on December 19.
But an Optus spokeswoman denied credit card details were stolen, adding that the information couldn't be compromised in any way, because it was encrypted.
However, reliable sources have told Computerworld that credit card details were stolen, and that details were posted on the Internet for about four hours.
"Optus doesn't use a single field for the information; it breaks it up into separate fields, but it can still be used," a source said.
One Optus customer has had more than $500 stolen from a credit card account, but the spokeswoman said the two incidents were unrelated. After the December incident occurred, the telco e-mailed its entire Internet database advising customers to change their passwords and user names, the spokeswoman said.
A spokeswoman at the NSW Police Media Unit confirmed the investigation is under way and is being handled by the Commercial Crime Agency, but was unable to release details because investigations were continuing.
She said the Police had a number of good leads simply stating that, "we can confirm there is an investigation under way involving Optus".
IT security consultancy E-Secure Pty Ltd is providing technical support in the investigation, but could not comment due to strict nondisclosure agreements.
The company's general manager of sales and marketing, John Paul Burgess said E-Secure does a lot of work with Optus, but was unwilling to discuss recent security breaches.
According to sources, the NSW Police has been able to narrow the investigation down to three or four computers in South East Asia and is close to a breakthrough in the case, but Optus denied the claims.
The Optus spokeswoman said that as a "responsible corporate citizen" customers were advised of the hack attack and also advised Police were undertaking extensive investigations.
"An e-mail was sent to customers advising them to update their passwords," she said.
Computerworld was unable to find documentation supporting this although the spokeswoman said the media were also advised.
When asked for a copy of the media statement the spokeswoman said some media were advised "verbally".
The spokeswoman also rejected claims in information obtained by Computerworld that Optus customer details had been hacked four times in the past year.
Computerworld understands that sections of data were obtained in a number of hacks over a period of 12 months, before all Internet customer details were taken on December 19.
While refuting these claims as untrue, the Optus spokeswoman said, "The last time we were attacked [before December 19] was two years ago."