Arrest after Optus data breach: Accused fraudster is charged with using stolen data for an alleged SMS scam

• Man arrested for alleged SMS scam using information from Optus data breach
• The 19-year-old was arrested at a property in Rockdale, Sydney on Thursday
• It is alleged the man sent 93 blackmail scam text messages to Optus customers

A Sydney man has been charged over an alleged blackmail scam where he allegedly used details obtained from the Optus data breach. 

On Thursday police arrested a 19-year-old man at a Rockdale property with a mobile phone allegedly linked to the text messages seized.

He has been charged with using a telecommunication network with the intent to commit a serious offence and dealing with identification information, offences that carry a maximum penalty of 10 and 7 years imprisonment respectively.

Police will allege text messages were sent to 93 Optus customers who had their data exposed in the Optus hack. 

It is understood none of the individuals who received the text messages transferred money to the nominated account.

An AFP-led investigation was launched following the text messages demanding some Optus customers transfer $2000 to a specified bank account or see their personal details used for financial crimes. 

The data used by the alleged offender was taken from the 10,200 stolen records posted online during last month's Optus breach.

The AFP identified the bank account in the name of a juvenile with police alleging it was actively being used by the man.

The 19-year-old man will appear at Sydney Central Local Court at a later date. 

Some 9.8million Optus customers' names, passports, drivers' licence numbers, addresses, email addresses, dates of birth and phone numbers were stolen by hackers in Australia's biggest ever data breach last month.

Several victims reported receiving 'highly targeted' scam texts and emails in the wake of the hack. 

Assistant Commissioner Cyber Command Justine Gough said the man is not suspected of being responsible for the largescale Optus hack but did allegedly try to financially benefit from the stolen information.

'Last week, the AFP and our state and territory partners launched Operation Guardian to protect the most vulnerable customers affected by the Optus breach and we were absolutely clear that there would be no tolerance for the criminal use of this stolen data,' Assistant Commissioner Gough said.

Assistant Commissioner Gough said the AFP has committed 'significant resources to protect those customers at risk from identity fraud'.

'We understand how worried some members of the community are, and I want to give the community reassurance that the AFP and our partners are working around the clock to help protect your personal information,' Assistant Commissioner Gough said.

'Do not test the capability or dedication of law enforcement. The AFP, our state partners and industry are relentlessly scouring forums and other online sites for criminal activity linked to this breach. Just because there has been one arrest does not mean there won't be more.'

Assistant Commissioner Gough said Operation Hurricane - the AFP investigation into the alleged offender responsible for the breach - is still ongoing.

'The Hurricane investigation is a high priority for the AFP and we are aggressively pursuing all lines of enquiry to identify those behind this attack,' she said.

Mobile phone and internet customers however, will soon be better protected from fraud under new regulations set to be introduced following the massive data breach.

Under a new federal government plan Telcos will be able to coordinate with financial institutions to fight against potentially malicious activity if customer details are compromised.

The amendments see will allow companies to temporarily share key information such as driver's licence, Medicare and passport numbers with financial service firms to allow them to better monitor and safeguard against breaches.

This will also mean Optus will be able to share identifiers with Commonwealth, state and territory agencies preventing fraud directly relating to the data breach.

Communications Minister Michelle Rowland said the move strengthened safeguards in the event of a future breach.

'What this is all about is to try and reduce the impact of this data breach on Optus customers and to enable financial institutions to implement enhanced safeguards and monitoring,' she told reporters.

'We take people's personal information and the protection of that very seriously.'

Ms Rowland said after the breach Optus asked for greater data access to improve the monitoring of any future fraud.

'We examined this, did proper due diligence and we need to be clear, these regulations are specifically in response to these cyber threats and we know this is on a scale and scope that hasn't happened in Australia before,' she said.

'We considered it prudent having taken and considered the proper legal advice that the most effective way to enable this data to be shared beyond doubt was through amending these regulations.'

Treasurer Jim Chalmers said the amendments followed close industry consultation and would allow for safer and more secure data sharing.

Cyber security consultancy Gridware previously told Daily Mail Australia that Optus's stolen data would be sold on the dark web to criminals and used to create authentic-looking phishing scams.

Ahmed Khanji, Gridware's CEO and professor of cybersecurity said criminals who buy the data were able to create convincing-looking SMS messages and emails because they already have so much personal information.

'These messages will be advanced, targeted phishing attempts trying to get you click a link to pay a fee or a fraudulent invoice, or fill out more details,' Prof. Khanji said.

'They are far more believable than random messages saying 'I'm from the ATO, you owe money.'

The messages could most obviously try to pressure existing Optus customers for money.

People unaware their details had been stolen could easily fall for the scams because any messages would quote their personal details back to them - including residential address and date of birth.