Three Adelaide-based Chinese men have been charged for illegally obtaining the personal details of Spotify, Netflix, and Foxtel customers by using data leaked from Australian telecommunications giant Optus.
Sheng Li, 24, on Dec. 20 faced 76 charges of money laundering and the federal charge of conspiracy, although he was initially charged with using other people’s identities to commit offences, Adelaide Now reported on Dec. 21.
Meanwhile, Renzhong Chen, 31, and Xiaoxin Zheng, 20 were charged with conspiracy, which means they could be subject to more than 12 years of imprisonment. Chen was also charged with unlawful possession, which carries the maximum penalty of two years in jail or $10,000 (US$6,700) under South Australian law.
The phishing scam has reportedly affected 1,500 people.
Three men have applied for bail in the Port Adelaide Magistrates Court. They currently remain in custody.
It was also reported that Police Prosecutor John Payne told the court that the accusations, in this case, were “extremely complex” and the charges of money laundering could go up to hundreds of thousands of dollars.
Court documents show the trio carried out the hack in November, two months after Optus suffered a cyber attack—breaching its firewall—that saw the private information of millions of Australians placed onto the dark web.
It came amid a spate of cyberattacks that saw major institutions suffer huge data leaks including Australia’s largest private insurer Medibank, energy firm EnergyAustralia, supermarket giant Woolworths, as well as the Australian Department of Defence.
On Sept. 23, an alleged hacker called Optusdata announced on BreachForums, a dark web hacking community forum, that they obtained 11.2 million Optus customer details, and 3.66 million driving licence numbers.
The hacker released two sample batches, each containing the records of 100 current and former Optus customers, and threatened that it would continue leaking those details until Optus paid them $1 million.
The released data also contained email addresses from the Department of Defence and the Office of the Prime Minister and Cabinet.
But the alleged attacker later apologised for the attack, deleted their posts and claimed they had also deleted the only copy of the Optus data.
“Too many eyes. We will not sale [sic] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy),” they wrote online.
“Sorry too [sic] 10,200 Australian whos [sic] data was leaked.
“Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you.”
In light of the data breach, the Victorian government announced that almost one million people in the state will be eligible for a new driver’s licence to secure their personal details.