Ransom demand probed after data hack, Australia’s Optus says


So-called ransomware hacks have soared worldwide in recent years, with attackers targeting businesses, schools and even hospitals. — AFP Relaxnews

Australian mobile-phone company Optus said authorities are investigating an online ransom demand following a major data hack that exposed the personal details of as many as 10 million customers.

The Singapore Telecommunications Ltd-owned company is still trying to retrieve the data and is working with police and cybersecurity officials, chief executive officer Kelly Bayer Rosmarin said Sept 27.

The Australian Federal Police is “all over” an online post indicating that customer details will be sold unless Optus pays a ransom, she said.

So-called ransomware hacks have soared worldwide in recent years, with attackers targeting businesses, schools and even hospitals. Since January 2020, at least 92 corporate, government and nonprofit organisations have suffered major cyberattacks exposing one million records or more.

Over the course of more than a decade, the tally exceeds 11.43 billion records across 382 entities.

Optus, which revealed the security breach last week, is now under mounting pressure from the government as well as customers who accuse the company of poor communications in the wake of the attack. Home Affairs and Cyber Security Minister Clare O’Neil has said Optus left the “window open” for data to be taken, and was duped by “quite a basic hack”.

Amid reports that private information of 10,000 Optus customers has already been released, Bayer Rosmarin defended the quality of the company’s cyber-defenses. The hackers, not Optus, are the villains, she said.

“It’s not as it’s being portrayed,” she said. “Our data was encrypted.”

Still, she said: “If something indicates that Optus has made an error or done something bad we will of course take full accountability for that.”

The Australian Federal Police (AFP) is working with overseas law enforcement to determine who carried out the attack. The force said Monday it’s also monitoring the dark web – hidden sites that are only accessible with special software – following reports that stolen data is being sold there. An AFP spokeswoman declined to comment Tuesday on the reported ransom demand.

According to Minister O’Neil, “basic personal information” had been taken from 9.8 million Optus customers, while for some 2.8 million of them, the theft includes personal data such as driving license and passport numbers. In Australia, that’s enough to provide proof of identity to obtain a wide range of services such as loans and credit cards.

“The scope for identity theft and fraud is quite significant,” she said. Australia’s data and technology defenses are years behind the criminals, she said.

“We are probably a decade behind in privacy protections where we ought to be,” she said. “We’re about five years behind where we should be in cyber protections when it comes to how fast things are moving.”

A company like Optus would be fined hundreds of millions of dollars for a breach of this scale in other countries and current penalties for privacy lapses in Australia were “totally inappropriate,” O’Neil said. – Bloomberg
