Photo by Markus Spiske on Unsplash
Optus Data Breach - what to do?
6 min read
A week ago, on 22nd September 2022, Optus notified their customers of a sophisticated cyber-attack. The outcome of this attack is the theft of 9.8 million records of personally identifiable information (PII). Woof! 9.8 million is a large number. One solace is that Optus confirmed this number is a worst-case scenario, and there is not much info on the exact volume as the details are still part of the ongoing federal investigation.
What's disappointing is after a week I still see posts on social media for help from direct customers on what to do and how to confirm whether their data is compromised. In this age and time, one would expect transparency, honesty and consistent communication about the actions taken for resolution. There is a compelling need to arm the customers with steps to protect themselves, educating them about cyber security measures and controls. This post is a compilation of all the relevant links to help some novice customers.
What information has been exposed?
Personally identifiable information (PII) of retail customers. Now the question remains what is PII? A piece of data on its own or combined with other relevant data that can be used to identify a person or locate the individual is called personally identifiable information, in short PII. So, in this case, if you are an existing Optus customer or held a retail service (not business/ enterprise/ wholesale/ satellite) in the last 6 years - then there is a good chance that your name, date of birth, phone number, email address, physical addresses, and identity numbers such as driving license, passport numbers and/or medicare numbers.
Did my payment or banking details get exposed?
From the information available from Optus and various other news outlets only customer identifiable information is exposed and that does not include payment details. So you don't need to change your bank details but it does not hurt to up your security game. For example, recently I received a call from my bank enquiring if I am looking for a loan and instead of providing my details I asked the banker to email me to confirm that they are the person they are saying. The banker was able to send me a security verification message to my email and my banking app to validate that she is who she is. Doing these basic checks will ensure that you won't fall rampant with any fraudulent activities or scams. Always ACT with caution:
✔ [A] Aesthetic - Are there any grammatical or spelling errors? Is it missing a basic signature? Genuine organisations use professional branding and links starting with HTTPS for safety (remember the additional 's' means it is a secured site).
✔ [C] Compelling triggers ⛳- if you are being compelled to provide information within a certain time frame or threatened that not taking an action can result in loss. That's a big red flag to avoid and contact the relevant person or organization through other means.
✔ [T] Trust - Do you trust the recipient to share your details? Do you need to provide the information they are asking for? Enable two-factor authentication where applicable.
Some basic guidelines and support extended by the top 4 Australian banks can be found below:
How long do we have to worry about our details being used by hackers?
At minimum years! Shocking I know but remember some of your details like date of birth is not going to change ever. So those basic security/identity questions you answer to identify that you are who you are have been compromised in this grand-scale data breach. There will be an increase in several scam texts and messages. Do not click on any suspicious links. Always remember to ACT with caution.
How do I know if my details got hacked?
Optus has emailed all affected customers informing them that their details have been exposed as part of this data breach. I have read news where customers have received their email after a week too so it won't surprise me if you haven't received it yet. The worst-case scenario suggests that 9.8M records got exposed. On top of that, the hacker released 2 sets of 100 samples of user data in the initial threat to show that they legitimately hold the data. In another ransom threat, 10,000 customer details are released.
- You can check if your email address or mobile number got hacked through Have I Been Pwned site.
- Fill in the ACSC form for Have you been hacked?
- Contact IDCARE on 1800 595 160.
- Identity theft | Moneysmart
- Identity fraud | OAIC
- Australian Cyber Security Centre Homepage | ACSC
- Make privacy compliant with Optus
What are the basic steps I can take to protect myself?
Optus is providing credit monitoring and identity protection service free of cost for 12 months to the affected customers present and past. Subscribe to it and request a credit report immediately and keep an eye on it frequently. If you are one of the most affected customers I would recommend negotiating with Optus to extend the subscription to 5-6 years.
Get a new driving license - most of the states are offering this free of cost or you will receive a refund from Optus through direct credit to your account. Victorian customers are also required to flag their record for breach by filling this form.
Apply for a Commonwealth victim's certificate.
From the Optus emails, it is hard to know what personal details of yours got exposed. See what details you shared for the 100 points check when applying for an Optus connection. Assuming you provided your passport and medicare for the 100 points ID check, this means there is a possibility they got exposed. The department of foreign affairs and trade (DFAT) has clarified a number of questions related to this matter and confirmed that your existing passport is still valid for any immediate travel. However, if you plan to request a new ID, keep in mind the current waiting times, and Optus has agreed to pay the replacement costs.
Do I have to switch my connection from Optus to a different provider?
This is a personal choice. After everything, if you want to move on to a different provider it's your call. Having said that moving to a different provider is not going to solve your problem - if your data is leaked, it is out there in the open and moving providers is not going to make it disappear.
Hope this helps and please use the comments below if you have more questions that are not covered in this post.
Thank you for Reading - Let's Connect!
Enjoy my blog? For more such awesome blog articles - follow, subscribe and let's connect.
Did you find this article valuable?
Support Narmada Nannaka by becoming a sponsor. Any amount is appreciated!