The Optus data breach is possibly the worst data breach in Australia’s history, so as a cyber security specialist, it is of great interest to me, but I also have a personal interest. I am a former Optus customer whose personal data has been exposed.
There has been an abundance of information in the media about the Optus data breach, but unfortunately, it includes a lot of confusing and misleading advice for people who are the victims of this data breach. I want to provide some clarity around the situation, along with some clear advice on what actions you should consider taking.
Things Everyone Should Know
There are already several active Optus related scams, and there will be many more to come. You are likely to be targeted by these scams in various ways, including via email, SMS, phone call and social media.
This is what you need to be aware of:
- Any communication from Optus will not include a link or attachment of any sort.
- Threats to fraudulently use your data unless you pay a ransom should simply be ignored (regardless of whether your data was exposed as part of the Optus data breach).
- If you receive any communication that references the Optus data breach, DO NOT click on any links, and DO NOT open any attachments.
- Never respond to any request for you to provide, confirm, or renew an account password (for any type of account).
Who is Affected by this Data Breach?
Optus has reported that records of 9.8 million current and former customers have been exposed. Anyone who is, or has been an Optus customer, should assume they are probably affected. I am a former customer, having closed my Optus account earlier this year.
What Data was Taken?
Based on advice to date from Optus, this is what we know about the information that has been exposed:
- For most affected customers it involves names, dates of birth, phone numbers, email addresses, and addresses.
- For a subset of customers, it involves either driving licence numbers, or passport numbers.
- For a smaller subset of customers, it involves Medicare ID numbers (36,900 Medicare ID numbers were exposed, comprising 14,900 current numbers and 22,000 expired numbers).
- Payment details and account passwords have not been compromised.
According to Optus, it has contacted (by email or SMS) all customers whose ID document numbers, such as licence number, passport number, or Medicare ID were compromised.
In my case I have been advised by Optus in an email that my information which has been exposed comprises a combination of name, date of birth, email, phone number and address associated with my former Optus account.
Action Optus Customers (past and present) Should Consider
Most importantly, although you should be concerned, there is no need to panic. The unfortunate reality is that this type of incident is not something new, either in size or sophistication, and data breaches like this have been a common occurrence around the world for many years.
Carefully read the information below, identify the situation relevant to you, assess the advice, and then determine what action is appropriate for you.
- You have been advised by Optus that the exposed information DOES NOT include an ID document number (licence number, passport number, or Medicare ID).For most people, the information that has been exposed is readily available to anyone who cares to do a bit of searching on Google (give it a try). Most importantly, it is highly unlikely you will end up the victim of identity theft based on this information.
Suggested Action: No specific action is necessary, but in general, multi-factor authentication on your bank account is highly recommended if your bank supports it.
- You have been advised by Optus that the exposed information does include an ID document number (licence number, passport number, or Medicare ID).
- Enable multi-factor authentication on your bank account (if your bank supports it).
- Contact your bank and inform them of the advice you have received from Optus, and request additional measures be taken to secure your bank account against identity fraud. Make a record of this conversation.
- Depending on what ID document number has been exposed, take action to change it: abc.net.au/news/2022-09-28/optus-data-breach-how-to-replace-your-drivers-licence-passport/101482638
- If you think you are the victim of identity theft, contact IDCARE: idcare.org
- You have not been contacted by Optus.
Suggested Action: Contact Optus and request confirmation in writing about whether any of your personal information has been exposed.
This blog was prepared by Ian Bloomfield of Ignite Systems, AIC VIC’s preferred cyber security and computer management provider.