Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API

Related Stores

Optus
Optus

Comments

  • Do we know the wholesale ISP's don't have the same vulnerability etc?

    • -1

      it's more of a mis-configuration than a vulnerability in a sense…

      it's not a matter of "if" but a matter of "when" in all organisations that are online.

  • I am fairly certain I signed up to Optus but I do not have access to that dummy email or phone number anymore… I like to activate these sim cards with a random email address which is not my main one just in case it gets hacked, but here they took more than just the email, password which is the usual hackable material…

    How do I seek reimbursement for the license/passport?

    I also have an email from Optus on my proper email account stating I bought a sim card, but I do not know how, where, or when I activated it… I also remember the free sim card at some point in time which I took up… I am sure many did.

    • Don't you have to use 100pts of checkable ID to activate a sim?

    • ok, help me out with the thought process.

      you used a dummy email to sign up for a line that you provide a form of ID that is tied to your real identity?

      and you no longer have access to that email?

      then you later on said you got an email from Optus?

      ???

      • The email is from purchasing the sim and this is sent to my main email as I use paypal and all payments come out of this main email address to help me when I do the accounting. I am then subsequently activating it using a dummy email address.

        The ID is not viewable on the portal, so if Optus got hacked then I would assume they could only see certain details. This is important to me, but it seems like they managed to extract all that data and more… If they only stole parts of my data that are usually available in the portal I would not be as worried. You do not usually see someone's passport number/drivers license/medicare number when you login.

        So… Yeah, it's a bit of a dilemma, but it is also because I am activating hundreds of sim cards a year; notably during periods when we had tourists coming in…

        • thanks for clarifying.

          if you are a bit tech minded, operationally, it would be less painful to invest in a domain name and an email provider that allows you to generate a fair bit of aliases (where you can de/activate any time). you retain more control over that instead of some random throwaway email addresses from a domain that you don't own.

          *a fair bit : >100 aliases for free

  • I've signup for a prepaid mobile broadband for a month back in May but closed after on month. When I log into Optus, i get an validation code sent to my email and can only use that to login. But after that, i can only back to the same login screen. But i notice my name is mentioned under the User setting on that page. So Optus still have me as a customer but not active.

    Using the link from Whirlpool, i can only this text

    {"ErrorInfo":{"errorCode":"InvalidInput","errorMessage":"Invalid input: {0}.","backendErrorInfo":"AMSS [ContactDetails] : Transaction ID:***** missing","errorUUID":"*****"}}

    So what do I make of this? Did I just dodged a bullet?

    According to Optus email to me several days ago "The information which has been exposed is a combination of your name, date of birth, email, phone number and/or address associated with your account. No ID document numbers or details have been affected."

  • +1

    If you have had an old an Optus account that does not start with '6' then Optus will not be informing you if the account has been breached as the call center and "security" team cannot access it to check….

    They wanted me to go into store to check and the store will have just call the call centre and get no where (been there done that in the past).

    If you do have an account that does not start with '6' call Optus and ask for them to check if the account has been breached and escalate it if they cannot find out.

  • +1

    anyway to find out if I was among the initial 10000 leak?

    • I'm told there is a clear web site for a "breached data forum"… I'm sure if you google you will find it :)

  • +2

    As an FYI for those intending to replace their license and seek reimbursement from Optus: based on a discussion I just had with an Optus rep any reimbursement for replacing your license etc will be by providing credit on your optus account, not via a direct payment.

    I just closed my final service with them and said I'm not interested in reimbursement and will require direct payment (which I'm sure they'll ignore).

    Did some googling around and couldn't find confirmation of this, but I believe the recording played when I was on hold said this too.

    • +2

      Wow, reimbursement via credit on your bill is NOT paying for the new licence. I haven't had an Optus account for many years, yet I was notified of the data breach via email from Optus. How are they going to compensate me?

      • +1

        They won’t. All customers past and present will be notified of a breach. Only a relatively small number are considered impacted. I’m a current customer and as I haven’t been advised I’m impacted, I can’t claim anything being offered.

        • That is complete BS. These arsehats did not even have safeguards against a basic hack, how can you trust their claim "your customer records weren't impacted". I would get that in writing.

        • I’m a current customer and as I haven’t been advised I’m impacted

          Time to buy a lotto ticket.

    • Just adding to this comment that I've noted that Service NSW's website for replacing your driver's license number has now changed so it directs you to the Replacement Application instead of the form seeking a Replacement Driver Licence/Customer Number.

      I believe the wording has changed too, but couldn't find a cached version of the page.

      • do you know what's the difference between those forms? it's confusing.

        • Fraid not. I was trying to figure out exactly that.

          Unbelievable that Optus has been able to alter the services available to citizens in this way (this was the reason given by Service NSW for not processing forms). + Service NSW is denying us one of the few means available to reduce the risk we're exposed to as a result of the breach + pushing people to accept a second best option by ordering a replacement card with the same license number that was leaked.

  • +6

    A bigger question is why is it so easy to sign up for thousands of dollars of credit in someone else's name. All you need is their name, address, DOB, and drivers licence number. That's it. The ease with which money can be obtained is perhaps a little too easy.

    If a reply paid letter was required to be sent to the household for confirmation before credit is issued, the entire trove of stolen Optus data would be useless for basic theft. I know this would slow down the whole process, and people need their credit now dammit, but waiting a few days wouldn't kill.

    • +1

      same reason why emails about the launch of <latest korean or fruit phone> arrived faster to the entire population of australia than this breach.

      $ $ $

    • +1

      Agreed. Plus why the huge trove of data is needed even in the first place for a $20/month phone line. The cynic in me thinks big data can be sold or used to turn Australia into a police surveillance state.

  • Just got an email that GOMO customers are also affected.

    • Oh FFS this just gets worse and worse. Can you paste what the email says please?

      I just contacted Gomo and they said Gomo customers weren't affected:

      Thank
      you for contacting us / visiting us today. Just to inform you this incident of
      cyber attack it was shut down as soon as it was discovered. Our teams are
      engaging with all the relevant authorities and Organizations to safeguard our
      customers as much as possible.
      I’ve
      looked at your account, and at this stage I can confirm your GOMO account it was
      not impacted by this incident. We’re in the process of evaluating accounts, and
      will contact customers who have impacted. However, I recommend staying extra
      vigilant

      “I’ve
      looked at your account, and at this stage I can confirm your account is not
      impacted by this incident. We’re in the process of evaluating accounts, and will
      contact customers who have been impacted. However, I recommend staying extra
      vigilant at all times. Nothing to worry about Our Optus/GOMO services remain
      safe to use and operate as per normal.

      uhhh
      You at 15:04, Sep 28:
      but i haven't given you any information about my account
      You at 15:04, Sep 28:
      i don't even know my gomo mobile number
      You at 15:05, Sep 28:
      so Gomo customers weren't affected?
      You at 15:05, Sep 28:

      Yes that's right.
      Kristine at 15:07, Sep 28:

      • gomo website has banner link to the news on Optus website:https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack

        Has the customer data of Optus' other brands and partners that use the Optus network such as GOMO, Coles Mobile, Amaysim and Catch Connect been impacted?
        Unfortunately some GOMO customers may have been impacted. We will get in touch with all impacted customers over the coming days.

        Amaysim, Coles Mobile and Catch Mobile customers have not been impacted.

      • +1

        “ Thank you for reaching Gomo.

        I’m sorry to confirm that Optus has been subject to a cyber-attack, which was shut down as soon as it was discovered. Our teams are engaging with all the relevant authorities and organisations to safeguard our customers as much as possible.

        Yes, Gomo customers are also impacted.”

        Supposedly not impacted at this stage

        • +1

          What a fustercluck

    • so roughly in 2 months we going to be "living with data breach"?

      • Only once 95% of us are vaccinated against phone viruses

    • +1

      We are all in this together

      Will they quarantine those affected by the breach

  • -2

    I hope Optus goes bust.
    I've always been a Telstra customer and I was silly enough to touch Optus for a prepaid Sim to take advantage of a Telstra deal well I won't be doing that again with Optus

  • Got a email from Optus/GOMO

    Dear X,

    It is with great disappointment I'm writing to let you know that GOMO, powered by Optus has been a victim of a cyberattack. As a former GOMO customer this has resulted in the disclosure of some of your personal information.

    No financial information or passwords have been accessed. The information which has been exposed is a combination of your name, date of birth, email, phone number and/or address associated with your account. No ID document numbers or details have been affected.

    Upon discovering the cyberattack, we immediately took action to shut it down to protect your information. While our investigation is not yet complete, we wanted you to be aware of what has happened so that you can be extra vigilant at this time.

    We are currently not aware of customers or former customers having suffered any harm, but we encourage you to have heightened awareness across your accounts, including:
    Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
    Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
    Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
    If people call you posing as a credible organisation and request access to your computer, always say no.
    You would have seen we announced this first in the media. We did this as it was the quickest and most effective way to alert you and all those impacted, while also communicating the severity of the situation through trusted media sources.

    For the most up-to-date information and FAQs, go to optus.com.au. If you wish to speak to us, you can contact us via the GOMO app.

    We apologise unreservedly and are devastated this could occur. We are working as hard as possible with the relevant authorities and organisations to ensure no harm comes from this unfortunate occurrence.
    Sincerely,
    Kelly Bayer Rosmarin
    CEO, Optus

  • +1

    Here's the wording of the message on Optus' customer help line confirming they intend to reimburse license replacement costs via account credit:
    "…We will be in touch with specific guidance over the coming days if we consider there is a need to change your driver’s license details.

    When we get in touch with you, we will place a credit on your account to cover the replacement cost, if any. We will do this automatically so you will not need to contact us."

    (this was the customer retention line. No idea whether this applies to people without an active account)

    • +1

      What about replacement passports for those that only used those I wonder. I’m not a current customer.

      • Govt has sent a letter to Optus about passports.

        • +1

          What about the overseas passport?

  • +2

    They got me. I managed to login into one of my dummy emails and received this and several scam emails today:

    We regret to inform you that you have been a victim of identity theft. Your identity and consumer credit files were compromised during a data breach where millions of user profiles were exposed to hackers and used in an identity theft scheme now uncovered by federal authorities and Interpol.

    Steps have since been taken to mitigate the issue.

    The offenders have been prosecuted and ordered to pay a substantial settlement in which you are eligible to receive a portion of. You are eligible for reimbursements of false acquisitions, compensation for potential impact on your credit, and any additional claims you may make.

    It looks like they are starting to use people's data already. Our data has already been sold. RIP…

    • Who sent you this this email ?

    • +1

      pretty much everyone in Australia is gonna start receiving spam like this

    • Were you one of the 10,200 who’s info was leaked? It could be that this email account been compromised elsewhere.

      Not saying that this wasn’t a part of the Optus data leak, but it seems premature to think it came from that just because of spam emails.

      • +1

        To check if the email has been compromised and where that compromise occurred use https://haveibeenpwned.com/

        • +1

          Yea exactly, if the email has already been pwned then more likely this spam email is from a previous hack. If it’s cleaned then it would be good to know if you were part of the 10,200 or not. Even if you weren’t, spam email can come from lots of places unless you absolutely do not use this email anywhere other than Optus.

    • +1

      Are you hoping to collect a 'portion of the substantial settlement'?

      It's a scam. There's no way your data has already been used and the culprits caught and prosecuted and are paying 'a substantial settlement, of which you will receive a portion'.

    • Received this exact same email today with my first name both in the subject heading and the email itself. I reckoned it's my first time seeing a phishing email with my name in it. Having said that, my name is also in the email address itself so it wouldn't have been too difficult to figure that out.

      How do I find out if I am part of the 10200 whose data was leaked online?

      • I can PM you the link for you to check.

  • +2

    Optus are so hopeless they couldn’t even get our notification of the data breach correct.

    We left Optus about two years ago and soon after started getting monthly outstanding payment demands for $31 addressed to Betty. Did the monthly dance with them for many months - ‘we’re not Betty, don’t know who Betty is, and we don’t owe you money, our account has been closed’. We even joked about paying it as we were wasting so much time every month dealing with it. Haven’t received anything for a while until last night and we were notified that Betty had her data breached. We have no idea what our data breach looks like, only Betty’s.

    So if your name is Betty and you’re wondering where your email is, none of your document IDs were impacted. Hopefully Optus haven’t already screwed your credit rating by somehow linking your account to ours meaning you weren’t notified you had $31 outstanding.

  • I never had any plan with optus. However i had Amaysim plans for awhile, then port to Boost last three years.

    Then i got an email of victim of crime!

    [quote]
    It is with great disappointment I’m writing to let you know that Optus has been a victim of a cyberattack. As a former Optus customer this has resulted in the disclosure of some of your personal information.

    No financial information or passwords have been accessed. The information which has been exposed is a combination of your name, date of birth, email, phone number and/or address associated with your former account. No ID document numbers or details have been affected.
    [/quote]

    I am abit confuse here. How come amaysim customers like me got tangled in this?

    So i applied for vicroad license replacement but i never got email confirmation from vicroad yet?

    Hmm!

    • +1

      Most people feel what Optus CEO informed to the public could have some misinformation. However, in your case, since none of your ID documentation or details were leaked, not sure why you want to change your driver's license. Is Optus offering free license replacement? Or, you believe Optus is still investigating the impact and could send you another e-mail later on revising the hacker(s) managed to obtain even more information than they thought?

      • +3

        She needs to be jailed surely. There has to be repercussion on corporate management who are used to getting millions dollars paychecks.

    • No ID document numbers or details have been affected

      FYI, this means you don't need to get a VicRoads license replacement.

      • Lol…. I spoke to vicroads last friday. Vicroads is recommended to get license change when vicroads contact me back regardless what optus stated in that email.

        • -1

          If your license number wasn't leaked, there is no reason to get new license.

          • +1

            @cerealJay: that depends on whether you have faith in optus to accurately determine whether your data has been breached. i get the impression they have nfi.

            • -1

              @c64: Of the 10k Optus users who were part of the released data so far, a bit over one third had drivers license or other ID details recorded. That has been confirmed. "ID document details" data object was completely missing for the remaining two thirds of the 10k users in that leaked file.

              This means it's highly likely that Optus could easily determine which of the 9 million users had the ID document object against their record. Apparently it's about 2 million customers, including me.

          • -1

            @cerealJay: Wow you are just as blind as a bat, you believe whatever optus says!

            The fact is i love to believe my details didnt leak as the email stated.

            I had a phone call, call my name out and said my bank home loan is overdraft. The fact is - luckily i just login into my bank and check my council rate payment. Then i question the person which banks acc are we talking about. He said westpac. I never had westpac. I hanged up.

            Now u tell me it ok to ignore the changing of lic? Even vicroads recommended?
            Vicroads just email. My lic is confirmed and been flagged.

            • @blackwind:

              Wow you are just as blind as a bat, you believe whatever optus says!

              Er, the 10,200 leaked records are freely available - if you don't believe the stats, then download them and look for yourself.

              There are absolutely a majority of records that do not have document numbers associated to them. And what's more, you (and Optus) can trivially see which records stored which ID if any.

            • @blackwind:

              "No ID document numbers or details have been affected."

              Again, this means your license wasn't exposed, and you don't need to change your license. Optus this week emailed affected customers with a second email, confirming their license was exposed. You didn't get this email did you.

              But go ahead and do what you want! Sounds like you are master of your own domain, lol.

              VicRoads are not in a position to give different advice to difference customers on this matter. They will say the same thing to everyone.

              Here is the email I got from Optus yesterday:

              Subject: Update from Optus about your ID document number

              Dear Customer,

              We recently communicated to you that your personal information has been exposed during the cyberattack on Optus.

              During further analysis as part of our ongoing investigation, we can confirm that the licence number on your Driver Licence was exposed. Please note, a copy of your Photo ID was not exposed.

              Please go to vicroads.vic.gov.au for more information and to report that your Driver Licence has been exposed by filling out the online form on their dedicated Optus Cyberattack page. If you've already reported the exposure to VicRoads you do not need to re-submit your details.

  • Did anyone manage to contact Optus? I can not call as its only for optus customer. Tried chat the same.

    How does ex optus customer contact them ?

    • +2

      I'm an ex customer and I managed to get on them yesterday morning.

      Jumped on live chat on the website at 7:45am. An agent joined the chat at 11:55am.
      Basically you've just got to keep the window open and wait.

      • what was your resolution out of curiosity i got the ring around in circles..

        • +1

          I was asking for an Equifax code. There was a bit of resistance, but I got one.

  • +2

    What's the exact point of replacing the NSW license for $29?

    The License number does not change - only the card number changes as I currently understand this.

    Isn't the license number the important piece of information?

    Can someone please let me know? This is a genuine question, I'm not trolling.

    Sorry if it has already been discussed on this thread, I have not gone through all the comments yet.

    • +1

      still figuring out. because service nsw can't get their sh it together even if someone straight up tells them what is the correct way to do it.

    • +1

      The most recent card number is required for DVS checks, assuming the service you're signing up for uses and verifies said checks. This page has more info on that: https://www.equifax.com.au/knowledge-hub/risk-solutions/faqs…

      • +3

        no one is doubting the usefulness of those card number checks.

        there are plenty of services that don't check for card numbers but only driver license numbers.

        the inability to change the driver license number is the problem. talking about just the card number is detracting from the problem.

        • +1

          I agree, I'm just letting OP know what the card number is for. Hopefully there is a solution that works for everyone after all this.

        • there are plenty of services that don't check for card numbers but only driver license numbers.

          They will need the card number now.

          If they aren't asking for the card number, they're probably not even checking the DL number is valid and any number will do.

          • @b3au: well, that's putting the onus on other business to do the right thing… which is kind of how we ended up here in the first place.

            service nsw should pull out their finger and start changing DL numbers last week.

            • @slowmo: If they're not validating drivers licence numbers, then you can give them any number you want right now :)

              A drivers licence won't validate without the card number.

              • @b3au: well, the problem isn't me giving the license number is it? the point is proving it isn't me that registered for a new line or port my own line to timbuktu.

                • @slowmo:

                  the point is proving it isn't me that registered for a new line or port my own line to timbuktu.

                  But nobody can register for a new line without the card number.
                  You need both the drivers licence number and card number to pass DVS.

                  (And a drivers licence on it's own, with or without the card number, isn't enough to port your number anyway)

                  • @b3au: ok, you are making quite a lot of assumptions around the eligibility and the due diligence done for a pass in DVS.

                    at the same time, there's no official statements from anyone in the different industries using these identities confirming that just the driver license numbers cannot be used for fraudulent purposes.

                    what's the point you are trying to make?

                    edit: also: https://www.equifax.com.au/knowledge-hub/risk-solutions/faqs…. verification on card numbers started only 1st sep this year. (again, not all states)

                    it's a bit naive to think that all businesses would have implemented that verification by now.

                    so again, why are we detracting from the problem, which is service nsw inability to do their job of changing DL numbers when told to?

                    • @slowmo:

                      ok, you are making quite a lot of assumptions around the eligibility and the due diligence done for a pass in DVS.

                      at the same time, there's no official statements from anyone in the different industries using these identities confirming that just the driver license numbers cannot be used for fraudulent purposes.

                      If a business isn't even going to verify the license - then you can literally give them any number you want.
                      For a business to verify a drivers licence issued in NSW, you'll need both the licence number and card number

                      edit: also: https://www.equifax.com.au/knowledge-hub/risk-solutions/faqs…. verification on card numbers started only 1st sep this year. (again, not all states)

                      I thought we were talking NSW :-)

                      Anyway, another gateway that isn't Equifax - have lots of documentation on their wiki - https://vixverify.atlassian.net/wiki/spaces/GREEN/pages/2130…

                      Card number is a unique identifier which is updated each time a driver’s licence is re-issued. By including card number in the matching criteria, you can validate that the document being presented is the most recently issued document. This change will help reduce identity crime in Australia.

                      it's a bit naive to think that all businesses would have implemented that verification by now.

                      The September 1 deadline actually comes from the Department of Home Affairs, as per the GreenID wiki.

                      It's been known for months. Heck, years! For example, this wiki page, dated November 2021, says that the card number will be made mandatory.

                      what's the point you are trying to make?

                      Easy - for a licence issued in NSW, ACT, SA, TAS, NT and WA, you need both the licence number and the card number.
                      Without both, your licence won't be verified.

                      And if the business proceeded, you could have just given 12345678 since they don't appear to be validating anything :)

              • @b3au: I activated a new sim yesterday with just a DL number. Qld licenses did not include card number until recently. The mobile provider asked the question if there was a card number or not. Even though my new license includes a card number I ticked no and it happily authorised with just DL number. Appears not everyone has caught up with new rules.

                • @racer1234: Yes. Everyone but QLD and VIC needs card number as well. They'll come onboard next year.

                  • @b3au: They are onboard now for new licenses. Mine arrived early this week and has a card number. The point was that the mobile company allowed me to tick the box that said no card number and then went ahead with the verification based on just DL. There will also be people who had licenses renewed presumably up until 30th August who do not have card numbers so these people have to be catered for for the next 5 years. So yes it will be better in somewhere near 5 years time. Until then it appears that they are not checking whether there is a card number tied to the license based on date of issue and is therefore required.

                    • @racer1234: If it's a QLD or VIC issued DL, then the card number isn't passed through for validation.

                      Even if you entered it - it's not passed on to DVS (but I'm sure if it was Optus it'd be captured and kept anyway!)

                      greenID:

                      What will happen if a card number is sent to greenID for a state that is not on the supported states list?
                      greenID will ignore the card number for any state that is not on the supported states list and continue to send the request to DVS without the card number.
                      https://vixverify.atlassian.net/wiki/spaces/GREEN/pages/2130…

                      Equifax:

                      For VIC & QLD - Optional to capture driver licence card number starting now. If provided it will not be used for verification therefore no impact on matching
                      https://www.equifax.com.au/knowledge-hub/risk-solutions/faqs…

      • Another good resource is here - https://vixverify.atlassian.net/wiki/spaces/GREEN/pages/2130…

        (fun fact, GreenID proudly show Optus as one of their customers…. alongside NAB, UBank, etc https://gbg-greenid.com)

    • +4

      What @rith said seems to be the line Service NSW link and Minister Dominello link are using.

      I suspect they're saying this to reduce the administrative burden on the NSW civil service, but surely it's better to replace both the card number and license number to reduce the value the leaked information has for commiting fraud and to make the apparent 'double lock' of the updated DVS checks as useful as possible. Particularly if the Card Number has been generated based on the license number (rather than being random or sequential) as this has the potential of being cracked.

      It's also weird they're downplaying the breach in a similar fashion to early statements made by Optus eg "most of this information can be found on people's Facebook pages/google etc." This definitely wasn't true for myself prior to the breach (and I doubt it's true for the majority of others).

      I also have been thinking about how we've been advised to look out for suspicious activity: Well, one thing which is odd is how NSW was one of the few states that already had provisions to replace license numbers prior to the breach, but are one of the only states refusing to do this at the same time as our former premier happens to be part of Optus' executive team link.

      🤔

      (How's that for suspicious activity? 😂)

      • if anything, the take away from this event is that if you (as a resident in nsw), think the govt body will be helpful and do good by you, just ask anyone who was affected by this optus breach and tried to get their license number changed.

      • +1

        Yes, when they advise you need not bother them with a query, because only one of your government issued identifiers was compromised, it is a lie.

        Not half a lie.

        Two Gov IDs compromised may be able to produce a larger impact in some cases, but that's the only difference

        • Absolutely!

          Frustrating to see how many people in NSW are buying the justification. Particularly as the unwillingness to act is just putting 500K people at higher risk for the sake of it being easier and cheaper (I assume).

          This paper sums up the strategy well:

          "…From the data observed, having the ability to permanently change the identity credential compromised would prevent repeat victimisation for that individual, hardening them as a target, thus increasing effort for the criminal to gain as much from an individual victim, and prevent them from having ongoing, relentless access to that victim using their identity…" (p.96)
          link to source

          The argument that the DVS provides a 'two-lock system' only makes a difference when both of those keys are secure. The driver's license numbers of those impacted by the breach means one of those keys will be effectively publicly available (alongside all the other personal information that can't be changed).

  • I just had a look at potentially what information was exposed via the account contact detail api. I can see my old drivers licence number there, however the number appears off by one - does the final number increment with each renewal? I assume that even old licence details expose you as the new renewal date can be inferred based off the old?

  • Why is the huge trove of data even needed in the first place for a $20/month phone plan?

    Optus is definitely negligent but may have been used by the media as an easy scapegoat when they were legally obliged to collect those information. The cynic in me thinks big data collected can be sold or used to turn Australia into a police surveillance state.

    https://www.sbs.com.au/news/article/why-human-rights-groups-…

    • +2

      Dutton the main architect. I think the totalitarian law passed before his election loss.

      https://www.smh.com.au/national/new-asio-law-one-more-step-t…

      • +1

        As poor as this is, the really scary thing is that the overwhelming majority of the parliament went along with legislation that made all of us, and the country, its institutions, and even government, vulnerable to the simplest of attacks.

        All the idiots that voted for this should be confessing to obtuse levels of stupidity, and willingly attend re-training camp for >6 months. And never be allowed anywhere near public service again.

        • Yeah mate, it erodes our democratic institutions but most of us are unaware of it. Optus got thrown under the bus for what is essentially a legislated requirement

          • +1

            @xdigger: Not sure anyone significant at Optus has got in trouble yet, though.

            Except Optus shareholders, who lost some value, they might think; temporarily. Mostly the same shareholders who were the ones that appointed the board, who were the ones who chose to save money and not bother setting up their core management systems even half right.

            And then, chose to leave it as is, poor, broken, and vulnerable to all kinds of abuse. For years and years.

            Add to that poor development practices: Not one person in Optus managed to raise a case to enhance the security of PII, or the awful practices that created this entirely avoidable mess.

            This is not a case of a developer making a mistake. Such things are a matter of time when you have no controls, no checks. When you have no security… well let's just say it is amazing it didn't happen earlier.

            But it is a textbook case of IT Managers, Risk managers, Security team, Chief execs, all of them with their heads in the sand, ignoring waves of risk from critical brand impacts, customer impacts, Oz business, political and National Security impacts.

            Now… How many Telcos have we got in Oz? Who else holds PII on their customers and is not doing so safely, or deleting that which they do not need? You may like to think these corporates are all on notice to clean up their acts, but this won't change much for the better. The solution they are already legislating involves sharing more PII with other corporates, whilst not informing the consumers that are affected. Little to nothing will actually prevent it from happening again.

  • +16

    I left Optus couple years ago because I was unhappy with their services. They didn't leave me alone! Now they leaked my personal details in what they claimed a sophisticated hack…

    I wrote a small tool to check if a mobile or email appeared in the already published 10.2k records here (Moderator doesn't allow me to post this as a new forum topic):

    https://optus10k.ducn.co/

    I'll just post here what the guys on "that" forum talked about how the data got leaked

    Brilliant!

    • There's a minor mistake, after entering an email address, it returns:

      You mobile or phone was NOT FOUND in the public 10.2k records. This doesn't mean you're safe

      I'm sure if you read that you'll see the error.

      BTW, thanks for making this. I couldn't be bothered trying to get the 10k records, and also frankly don't want to be downloading such data. I guess you had to download it though to make this tool!

      • yeah, those data is only a few google search away…

        • Thanks for fixing that minor issue I mentioned in previous post :-)

    • thanks, mate!

    • nice work mate, I was just going to write something. Glad you beat me to it :)

    • Thanks for doing it! Feel a little bit better now.

  • https://7news.com.au/technology/optus/optus-reveals-thousand…

    Now they are saying there's nearly 37000 medicare numbers leaked? where is this coming from? it doesn't add up. I thought only 10,200 got out

    • +1

      10,200 out of 9.8 million records were leaked by the 'hacker' to show that the data was real. 37,000 is the total out of 9.8 million.

      • +1

        Only those 10,200 are entitled to anything from Optus. They are happy to take the word of the hacker the rest has been deleted. The risk is all ours unless we pay for updated ID ourselves

Login or Join to leave a comment