Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API

Related Stores

Optus
Optus

Comments

        • Optus must be pretty dumb to take the word of the hacker.

    • +1

      I thought only 10,200 got out

      All the data is "out" - the 10200 is just the number of records that have been released to the public so far.

  • Anyone get an email saying "It is with great disappointment I'm writing to let you know that Optus has been a victim of a cyberattack that has resulted in the disclosure of some of your personal information. No financial information or passwords have been accessed. The information which has been exposed is a combination of your name, date of birth, email, phone number and/or address associated with your account. No ID document numbers or details have been affected."?

    When I called up Optus they said they checked my two accounts and none of them were compromised, but this email I got instead was a 'generic' one. But only one of my accounts got sent this email and it doesn't sound like a generic email if they state "disclosure of some of YOUR personal information". So don't even know if they know which accounts are compromised or not.. super confusing :/

    • +2

      Grunts in the basement don't know anything, use the Whirlpool link at the top of this section to check your own details, then assume everything which is listed there is in the hands of the bad actors.

    • +1

      they checked my two accounts and none of them were compromised

      I would assume they meant only the ID doc details weren't compromised - but other info, like name, date of birth, email, phone number and/or address associated with your account, would still be compromised on at least one of your accounts (the account that received the email).

      I received such an email, and this is my interpretation. I have checked using Whirlpool link as @neophytte mentioned - and the info is consistent with the email received. Do that if you can, on both your accounts.

      • +1

        Awesome, thanks heaps @neophytte @bluesky — I checked out the Whirlpool link and makes it clearer as you guys suggested.

  • A real OzBargainer would be on Boost not Optus anyway ;-)

    • What about optus nbn?

      • +1

        Aussie Broadband or Launtel ;-)

    • What if they purchased the samsung tablet for $16/month for 12 months inc 30gb data?

  • "Australia's Attorney-General Mark Dreyfus has warned politicians to "watch out", after confirming their encrypted text messages on platforms such as WhatsApp and Signal could be tapped by the federal government's new integrity commission."

    Yeah, right. How?

  • I apologise in advance if this has been answered before, but there's 12 pages worth to review.

    Has anybody tried to change their actual NSW Drivers License using the Report Cyber Receipt/CIRS (https://www.cyber.gov.au/acsc/report) and then filling out the Replacement Driver Licence/Customer Number Application (https://www.nsw.gov.au/sites/default/files/2021-09/45065767-…)

    I believe that this is the only way to physically change the drivers license number and not the card number.

    There is alot of confusing information out there as most links to change NSW drivers license is a link to change the card number only.

    I know there is this DVS check which started 1 September 2022, but some sites like CBA online secure ID check only needs the drivers license (https://www.commbank.com.au/banking/online-id-check.html)

    • Yep have tried but serviceNSW wouldn’t accept it.

    • Yeah, tried this and Service NSW wouldn't take it.

      New standards were released this month that require both the license and card number to verify a person's identity (link). So the argument goes that the leaked license numbers are now of no value without the card number - which I understand hasn't been leaked for many customers.

      Tbh Dominello's line that the new system is a 'double-lock system link seems to ignore the fact that the 'key' to the first lock is already out there for those exposed, meaning the new DVA requirements provide no additional security to those affected by the breach - as someone is still only one number away from being able to use your driver license as a form of ID (as they were previously).

      As much as the NSW government is patting themselves on the back for their quick response, they haven't done much in practice as the new DVA requirements were already going to be implemented. Additionally, having Dominello actively advocate against replacing everybody's license is also a convenient way for Optus to minimize the costs of reimbursements by only providing credit to those that had both their card number and license numbers leaked (not everyone). Added to this is the fact that Service NSW is forcing customers to chase optus for any reimbursement (rather than providing the service for free like other states).

  • Received the following message from Optus a few minutes back…

    Cyberattack update: Confirming only the licence number on your Driver Licence was exposed, not the card number. Your State or Territory government will provide advice on any action that you may need to take via their website.

  • Is it true that Optus has emailed the people who were part of the 10,000 records published online? As in a new email.

    Read it on the news.

    Also, how accurate is the info on those API's we could see when we logged in? As in, is that really the info that got hacked? Just trying to figure out that my license was out. It wasn't on the API.

    Thanks

    • +2

      You might like to read the Whirlpool post from about here: https://forums.whirlpool.net.au/thread/3z4yl2qw?p=368#r7358

      The info in the API was not a complete reflection, as it was calling a different API, similar, but not exactly the same. Personally I'd be looking at replacing any document listed in there for peace of mind, but YMMV.

      If there are 10 million records out there, your chance of being picked by the hackers is quite small, so you may or may not want to do it promptly - there is also a wiki on Whirlpool which is quite well updated: https://whirlpool.net.au/wiki/optus_sept_2022_breach - it's a long read, but worth it.

      HTH!

      • The API didn't have my license, passport or mobile number but I know they have my mobile number since they have texted me before about my account (1.5 years ago). The email they sent me said "no id's were leaked".

        So still have some level of doubt if the API was accurate. Will read the links. Thanks for the info!

  • +2

    Given my license data was only given by phone to a human in Philippines, as optus didn't have it prior, then i reckon its a call centre download of data in Philippines or india. Both well known scummy scammer countries.

    The manual entry of stuff to a third world country person was concerning to me and appears to have been well justified.

  • Has anyone registered with Equifax using the Optus code? To create an account in Equifax they are asking for 2 identity documents… After getting burnt by Optus, I am just wondering if Equifax is safe enough to trust.

  • Has anyone received an Equifax code from Optus without soliciting it from them? I hadn't bothered to get one yet and when I went to use the live chat function it's been removed. :/

    If you want to message instead of calling them, you have to download their app. What a pain! Has anyone heard if they'll be proactively providing the codes or we have to ask for them?

    • +1

      Don't need the app. You can login from your computer browser and chat with them.

      • You're right! I think something must have been wrong with my browser because the "Message Us" button wasn't appearing so I thought they'd removed it. It's back now so all sorted :)

  • Received the below by sms. What's odd is that my driver licence is in VIC…

    Cyberattack follow up: Further to our communications yesterday we wish to confirm that NSW uses a national Document Verification Service (DVS) that means both your driver licence number and card number are required to verify your identity. Therefore, NSW Gov advises you do not need to replace your Driver Licence. Visit Optus website for details.

    • Obfuscating information …

  • +1

    Optus have no idea who was breached. I was okay last week when I called on Wednsday afternoon and today I get the email your drivers license only has been compromised, which is a lie as they also got my DOB, Address and email after speaking with Optus.

    As such do not believe Optus when they say you are okay or only X was compromised as they have no idea and are going off a support script.

    • Downplay to stop potential legal action …

      • More like lulling people into a false sense of security and as per usual Optus support not tell the customer all of the info…. which is why I left Optus years ago and support kept telling me everything was okay and someone would call back, but 9 times out of 10 no one ever called back. The only way to get anyone to call wad to make a formal complaint via the web site (via phone issues were raised)

  • +1

    some noob got busted trying to scam people using the leaked data https://www.abc.net.au/news/2022-10-06/sydney-19-year-old-ma…

  • +1

    It ridiculous that Optus, who is trying to minimise its losses, gets to choose who is eligible for replacement documents at their cost. They are specifically limiting ‘affected customers’ to the 10,000 odd that have had data leaked already. The other 9 million records stolen are considered ‘not affected’ and we all just have to hope for the best for YEARS to come. Pathetic that Optus continues to be allowed to protect its own bottom line at everyone else’s expense and with government support.

    • They are specifically limiting ‘affected customers’ to the 10,000 odd that have had data leaked already.

      Where are you seeing this latest news?

      What about VICROAD's promise to send out a replacement DL in due course if Optus has confirmed that your DL number was part of the data heist (which they have in writing via email)?

  • +1

    What are you all doing if your mobile number was leaked? Are you changing your mobile number?

    My mobile wasn't on the API but these last few days I've been getting scam messages and calls. So definitely it increased after the Optus leak. I'm not on the 10,000 leaked registers.

    • +2

      Yeah, changed my number, updated passwords etc etc.

      Seemed to make sense intuitively that I should make the leaked data as worthless / hard to use as possible. However, when looking for advice from people smarter than me I found this research paper that makes the case for this strategy:

      There are some great points in the paper, but I thought the one below makes it clear that NSW's approach is more about convenience than actually protecting those exposed by the breach:

      "…From the data observed, having the ability to permanently change the identity credential
      compromised would prevent repeat victimisation for that individual, hardening them as a target, thus increasing effort for the criminal to gain as much from an individual victim, and prevent them from having ongoing, relentless access to that victim using their identity….This would essentially render the documents stolen by the criminal useless and prevent them from committing ongoing harm to the identity system and the individual. Such an intervention method would also contribute greatly to addressing the victim’s need for a permanent solution to their recovery from identity crime…" (p.96)

      Source.

      • Yes, I did change passwords and other things immediately. I now have to change the phone better.

    • +2

      If you have an iPhone turn off unknown callers: https://support.apple.com/en-au/guide/iphone/iphe4b3f7823/io…

      • +2

        Still better to change your number if it was leaked, else you will be putting up with all kinds of scams trying to worry you into responding, and worse.

        Also, changing your number makes Optus pay (every little bit counts)

        • My mobile not with optus, not on the API but now getting scam calls. Now looking for another NBN service to leave Optus, would love to change to Telstra but is much more expensive.

          • @Cherry12: It can be our fault too: Every time we give away our number, someone can put it into their computer network, and share it, lose it, compromise it, sell it, send us unsolicited messages, or worse.

            Just makes it too easy for the scammers to profit big time from broad-scale attacks when a honeypot like a gov dept or major corporation allows their database to be exfiltrated.

            But it is often our choice to share. Perhaps change your number while you can, and be more careful with the new one. Beware them allocating you a recycled one, change again within the first couple of weeks if you get spammed on the new one.

      • Can you do this on Android? Or is it exclusive feature?

        • +1

          Try this page: https://support.google.com/phoneapp/answer/6325463?hl=en

          I don't have an Android to test, so let this page know if this succeeds

        • On my phone I can see the option in the settings of the 'Phone' app:
          Settings>Blocked Numbers>Block calls from unidentified callers

          You can also use google's call screening service, but I prefer to not answer at all so they don't know it's a valid number.

          I used a call screening app called 'should I answer' in the past, but it relies on the number having been already flagged as spam by others. I still found it helpful for screening most spam calls.

      • Android.

  • +1

    Optus advised via chat that Medicare and Passport people are still to be contacted. They could only tell me people would be contacted soon. They also told me that If you seek out new ID and pay for it before officially being told you’re not entitled to a refund.

    They also told me they keep chat information for 13 months.

    • More lies. They forgot to tell you how long the backups are kept (7 years- but Optus has demonstrated it doesn't think about deletion).

      Did you ask how many Optus staff (BCP team, IT teams, etc) have access to the network's handling the backup data, oh, and yes, how many working for the third party service providers like their contracted call centres, the IT staff and other third party providers they engage. Go only two degrees of separation and you find all jurisdictional controls are meaningless, and given that PII tends to end up on everyone's backups, stored in line with their own set of rules (or lack thereof), it's not even a duck short of a custardflap.

      Then, ask if any of your PII was ever emailed (behind the scenes, support staff email each other all the time)? Anything that was, will is likely backed up forever and never deleted. Just sits there, waiting for someone to access it and begin querying for IDs.

  • During further analysis as part of our ongoing investigation, we’ve discovered that the number on your Australian Passport was exposed. Please note, a copy of your passport including your image was not exposed.

    The Australian Government is working with Optus to safeguard customers from identity crime, including providing advice on actions you can take. As a result of the government’s rapid response, you don’t need to replace your passport.

    I thought they had offered to pay for new passports? Also using whirlpool guide my driving license also exposed but no optus email!?

  • Only received a letter from Optus yesterday

  • I received an email from VicRoads that they will send me a new license. It will have a card number apart from the DL number.

    • Same here, will be issued by end of year.

      • What expiry date? Same as current or 5/10 years from reissue?

Login or Join to leave a comment