Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API

Related Stores

Optus
Optus

Comments

  • +1

    I only joined these SOBs 3 weeks ago. I was waiting a month so I could jump onto any JB HIFI $400 giftcard port over deals which is my annual ritual.

  • +1

    The data has already been posted online and confirmed, it’s for sale. GG

    • +2

      Source?

    • +2

      Maybe Floptus should buy it back haha

  • +2

    I've noticed over the years that when these things have happened it's not because there was a fiendishly clever genius nerd able to penetrate the best security systems on the planet. It's because some IT security dumbf*cks are using a ten year old version of a program. I doubt that is the reason here - say it ain't so, Joe, although why wasn't all sensitive Optus data encrypted?

    • +1

      It's pretty much confirmed by reliable sources that human error at Optus, and a general culture of neglect and failure at Optus led to this breach.

      Apparently the hackers didn't even need to authenticate (break in), because the API was open, and they just needed to spam the endpoint millions of times to receive unencrypted customer data. Which is the worst outcome for Optus, because it reveals their staggering incompetence.

  • +4

    Does this mean we can terminate our contracts without paying out half the remainder?

  • +15

    If you've ever used any website or any major service online your info has been breached multiple times by now through the hundreds of breaches that have happened over the years.
    Major companies will be upfront about data breaches but smaller places won't bother to tell people or might not even know.

    As expected when we moved to relying on online profiles, everyone's addresses, phone numbers, names, email addresses and passwords for the sites that have been hacked are all available on data dumps. All someone has to do is go through the lists and start matching info for any missing pieces.

    The best thing people can do is to assume your full bio is out there and do the following to prevent further issues:

    • Use password generators for unique passwords for every site they log into.
    • Password manager to keep track of the passwords
    • Use 2FA where available
    • Make sure your mobile service has a warning or confirmation required prior to porting of a mobile number to another sim
    • Check your credit report using Equifax or similar every 2 months for unusual activity, attempts for credit card applications etc
    • Use a bank that gives you instant notifications of login attempts and notifications of charges to your accounts or transfers.
      I'm embarrassing for my friends who still have to log onto their bank account to see if I've transferred them money or to check when money has been removed from their account.
    • Keep on top of common scams by following sites like Scam watch or following youtubers like Jim Browning
    • +1

      Have absolutely no idea why youve been negged, everything you have written is correct. It truly is "Ozmoron" now.

      • +1

        I was confused as well. Maybe people don't like to believe it?

        I'd be keen to get a reply from someone who negged it if I'm wrong somewhere..

      • +1

        I believe this was edited. Started with "not a big deal" or along those lines. I kinda think having 1 in 3 Australian's data stolen is a big deal!

      • +8

        It's because he has no clue how much worse driver licenses and passport data theft is ;)

        It's completely different from the general rubbish he is going on about and password managers and 2FA will not have prevented this theft nor will it protect from the identity theft that can happen with drivers license and passport details stolen :/

        Ozmorons indeed ;)

        • +3

          Yep. It goes beyond online. Passwords can be changed, but drivers licenses, passports, date of birth, addresses? The data released here can ruin people's lives and is very valuable to the right (or wrong) people.

          This is a huge problem. Millions of people have been exposed and there is nothing most of us can do about this now.

          • +1

            @m34nstav: Put a 21 day halt on your credit report … It's the fastest and safest way to deal with it ;)

            That is what should be in the first post, not rubbish about password managers that would do nothing in this situation!

            • +2

              @7ekn00: I've partially dealt with credit card fraud before, but what happens after 21 days, lets say 6 months time, they open up accounts randomly under people's names? My drivers license and DOB did not change, nor will they ever. I imagine many people will find out in the future as they go down this list and continue to do it to millions of people, even if only 1% stick that is a LOT of victims.

              • @m34nstav: Can extend the block, etc
                Just means you have to be a little more calculating with credit applications :/

      • -3

        Oh well. Can't help everyone. Especially if they don't want to r we a whole post because it's too long

        • +3

          Not the length, it's lack of relevance to the actual situation :/

          How does your response help protect people from identity theft when actual drivers licenses and passport details are stolen?!?

          • +1

            @7ekn00:

            Make sure your mobile service has a warning or confirmation required prior to porting of a mobile number to another sim
            Check your credit report using Equifax or similar every 2 months for unusual activity, attempts for credit card applications etc

            Those steps are for helping with identity theft and people using the data from the Optus breach to illegally port your number to get around standard 2FA security or apply for credit cards in your name.

            • +1

              @Herbse: And that stops the thieves from applying for new credit / loans in a persons name how?!?

              WOW! you didn't port my number, but you have taken out 4 home loans and 12 credit cards in my name!! BRILLANT advice!!

              You do realise they use the drivers license / passport with THIER number for new credit RIGHT?!?

              But you keep peddling the relevance ;)

              • @7ekn00: This is my concern. I have a business that requires credit so any halts on my accounts are not really possible, it would restrict my income and business. I would not notice fraud attempts until it was far too late.

                I am fairly concerned about the future impacts on me personally. My family is partially impacted too.

          • +1

            @7ekn00: What gets me is they specifically asked why they were negged, then say "Oh well. Can't help everyone."

            Brilliant!

            • -1

              @m34nstav: Because they claimed my post had nothing to do with the Optus breach and only about password managers.

              Amazing!

              • +3

                @Herbse: No, you originally wrote "not a big deal" in your post then edited it to a diatribe about password security when it is irrelevant and about personal data theft, not password management

      • Probably victims of Jim Browning or Kitboga.

    • Make sure your mobile service has a warning or confirmation required prior to porting of a mobile number to another sim

      How do you check that

      • Probably call the provider and ask. Most of them do offer an SMS confirmation. However I have seen an incident where someone on an Aldi plan got ported without the confirmation because the jacket used another Aldi Sim to steal the number. Apparently Aldi don't require confirmation when going to another Aldi Sim.
        So check on that too with your provider.

    • +2

      If you've ever used any website

      Ridiculous comparison.

      We don't provide websites with date of birth and driver's license number. And those websites don't then store those details for years even if the customers leave, in an online accessible database, unencrypted. Why are you trying to frame this as "just another website breach"? It's not even close.

  • +1

    why does optus need peoples passport and drivers license numbers? am with telstra and pretty sure ive never handed over those types of details to a telco before…

    • +1

      if you're signing up to a plan, you're entering a financial contract with them. Like same day loans, you are paying off the cost of your phone and your plan on a pay back contract.
      So they take your identification details to use for debt collection if you ever decide you don't want to pay what's owed to them.

      • +1

        “if you ever decide you don't want to pay what's owed to them”
        That could be me after this #%*^ up

      • pay back contract.

        Um… I had no such "pay back" contract with Optus. I had basic month to month internet until I decided to leave Optus in 2019 because their service was crap. I owed them nothing when I left, but they kept all my details including home address, drivers license etc in an online database, unencrypted, now leaked.

        Please stop channeling your inner Optus CEO with her downplaying deflective nonsense.

    • +1

      When I joined Telstra 2 years ago they took my DL details to signup at JB. Also when I sold my business a couple months ago, transfering ownership of the business account with Telstra, the new owner had their DL details taken at a Telstra store. This is fairly standard for any contract.

  • https://www.news.com.au/technology/online/hacking/aussies-of…

    The breach is thought to have been launched through a weakness in Optus’ firewall and affects both current and former customers

  • +12

    Looking at the press conference of the CEO… what the hell is up with "we've done everything right, we've alerted the media, the authorities…"?
    If you did everything right, we wouldn't be in this mess.

    • Get rid of Ms Bayer, but dont forget today's corporations are an IDENTITY likeable to a prson, so the employees even CEO are NOT responsible for the acts of the corporation

  • +1

    Quick everyone, change states and get your new drivers license!

    • +7

      I'm currently in the state of disbelief and it will take a while to change states…

  • +2

    My comment is going to get buried. But 2 things:
    1. Data breaches can happen to anyone even if a company takes utmost care and puts policies in place. These days systems have gotten difficult to hack but all it takes is 1 employee reusing their password or losing their device while logged into their optus account etc. Slowly but surely hackers get access to data.
    2. I used to work for Optus and I built a new feature that encrypts your licence, passport, personal details and only unlocks them with a face scan in the app. This feature is still in beta phase although its already been rolled out to customers and in stores. Hopefully Optus pushes all teams to use this feature to store and retrieve user data that way even if a breach happened the encrypted data would just be gibberish text.

    • Though data breaches are much more likely if the company has not supplied proper resources to their security team.
      It'll be interesting to learn how this breach happened. Assuming we get the full story eventually.

    • Interesting. Is the encryption key only on our devices?

      • No it's on the server and the device both. Basically end to end. But so far this feature is only implemented in the app. There are 3rd party libraries that offer identity check and they handle the differences between all passports, drivers licenses etc. We went with Mastercard ID for this. If you My Optus App you will see the ID by mastercard button on the For You tab. If you have an Android phone, yours truly built the feature.

        Ideally Optus will implement this feature to encrypt all data in all systems. It can make things complicated but it is a way to protect data.

        • Will you be removing Optus from your resume? I would if I were you.

          all it takes is 1 employee reusing their password or losing their device

          But that's not what happened here, and I think you would know this. Optus wrongly exposed a dodgy API. In other words, your former workplace left a side door open. It's worth adding that encryption is not new. I don't think this is a good time to be bragging about some shiny new encryption you made at Optus. I was encrypting data with basic javascript libraries more than 10 years ago in my hobby projects. And I'm not even an expert in application dev, far from it. Encryption should be the norm, not some "bright idea" after everyone's details are leaked.

          • @cerealJay:

            other words, your former workplace left a side door open

            More like front door.

          • @cerealJay: Haha I'm just proud of my work and I know this is going to be integrated in their systems. It's relevant to the topic so nothing's wrong with mentioning it. I don't own the company and I didn't build the exposed API. You can redirect your frustration at the CEO of the company if you like.

            Also if end to end encryption was a norm that you "did 10 years ago before it was cool", what's app took 2 years to make itself end to end from 2014 to 2016. Skype isn't by default. Snapchat became encrypted in 2019. May be you can send them a hate mail for being late to the party.

  • +1

    Damn.. We (Optus users) are now going to be socially engineered and our accounts locked out. This is VERY BAD.

    • Not if you close your accounts and move to a different telco. Don't stand for their crap. vote with your feet.

  • +1

    Having worked in one of the telcos data warehouse systems, you can literally have access to all the customers accounts and their info. But in the last few years or so, data masking of sensitive fields were implemented so that no unmasked data field can be attributed back to an entity . But still, if you have access, you can still see all that.

    NVMO data are usually geofenced in their own data marts, which most people would not have access.

    Whilst no longer working there , I still remembered anyone could, including vendors from India could have download the whole customers database if they so wanted.

    What happened here I am surprised this did not happen sooner.

    • What happened here I am surprised this did not happen sooner.

      So far, i haven't heard about when this happened, how long it has been going for. All i have heard is when Optus became aware of it.

  • This is going to end up quite bad for the customers.

    • +1

      But not for Optus management. Sure, some low level lackey might be fired, but the board of directors will still pocket fat bonuses.

  • +6

    I find out A DAY LATER THAN THE ANNOUNCEMENT in the form of an OZBARGAIN THREAD.
    What a woeful level of incompetence that they couldn't send out a text or email to their customers notifying them of the breach.

    • I got an email 1.54 today

      • Funnily enough, so did I.
        A whole day late and approximately 4 minutes after I was in a live chat asking if my information had been compromised.

      • Was this the email you got?

  • I used to be a customer with them and then ported out, I wonder if they still have my data as part of this leak… Probably, right?

    • Yes.

  • Anyone know why they kept those details?

    • +3

      So they could sell the details to third parties and call it a "hack" ;)

      • Sadly plausible.

        Details are emerging that the "hack" wasn't even a proper hack. Password access wasn't even needed. Optus are hoping people don't understand, and are trying to frame it as "Optus is the victim". The truth looks more like that Optus is a victim of its own incompetence.

        And the CEO said "much of the information is stuff you share on Facebook anyway"… LOL, I didn't know you can just click on someone's Facebook profile and see their DOB, home address and phone number among other details.

    • Been calling round to find an alternative to Optus. Vodafone told me they keep the same ID document number data in case they need to do another credit check past the initial sign up. I asked why they would need to do this, and basically they run one anytime you change/upgrade your plan or services.

      So, essentially they are all keeping this data so that they can quickly sell you new products. Saves them time from processing and ID check, and stops you from not bothering because it is too much effort to resupply ID each time.

      Security breaches are just a matter of time. Optus was just the first. Any of these telcos (and it seems to be the done thing) could have been hit with the same result.

      • Optus didn't even have the right licence number for me, can't be too important.

  • +2

    Apparently the data goes back to 2017 because Optus is required to keep identity verification records for six years.

    But I'm a bit confused, wouldn't six years data mean it should date back to 2016?

    https://www.theguardian.com/business/2022/sep/23/optus-cyber…

    • They may have changed systems. For what it's worth I was a customer since then and wasn't impacted so it's possible it's less than the quoted number.

  • +3

    Well. I’m speechless.

    An update:

    'Human error' emerges as factor in Optus hack affecting millions of Australians

    https://www.abc.net.au/news/2022-09-23/optus-hack-likely-res…

    • +3

      Even the explanation given in the article is stupid. You don't load 9 millions of records in test, and you can always anonymise the data. Heads should roll.

      • +6

        Apparently they didn't load prod data into test, but instead gave a test server access to a prod API….and that test server was accessible to the public. Big ol yikes.

        • @ShouldBuyIt, yea agreed….. should never be testing with prod data; they should be obfuscating/masking the data for test purposes.
          And they should be fully isolating prod and non-prod systems. The minute they connect a test system to prod it makes that prod system vulnerable too. A complete screw up of their design and architecture principles.

    • +1

      Systems don't become vulnerable on their own.

      IT databases aren't a natural phenomenon so it was always going to involve a human making a mistake somewhere in the chain. Access through a weak API is not really surprising.

    • +2

      Well. I’m speechless.

      The error isn't the programmer. He/she will be scapegoated. The error is lack of security, system design and sign off processes. Blame those humans. The ones responsible. How the hell can a test network be exposed to the internet? Which clown signed off on that?
      I work for a major organisation… dev, test, preprod and prod all get their own security assessment and are all monitored for compliance.

      • The headline of that article (human error) doesn't match the description (it was all available through an api lol)

    • +2

      I could name a few major breaches where it was down to human error. I.e. an old unpatched server was switched on because the UPS brought it up in a power outage when it should have been disconnected.

  • +2

    Can a hacker apply for a substantial loan with my details and then disappear? Can we sue Optus for losses if such an incident happen?

    • +6

      Absolutely. There will be legal action from various solicitor firms notorious for this kind of thing and rightly so.

      I am fairly furious at the lack of data integrity from Optus. If anything impacts my business from these leaks I will come after Optus for damages, absolutely.

      • +3

        I am fairly furious at the lack of data integrity from Optus.

        I wouldn't be surprised if a lot of Australian organisations have poor cyber security practices to be honest, e.g. the big banks.

        A big part of cybercrime is social engineering (e.g. phishing), if you've ever worked for a large organisation of say, 1000+ people, you'll know stupid people exist everywhere.

  • from the CEO 4h ago

    • +1

      The quality of that youtube clip is as good as their world cup coverage.

      • +1

        tbf they are using Optus internet

    • +4

      Optus CEO Kelly Bayer Rosmarin says the company's data breach was attributable to a "sophiscated" cyber attacker rather than the company's security competence.

      Is the hack because Sophie skated?

      • +2

        Tbh I didn't watch pas 2min.
        Did she really say that? Barely sophisticated when the test server was open to the internet.
        She was probably too busy buying her mansion for $15M overseas and selling her property for $3M. Rich problem hey.

    • +1

      Seems to have been removed now.

      • +1

        That's odd. They made it private. Something's fishy

  • +4

    Any still using Password1 as their password please change it now. :)

    • +5

      Thanks. Changed to welcome1

    • +2

      Thanks for the heads up. Changed it to : abc123

    • +4

      It's all good. My password is hunter2. So it should be safe. Can't think of anywhere else on the internet that would have that password.

      • +1

        That's weird, your password only appears to be ******* for me.

    • Why? The last thing the hackers care about is logging into your stupid Optus customer account.

  • +1

    my number was in a data breach last year, and I've received a number of scam calls but the number of scam calls drop quite recently. now my number joint the Optus data breach party again and I've started to receive more scam calls today and probably even more afterwards :(.

    • as you are "associated", how can we check whether are we in the list if we are former customers ?

      • I tried calling Optus. The CSR could not help me (could no longer pull up my account since I am an ex-customer).

      • I got an email from Optus yesterday confirmed that my personal data has been compromised :(

  • +8

    Quite disappointed with the way Optus handles this.

    • No easy way to get more information for customers and ex-customers (especially ex-customers, the is zero mentioning of those will be contacted).
    • CEO playing down information stolen saying that information has no financial impact (because password is not stolen). It is possible hashed passwords are stolen, it is just you cannot reverse hash to get the actual passwords.
    • Why allow test server(s) access to REAL production customer data? Optus should address this issue immediately.
    • Because it is test environment, it has less security measure. That is Optus' excuse? For a telco, that's irresponsible.
    • +6

      "no financial impact" - but enough personal information stolen to perform identity theft (which could lead to financial loss)

    • -1

      While I think Optus account passwords are largely inconsequential compared to the DL/Passport data + personal info.

      But it's trivial to "reverse hash" by brute force and there could be a huge amount of low hanging fruit passwords ie. any alpha-numeric passwords under about 9 characters in length.

      Assuming Optus use salt and the salt value wasn't part of the leak, would make this harder though.

      • -1

        Hashes are one way and cannot be 'reversed', by brute force unless you have a spare 1000 years on your hand

        • -1

          No, they can easily be reversed by brute force, it can be done within seconds like I said with weak passwords.

Login or Join to leave a comment