Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API

Comments

            • @bsl: Thanks, the terminologies change over time; this is a first for me, but I do think they should be accountable to others.
              Especially bulk sending out an email to non-affected customers.

              • +1

                @JonSteele: all good!

                I'm personally hoping for a massive fine and heads rolling.

                and yeah, comms has been rubbish.

    • +2

      Do you know if both the "old" and "new" billing system were compromised?
      I have 3 plans on the old system and refused to be moved to the new system where all the plans were more expensive and didn't have the same inclusions.
      Was it the old system hacked? The new system? Or both?

  • +6

    https://www.reddit.com/r/australia/comments/xmcvmi/optus_dat…

    Listing has been put up asking for $1m to delete the data.

    • She wants to stay unnamed but confirmed she is a former Optus customer and that her data is accurate

      That is my main fear: former Optus customers are left in the dark and not contacted by Optus (at least not yet). When you contact Optus as a former customer, the staff are unable to find the data in their "current" system and provide a false negative statement of "unaffected".

      Optus should give the full list of e-mails & compromised mobile phone numbers to https://haveibeenpwned.com/ so we can all check online ourselves.

      • I think they retain data for seven years.

        • Given the incompetence that's coming out about how Optus operates, I wouldn't have any faith that they're adhering to the 7-year disposal schedule. Trying to figure out which data you can legally dispose of is too-hard-basket when you can just keep it all and not do anything instead.

      • -1

        Thank you for the time, I see that your account has not been flagged as a victim of Cyber Attack

        Optus has also notified key financial institutions about this matter. While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.

        Is it a shop-front hack, not a so-called cyber hack?

    • +1

      if the stats in the screenshot are correct, it would appear to be just about every mobile customer.

      https://treasury.gov.au/sites/default/files/2020-09/115786_O… says optus had over 10.2m mobile customers in 2019

      • No, 'cause as stated last night, I'm not affected by the breach. If they are lying now to customers, doesn't that mean further charges? My account has not been flagged as part of the cyber attack.

    • Honestly, it seems like a bargain for the amount of data that is available. Lots of opportunities for identity theft and opening credit cards etc.

      • Yeah, but there's no guarantee they will delete it. I think it's recommended not to pay extortionists.

        • I wasn't answering from the perspective of Optus, I was answering from the perspective of the bad guys. (Of course there's no guarantee they'll release the data to you.)

          • @dust: Agreed. Maybe they don't really have all the data they claim? Dunno.

            • @c64: Could be wrong and spreading false information. From what I know, they released a subset of data and it's been independently verified… there's a larger thread in /r/australia.

        • From experience of smaller amounts for lesser data breaches… I think off the books it will probably be paid and NEVER announced.

    • -2

      Optus better pay this ransom.

      Or all hell is going to break loose.

      Literally enough info to reset online banking accounts.

      • They won't.

        The data is already out there.

        Paying money isn't gonna 'resecure' their data.

        Better off class-actioning Optus.

        • These types of groups generally honour their word. If they don't, they are less likely to get paid in the future.

          If it hadn't been released, it's likely it hasn't been outside of the group.

          PR disaster if Optus doesn't come to an agreement with them. Or at least get into contact with them.

  • Went into an Optus store today and staff were not willing to help. Told me if I had had my data leaked, Optus had already contacted ALL Optus customers by email/text if they were affected. Had to push, but looked at my account with an Optus sales rep in store - only my Driver's Licence is held. Specifically asked for a note to be put into my account refusing ANY porting request, and the rep told me any rep from any company would have to input my OTP, so I would know if my account was going to be ported, or at least a request placed for porting. All kinda dodgy to me - you would think Ms Bayer ve Bayer Suid Afrika would instruct her in-store staff to be proactive rather than dismissing!!!!

  • I went on online chat and I was told my information is leaked, but not secondary information, which I am confused about what secondary information is…

    When I told them it will cost me $15/month to have my credit file automatically monitored, they gave me 24 months of complimentary Optus Sport as long as I stay connected to my plan for 24 months, which will offset the cost of the credit check.

  • +3

    Surprised there isn't much outrage on Ozbargain compared to the Shopback leak.

    While that is a distant memory and mostly forgotten.

    Passports and drivers licenses? WTAF.

    This is illegal under the privacy act to store.

    I mean people are still willing to stay with Optus in this thread

    • I think the issue is Optus shouldn't have been storing ID info like licences or passports on their databases, as I think you're supposed to really only store these as encrypted hashes which can only be unlocked by providing these IDs (using them like a password).

      • +4

        I very much doubt they would have used salted hashes. Maybe passwords. I bet everything was in plain text. Bookmark my comment!

        • Yep, plain text. There are samples of the data available.

    • +1

      There’s a lot of anger on Reddit, under r/Australia. Looks like everyone’s keen to switch away from them and support a class action if there is one. I think because it’s pretty clear that this occurred because of the fault of Optus not adequately securing the information.

    • I mean people are still willing to stay with Optus in this thread

      Mass exodus won't really solve anything though. The data has been taken, if Optus was to go defunct the data is still out there

  • +4

    Just got the dreaded email. Ex-customer, all info leaked.

    • +2

      No email yet touch wood.

      Signed up about 5 months ago

      • +1

        Yeah, I haven't gotten an email yet either (signed up earlier this year).. though Optus chat says my account has been affected, so maybe they're sending them out in order of sign-up date.

    • +2

      Me too mate. Feels bad man.

      I'm probably gonna change my DL number, medicare and Phone no

    • i'm a customer and no emails yet. lol.

      • +1

        I am not a direct customer (and have never been), yet I have received an email from Kelly Bayer Rosmarin about an hour ago.

        The email begins with "Dear There,"
        Should I be relieved they could not read my name from their customer database? Or, most likely their IT team need to hire better QAs.

        • scammers are at it already :)

  • +1

    I am an old Optus customer - I hadn't received an email from Optus. I then logged into my Optus account and promptly received an email telling me that all my ID has been leaked. I'd recommend anyone with previous Optus accounts to do the same.

    • class action these mutherfuqqas

    • Thanks.. I just logged onto my account and it shows my account was cancelled Jul 2021 as it was. There was no information or notification on there to be seen about my ID being leaked. Fingers Crossed.

  • Just received the email.

  • +6

    Time to change my DOB and gender.

    • Bikies?

    • +1

      I finally got mine changed with Muzeeb's help after being on hold for 5 hours

      • +1

        I'm not even entirely satisfied Muzeeb isn't part of this attack. He obviously has a grudge with us after we ruined his week.

        • +1

          That explains everything. Like why muzeeb kept going afk during live chat sessions. It was because he was hacking optus on the side lol

    • Easy enough to change your gender, but changing your date of birth is ludicrous.

  • +2

    Former Optus customer from a few years ago… just got the email. Not inspiring much faith in Optus' ability to manage this as instead of being addressed to "First Name" it is addressed to "There".

    It literally opens, "Dear There," like WTF.

    All info breached apparently. Looks like I need to change my name, DOB, move house asap and spend the next 6 months of my life trying to cancel my passport and waiting for a new one to arrive. Yay me.

    • +5

      hackers probably will get your name more correct than these clowns.

    • Mine says "Hi there"

      • Well at least that means they don't even have your first name on record ^^
        Mine states my name in the greeting

      • At least I now know what they were going for haha. They tried.

    • +1

      Don't forget to change your gender for extra protection

  • +3

    My partner just got the email and it includes the following statement.

    "The information which has been exposed is your name, date of birth, email, phone number, address associated with your former account, and the numbers of the ID documents you provided such as drivers licence number or passport number.

    You would have seen we announced this first in the media. We did this as it was the quickest and most effective way to alert you and all those impacted, while also communicating the severity of the situation through trusted media sources."

    My partner is overseas, so how does Optus expect her to be aware of media announcements? It took them 3 days to inform her via email. I really hope there is a big class action against Optus and they get smashed.

  • +1

    There soon will be more of 'me' in other countries applying for loans in the form of Apple gift cards to pay taxes.

  • +1

    Hahaha get f***** optus

  • +5

    So today I got the dreaded email from Optus that my data was stolen as part of the breach. So if I change my licence number and passport, can I make Optus pay the cost? Or what sort of compensation can we legally demand?

    • Very good point, I'd like to know this also.

    • You can, by going through a claim in a magistrates' court. Don't waste your time lodging a complaint with whatever the complaints office in your state is, as they couldn't care less about it.

  • +5

    Wen Class Action Lawsuit?

    • +6

      I'm sure a legal firm is already busy working it out…

      The result, in approx 2025, will be that they will try to contact every single one of the 9.8 million customers to get as much billable hours charged as possible, then drop the case after Optus agrees to their demand to pay the roughly $20 million dollar legal costs of all these hours with Optus agreeing to try harder next time…. while the claimants end up with zero.

  • +3

    I've not been with Optus for 2.5 years, but still received an email saying my details have been stolen. I'd be really interested in knowing the data retention policy.

    It's very disappointing to say the least!

    • 7 years

  • +2

    Former business customer, got the email as well. Thanks floptus.

  • Run by Singaporeans, not impressed.

    • Really…. So you are telling me Optus before the Singtel merger was better in their IT systems and security? My arse…..

      • Worse, run by the Singapore govt.

        So you won't see Albo waste any political skin in this.

  • +1

    Yesterday I got told none of my data was released. Today, I woke up to an email that said my information etc. has been released.

    Live chat today are saying my information is released. But can’t say which part of my information.

    It’s a shame Optus will get a slap on the wrist for this.

    • +1

      Yeah same here, asked the live chat and they told me that I was not affected. But just a couple of hours later received an email stating I was….

    • Same here. Was told on chat that none was compromised, but got the email just last night the 27th.

      The only good news was that the ID was not leaked, but can you really be sure though?

  • +1

    Left Optus years ago due to their awful service and now cop this. All of my info was taken. Yay. So freaking happy right now.😡
    Evidently, VicRoads website is overloaded with people trying to change their DL number because I can’t even get on it at the moment.

    • Will they even allow new DL for Vicroads without fraud actually having taken place?

      • Nope. Link at the top banner of the website

        https://www.vicroads.vic.gov.au/-/media/files/formsandpublic…

        If you’ve been notified by an organisation that a data breach may have exposed your licence details, but no fraud has taken place, VicRoads will NOT be able to change a driver licence number

        • +8

          Geez, what kind of disregard for security that you have to wait for an incident before they’ll act.

          • +2

            @haemolysis: Never underestimate the catch 22 and circular logic of Vic govt bureaucracy (starting at your local council)

        • There's also discussion about even if they did change it, they apparently don't burn the previous one hence it being still used for further fraud.

          I'm hoping that's a miscommunication.

  • +2

    Will Optus pay for costs of new passports? I don’t have the money to pay for a replacement. They are expensive now! I’m another annoyed former customer.

    What about changing Medicare numbers?

    • +2

      The mfkn company needs to be held accountable and be asked to pay all victims of suffering

      • Except it was the Gov that made them collect it in the first place.

        • The government had asked them very recently about improving their security, not long before the breach. The telco itself refused increased security. The telco didn't say it wants to increase security but needs help from the government to ease the burden of costs etc.
          Instead, the telco said there's no need for any security improvement etc. and it is good enough already.

          So government is NOT TO BLAME for this.

          • @USER DC: Long before that, the government mandated the verification of IDs.

            From what I understand, at the time, both Federal and State govs did not make online verification services readily/reliably available, and the telcos had no choice but to collect the IDs to run an offline verification process.

            That is why the gov is to blame. In effect, they mandated collection.

            Later on, verification services became available via online APIs (another security risk of course). Some telcos used these, but not Optus. Whoops. For the entire board, this is the firing offence.

            The APIs work to meet regulatory requirements by ensuring each account is assigned to an actual citizen's (valid) identity document, using an immediate process that submits the persons details and the government identity number they present, via an encrypted connection to the gov service. In seconds a pass/fail confirms that the applicant is a fictitious individual, or not. The process provides a transaction reference to the telco, so the process can be audited.

            Collecting government identifiers should never have been required for any longer than the verification process requires, except where mandated by a stupid government.

            The telcos were forced to collect to be compliant, they say. But they could have improved their processes and managed stored data better, improved security posture, and reformed their use of PII in line with what is sensible, let alone the law. They did neither.

            <TL/DR>

            All are guilty of creating an environment ripe for bulk identity theft on a catastrophic scale. And the telcos have also failed to secure, maintain or improve systems and processes that have been patently poor and unfit for purpose from day dot.
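The two technical points raised in this thread, that ID numbers should be kept only as something you can match against rather than as plaintext (the "encrypted hashes" vs "plain text" exchange above), and that an online pass/fail verification service returning a transaction reference removes any need to retain the document number at all (the comment just above), are illustrated by the following added example. This is not Optus code, not the real DVS, and not any government API; the verification service, the table of "valid documents", the field names and the pepper value are all constructed for the example. It keeps a keyed HMAC rather than a plain or salted hash because the space of valid 9-character ID numbers is small enough that an unkeyed hash of one can be brute-forced from a leaked table in seconds:

```python
"""Verify-then-discard handling of government ID numbers (added example)."""
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for a government verification service. It is NOT the
# real DVS or any Optus system; the "valid documents" below are invented.
_MOCK_VALID_DOCUMENTS = {
    ("passport", "PA1234567"): {"name": "jane citizen", "dob": "1990-04-12"},
    ("drivers_licence", "123456789"): {"name": "john smith", "dob": "1985-11-30"},
}


@dataclass(frozen=True)
class VerificationResult:
    passed: bool
    transaction_ref: str  # audit handle returned by the service


def mock_verify(doc_type: str, doc_number: str, name: str, dob: str) -> VerificationResult:
    """Simulated pass/fail check. The service answers yes/no plus a reference;
    it does not hand the document details back, and the caller has no reason
    to keep them once the answer arrives."""
    record = _MOCK_VALID_DOCUMENTS.get((doc_type, doc_number.strip().upper()))
    passed = (
        record is not None
        and record["name"] == name.strip().lower()
        and record["dob"] == dob
    )
    return VerificationResult(passed, f"txn-{uuid.uuid4()}")


def _fingerprint(doc_type: str, doc_number: str, pepper: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256 with a secret pepper) of a document number.
    An unkeyed hash would not do: valid ID numbers are few enough to brute-force
    if the table leaks. The pepper must live outside the customer database
    (KMS/HSM), so a dump of the table alone cannot be reversed."""
    msg = f"{doc_type}:{doc_number.strip().upper()}".encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


def legacy_record(doc_type, doc_number, name, dob, address):
    """The pattern commenters in this thread describe: everything, including
    the raw ID number, kept in the customer table indefinitely in plaintext."""
    return {"doc_type": doc_type, "doc_number": doc_number,
            "name": name, "dob": dob, "address": address}


def retention_record(doc_type, doc_number, name, dob, pepper, verify=mock_verify):
    """Verify, then keep only what audit and later matching need."""
    result = verify(doc_type, doc_number, name, dob)
    return {
        "doc_type": doc_type,
        "doc_fingerprint": _fingerprint(doc_type, doc_number, pepper),
        # "ending in 567" for support staff; optional, drop it if not needed
        "doc_hint": "*" * (len(doc_number) - 3) + doc_number[-3:],
        "verified": result.passed,
        "transaction_ref": result.transaction_ref,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }
    # doc_number goes out of scope here; nothing above stored it.


def matches_stored(record, doc_number, pepper):
    """Re-check a document number presented later (e.g. on a port-out request)
    against the stored fingerprint without ever having kept the number."""
    expected = _fingerprint(record["doc_type"], doc_number, pepper)
    return hmac.compare_digest(expected, record["doc_fingerprint"])


def record_contains(record, needle):
    """Regression check for data minimisation: does the raw value appear in
    any stored field?"""
    return any(needle in str(value) for value in record.values())


if __name__ == "__main__":
    pepper = b"demo-pepper-kept-in-kms"  # constructed; never a literal in real code
    old = legacy_record("passport", "PA1234567", "Jane Citizen", "1990-04-12", "1 Example St")
    new = retention_record("passport", "PA1234567", "Jane Citizen", "1990-04-12", pepper)
    print("legacy leaks raw ID:", record_contains(old, "PA1234567"))   # True
    print("hardened leaks raw ID:", record_contains(new, "PA1234567"))  # False
    print("later match:", matches_stored(new, "PA1234567", pepper))    # True
```

The point of `retention_record` is what it leaves out: a dump of that table gives an attacker a document type, a keyed fingerprint they cannot reverse without the pepper, and a transaction reference that only means something to the verification service. Whether even the fingerprint is needed depends on whether the business ever has to match the same document again; if not, the transaction reference alone satisfies the audit requirement the comment above describes.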

  • +2

    I haven't been a customer since 2012. I'm sickened to think all my personal document numbers have been retained for this long and have now been compromised.

    Naively I'd always thought that such details were used to verify identification (as a new customer) then deleted.

  • +7

    All these comments about being gifted Optus credit or asking about staying with Optus with compo … why the hell would you still want to stay with them after this?

    I'm a former customer, just got that generic email too. They could offer me free cable or NBN and I still wouldn't take it. The only thing I'd take is financial compo for the stuff people have mentioned like changing details or credit watches, without being tied in as a customer. Not that a company is ever going to act so graciously.

  • +1

    I got the e-mail, but I didn't have an optus service directly… but I did have Virgin Mobile, but I can't find anywhere where they indicate if Virgin mobile users were impacted or not.

    • Same. I am furious they had my info and I didn't know for years.

  • +1

    Just got the email, despite Optus staff in-store telling me my account details had not been hacked and that Optus had advised victims days ago.
    So much for any faith in Optus.

  • +3

    May want to follow that guy on twitter for some follow up

  • I got the email and am wondering what damage someone can do with all those details?

    • Everyone on the internet will know your name, date of birth, email, phone number, home address, passport number and drivers licence number. Is that not enough?

    • +2

      They can take out credit cards, loans and god knows what in your name and let the debt collectors chase after you, fun times ahead!

      • But this is not the first time data has been leaked.

  • Have they finished sending out the breach emails or are people still receiving them in dribs and drabs?

    • I just received mine an hour ago - surprisingly it doesn't say my phone number or address were leaked… different to the example posted on this thread earlier
