Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API


Comments

    • I got one about 20 mins ago. The whole shebang of information. Not sure how much of it is still relevant. Curious how many businesses are affected as I have had the same number for years but ported between privately held and work accounts and providers and haven't been a customer (last through work) since 2017 when a previous employer was sick of crappy regional coverage and switched to another provider. I hope multi-billion dollar orgs aren't settling all their staff pers. data being leaked for a piddly discount.

  • +4

    Just read email today

    So pissed off at Optus, even though I don't have any account with them at the moment. But I did in the past, causing me to suffer this.

    Never ever using Optus again

    Warm regards Bch
    We've extended the 20% discount on your Wireless Broadband plan fee
    Kelly Bayer Rosmarin
    CEO, Optus

    Go ditch in bushes

    As if name, email, address, password wasn't enough already

    passport and licence numbers got leaked too, thank you CEO with warm ditching regards.
    Can easily see thousands of identity theft victims coming out because of your carelessness

    • I can understand your anger; use it in the right direction, and start a "CEO should be stood down pending investigation".

      These CEOs are paid too much to do too little except dictate an invisible fake theory of life.

      I would look at Maurice Blackburn ask for advice on the situation, they are yet to get back to me.

      • Did the Optus chief execs lose copies of their IDs in this hack?

        Or were they 'activated' without this requirement, and in breach of the Telecoms Act?

        I can't imagine a single chief exec being silly enough to upload actual copies of their Gov provided IDs to a local or foreign owned Service Provider.

        Oh wait, don't tell me… they used Telstra?

  • +2

    Hope they were not keeping the credit check information result in their database. That xml received from the credit check companies contains a lot more information… Sigh

  • +2

    Here are my thoughts on this hack… It makes for a great argument to implement a new Digital ID "here's something we prepared during lockdown". Perfect Timing. (cough)

    • I’m not that cynical, but I think you have a point.

      Governments in the past have done it, passing unfavourable laws after major national events.

      • Wonder how many more ransoms will be demanded before governments do a real hard crackdown on crypto. It's served a purpose so far though. Research for CBDCs and a nice little money black hole to soak up the excess stimulus being a couple

        • Far more crime is committed in the open using legit banks, let alone cash, or other forms of payment, like crypto.

          Besides, govs can't really crack down on crypto, any more than they can crack down on malicious actors on the interwebs.

          And if you receive a payment in crypto, it leaves a trail of metadata. And the majority of crypto have an open ledger that is designed to allow transaction verification so if the recipient is found, the money trail is publicly available info and enough to hang them in Court.

          Watch Wirecard on Netflix for an example of where the real money can go in gov controlled systems, and that was just a few crooks. Then think about what nation states and organised crime can achieve given entirely non crypto-related tools. I'm not saying they don't use them, but we have far bigger problems in the environments our Govs created, and are actually obligated to maintain. But don't.

  • Going off what the person selling the data has said, every current and former customer is in the leak, and if you put in your driver's licence or passport then it's in the leak too.

    I wouldn’t put bearing on what an Optus email sent to you says, there is no trust with them just saving face.

  • So live chat confirmed they got my drivers licence and medicare details, along with the basics. I asked if they were offering anything to customers to stay and my person said they were not offering any compensation. I made the threat of leaving just to push it a bit further and the response was "bye then". Enter profanity word Optus.

    • I have learned one thing with corporations, and it's that they follow only the minimum they have to under law.

      If you want action, then write your MP, complain to the privacy commissioner, see what case you can bring under XCAT.

    • 'yet' would be the key word here… They will end up paying, either a swag of lawyers and/or fines but you can bet your brass razoo they will do everything they can past useless tears and apologies to hold onto that money let alone ever consider giving it to customers willy nilly.

    • +1

      As a former business customer, I'll be sending them an invoice every year for the credit watch I will have to take out for all those that were on the business account.

    • @Saul Goodman - How did you get them to tell you? None of the chat people are willing to tell me.

      • I was just very stern and used words like 'I DEMAND' in caps lol

        • it helps when you were Walter White's lawyer

    • I made the threat of leaving

      That's a mistake, you don't make a threat of leaving.
      You ditch the MF company, and demand financial damages
      Okay Better Call Saul

  • Been with Optus mobile for a few years @ $15/month. I rarely use mobile so it's a good deal for me, but I have not had any contact from Optus through either SMS, email or account notifications that there has been any breach… So assuming my details have not been leaked, or Optus is just very bad at notifying their customers of what has happened. I'd flip a coin on that one. Good way to get people to flip their contracts to another provider and upgrade people to 5G phones. Yes, I'm a cynic :P

  • +1

    And the spam begins

    They are already trying to change the password of my netflix account. Multiple email requests haha

    Luckily I've put a block on my credit history and will try and change my DL number this week

    • What state are you in? Are you in NSW? They need a police number or event number?

      Any ideas what to provide them?

      • NSW. I'm going to file a report tomorrow.

        • Can you let us know if they accept the report and also if service NSW process it

        • +1

          I think we can report cyber crime/ identity theft online at Cyber.gov.au (there's an option for "Your details were part of a data breach"), then it should give a CIRS number we can then put on the Transport for NSW form? Maybe add a copy of the Optus email as supporting document? I'm not sure if this is how it works.

        • Can you please share event number with us? Services NSW states:

          Report the theft or incident to police and obtain a Police Event or ReportCyber Receipt (CIRS) Number. Where a single event affects multiple customers, Transport for NSW may accept a Police event or CIRS number for all affected customers.

    • Do you know if your data was inside the 100 sample leak?

      Because if it wasn't, that means the leak has already started happening and the $1m bounty won't be honoured…

  • +1

    Bunch of CU Next Tuesdays!!

    Shall be interesting to see if Optus coughs up the ransom amount requested by the supposed hacker/s.

    • +1

      They should… US 1 million… I'll happily pay my 10 cent share of this to take the gamble that it's legit… or they can add the 10c surcharge to my next bill

  • +8

    FYI for those who had drivers licence number leaked. As of this month the card number (an extra number on the back) on a driver licence will be a mandatory verification field in most states for credit ID checks.

    So theoretically this would make it harder for anyone to steal your identity that only has the licence number. So good timing. Unfortunately I'm in Qld where it seems like it's only likely to be mandatory in 2023…
    Might be worth an email to your local member to get this through asap.

    • Do all banks and credit providers complete the ID Matrix for each credit application?

      • That I can't answer. But I assume all those that use Equifax for credit checks.

    • D&$m! QLD, why can’t they just get with the rest of the country….

  • +9

    So this wasn't a hack - was just an open / unauthenticated API.

    The hacker basically went:

    • api.optus.com.au/userid=1
    • api.optus.com.au/userid=2
    • api.optus.com.au/userid=3
    • api.optus.com.au/userid=9999999

    And saved the data.

    That was the limit of their "hack".
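The access pattern described in the comment above (one client walking `/userid=1`, `/userid=2`, … with no credentials) is easy to spot in web server logs if anyone is looking. The script below is an added example written for this thread, not code from the thread or from Optus: it parses a handful of constructed access-log lines (the `userid=` path shape is taken from the comment; the trailing `auth=` field and all IPs, timestamps and IDs are made up for illustration) and flags any client that requests many distinct user IDs, or a sequential run of them, inside a short time window, noting whether those requests carried any authentication at all.

```python
"""Flag sequential user-ID enumeration against a customer API from access logs.

Added example, not from the original thread. The log lines are constructed;
the "/userid=N" path shape mirrors the comment above, and the trailing
"auth=" field is an assumed custom log field recording whether the request
carried credentials ("-" means none).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (simplified Apache combined format plus auth=).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2022:10:00:00 +1000] "GET /userid=1 HTTP/1.1" 200 1400 "-" "python-requests/2.28" auth=-
203.0.113.7 - - [20/Sep/2022:10:00:01 +1000] "GET /userid=2 HTTP/1.1" 200 1398 "-" "python-requests/2.28" auth=-
203.0.113.7 - - [20/Sep/2022:10:00:01 +1000] "GET /userid=3 HTTP/1.1" 200 1402 "-" "python-requests/2.28" auth=-
203.0.113.7 - - [20/Sep/2022:10:00:02 +1000] "GET /userid=4 HTTP/1.1" 200 1390 "-" "python-requests/2.28" auth=-
203.0.113.7 - - [20/Sep/2022:10:00:02 +1000] "GET /userid=5 HTTP/1.1" 200 1410 "-" "python-requests/2.28" auth=-
198.51.100.20 - - [20/Sep/2022:10:00:03 +1000] "GET /userid=88213 HTTP/1.1" 200 1405 "-" "Mozilla/5.0" auth=bearer
198.51.100.20 - - [20/Sep/2022:10:05:00 +1000] "GET /userid=88213 HTTP/1.1" 200 1405 "-" "Mozilla/5.0" auth=bearer
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /userid=(?P<uid>\d+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" auth=(?P<auth>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Turn matching log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "uid": int(m["uid"]),
            "status": int(m["status"]),
            "authed": m["auth"] != "-",
        })
    return events


def longest_sequential_run(ids):
    """Length of the longest run in a sorted list where each id is the previous id + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(log_text, window=timedelta(minutes=5), min_ids=5, min_run=4):
    """Return one finding per client that looks like it is enumerating user IDs.

    A client is flagged if, within `window`, it requested at least `min_ids`
    distinct IDs or a sequential run of at least `min_run` IDs.
    """
    by_ip = defaultdict(list)
    for ev in parse_log(log_text):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        flagged = False
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = sorted({e["uid"] for e in evs[start:end + 1]})
            if len(distinct) >= min_ids or longest_sequential_run(distinct) >= min_run:
                flagged = True
                break
        if flagged:
            all_ids = sorted({e["uid"] for e in evs})
            findings.append({
                "ip": ip,
                "requests": len(evs),
                "ids": all_ids,
                "sequential": longest_sequential_run(all_ids) >= min_run,
                "unauthenticated": any(not e["authed"] for e in evs),
            })
    return findings


if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_LOG):
        print(f)
```

On the constructed sample, only the first client is reported: five distinct, sequential IDs in two seconds with no credentials. The second client fetches one record twice with a bearer token and is left alone. The thresholds are deliberately low for the sample; in production they would be tuned against the API's normal per-client behaviour, and the authentication check would be enforced at the endpoint rather than merely observed in logs.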

  • +1

    I’m angry at previous governments that mandated data (and metadata) retention laws.

    https://www.abc.net.au/news/2022-09-25/new-security-measures…

    • +1

      Didn't Optus keep data for longer than required?

      • -1

        I can't remember being with them for 10+ years if not longer, and still got a notification email.

        Well, well before the retention laws.

        • Actually I worked it out.

          I had vividwireless internet who were bought out by Optus. So my details must have been transferred.

          So that puts it around 2019 rather than earlier than 2010 which I initially thought.

  • Maybe I should follow through on changing my name. I've thought about it a few times, I don't particularly like my name. Optus decided to give out at least 6 pieces of identifying information about me, with most places requiring ~4, so they can basically do whatever they like as me. I can't change my driver licence number, I don't want to change my phone number, my address will be changing soon, I'd get a new email address as it contains my name.

    DOB, driver licence and phone number won't be much use without name, address or email. I'll just leave all of my details the same with Optus so they can't hand out my new details to anyone. Then cancel everything with them once the 12 month tablet plan is up.

    • No matter. Once they have a GovID (especially one that doesn't change, or changes incrementally, or just a little), they can use that to relate you to all things you, inc. any new names you adopt.

      That's why legislation needs to protect all data, including PII, and especially private and Gov IDs, because once they leak, the risk of attack goes up in orders of magnitude (Eg. From if, to when).

  • Have they announced how far back as a customer you will have had details stolen?

    • +2

      They announced back until 2017 was affected. But also 30 seconds later mentioned they keep data for 6 years so that would mean back to 2016.

      If you still have an Optus account (e.g. able to log in), follow the steps pointed out in https://forums.whirlpool.net.au/thread/3z4yl2qw?p=75#r1485 even if you have no current SIMs/services. If it works and shows data then it was likely stolen.

      • Thankful that I haven't used Optus since early 2000

      • Thanks.

        I am safe on my hotmail. But proper feffed on my Gmail. Signed up to get the Tab deal. So many OzB will have their details leaked.

        Where is my email Optus. Lying dogs.

        {"ImplUserInformationResponse":{"transactionId":"xxxx","anonymouUser":false,"otpUser":false,"otpExpiredInSeconds":0,"userDetails":{"user":"[email protected]","contactId":"xxx","pid":"xxx"},"clientContext":{"contact":{"email":"[email protected]","dateOfBirth":xxxxxx,"gender":"M","Emails":"Verified","firstName":"xxxx","lastName":"xxxx","phone":"xxxx","contactId":"xxxx","indentType":"Driving Licence","indentValue":"xxxxx"},"customers":[{"customerName":"xxx undefined xxx","customerObjId":"xxx","customerId":"xxxx","customerType":"Consumer","customerSubType":"Consumer","contactRole":"Account Holder"}],"billingArrangements":[{"barName":"xxxx","barStatus":"Open","barRelatedFA":"xxx","barCustomerId":"xxx","contactRole":"Billing Contact (P)","barId":"xxxx"}],"financialAccounts":[{"Statues":"NONE","faName":"xxx","faId":"xxx","faCustomerId":"xxx","contactRole":"Primary"}],"subscriptions":[{"lineOfBusiness":"Mobile","subType":"Postpaid","primaryResource":"xxx","subscriberCustomerId":"xxx","contactRole":"Subscriber","subscriberId":"xxx","subscriberStatus":"Active"},{"lineOfBusiness":"Mobile","subType":"Postpaid","primaryResource":"xxxx","subscriberCustomerId":"xxx","contactRole":"Subscriber","subscriberId":"xxx","subscriberStatus":"Active"}],"complexServicesExists":false},"migrationParams":{"callLegacy":true,"dashboardRequired":true,"catchupPeriod":false,"lastMigrationStartingTime":xxxx}}}

  • Got the email at 1pm today, as a former customer.

    "The information which has been exposed is your name, date of birth, email associated with your former account, and the number of the ID document you provided such as drivers licence or passport number. No copies of photo IDs have been affected."

    So they're not even being specific about what documentation was compromised. Anyone have any thoughts how I can find this out?

    The most annoying part of this for me is I was only a customer for 3 months in 2017. I left because they charged me for 'Optus Sport' for 3 consecutive months without me ever ordering or requesting it. I reached out to support for 3 consecutive months where they promised to remove it but never did. Thanks Optus, what a bloody headache.

    • +10

      See this - https://whirlpool.net.au/wiki/optus_sept_2022_breach


      What Optus account could have been exposed? Can I find out if I used my drivers license or passport?

      You can check the Optus customer API yourself after logging in at https://www.optus.com.au first.

      You can only access data for the logged in user, and can't view the data of other customers.
      This is not the presumed link the hacker used to collect customer data, which allegedly did not require any authentication.

      View Account details (including any identification details, like drivers license or passport):

      https://www.optus.com.au/mcssapi/rp-webapp-9-common/user/inf…
      View Customer Address details (including any identification details, like drivers license or passport):

      https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/{contactId}?lo=en_US&sc=SS
      In the second URL you will need to replace {contactId} with that found in the first link (number only, without the curly brackets).

      Q: How do I convert the long random numbers in the date fields – date of birth, expiry dates – to a normal date?
      A: They are epoch timestamps. Paste the number in https://www.epochconverter.com/ which will convert it to a normal date.
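To make the self-check above less error-prone, here is an added example (not code from the Whirlpool wiki, Optus, or anyone in this thread) that reads a response shaped like the redacted `ImplUserInformationResponse` pasted earlier in the thread, reports which identity document type was on file and whether a document value is present, converts the epoch date fields to calendar dates, and builds the second (contact-person) URL from the `contactId` found in the first response. The sample JSON is constructed with placeholder values; the key names (including the API's own spelling `indentType`/`indentValue`) are copied from the quoted response. The wiki only says the date fields are epoch timestamps, so the seconds-versus-milliseconds heuristic is an assumption.

```python
"""Summarise what an Optus customer-API response says was on file for you.

Added example, not the wiki's or Optus's code. SAMPLE_RESPONSE is constructed
with placeholder values; only its shape follows the redacted response quoted
in the thread.
"""
import json
from datetime import datetime, timedelta, timezone

SAMPLE_RESPONSE = json.dumps({
    "ImplUserInformationResponse": {
        "transactionId": "t-0001",
        "userDetails": {"user": "user@example.com", "contactId": "123456", "pid": "p-1"},
        "clientContext": {
            "contact": {
                "email": "user@example.com",
                "dateOfBirth": 631152000000,      # epoch milliseconds (1990-01-01 UTC)
                "gender": "M",
                "firstName": "Jane",
                "lastName": "Citizen",
                "phone": "0400000000",
                "contactId": "123456",
                "indentType": "Driving Licence",  # key spelling as seen in the quoted response
                "indentValue": "00000000",
            },
            "subscriptions": [
                {"lineOfBusiness": "Mobile", "subType": "Postpaid",
                 "primaryResource": "0400000000", "subscriberStatus": "Active"}
            ],
        },
    }
})

# Second endpoint from the wiki quote; {contactId} is filled from the first response.
CONTACT_URL = ("https://www.optus.com.au/mcssapi/rp-webapp-9-common/"
               "customer-management/contact-person/{contactId}?lo=en_US&sc=SS")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_to_iso_date(value):
    """Convert an epoch timestamp in seconds or milliseconds to YYYY-MM-DD (UTC).

    Assumption: a magnitude above 1e10 is milliseconds (1e10 seconds would be
    the year 2286). Values within a few days of 1970 are inherently ambiguous.
    """
    if value is None:
        return None
    v = int(value)
    if abs(v) > 10 ** 10:
        v //= 1000
    # timedelta arithmetic handles pre-1970 (negative) values portably.
    return (EPOCH + timedelta(seconds=v)).date().isoformat()


def summarize_exposure(raw_json):
    """Pull out the identity-relevant fields from the first API response."""
    data = json.loads(raw_json)["ImplUserInformationResponse"]
    ctx = data.get("clientContext", {})
    contact = ctx.get("contact", {})
    contact_id = data.get("userDetails", {}).get("contactId") or contact.get("contactId")
    doc_value = contact.get("indentValue")
    return {
        "contact_id": contact_id,
        "name": f"{contact.get('firstName', '')} {contact.get('lastName', '')}".strip(),
        "email": contact.get("email"),
        "phone": contact.get("phone"),
        "date_of_birth": epoch_to_iso_date(contact.get("dateOfBirth")),
        "id_document_type": contact.get("indentType"),
        "id_document_on_file": bool(doc_value),
        "services": [s.get("primaryResource") for s in ctx.get("subscriptions", [])],
        "address_details_url": CONTACT_URL.format(contactId=contact_id) if contact_id else None,
    }


if __name__ == "__main__":
    for key, val in summarize_exposure(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

Usage: save the first endpoint's JSON to a file while logged in to your own account, load it with `open(...).read()` and pass it to `summarize_exposure`. The function deliberately reports only whether a document number is present, not the number itself, so the output can be pasted into a support chat or a police report form without re-exposing the value.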

      • Thanks Happydude, but I think this only works for current customers? I tried to login / reset my password with my email to no avail. It said no account exists for my email address.

        However, I've called my local Optus Store who were very helpful and let me know everything on my account.

        The only documentation they had on my account was driver's license number, but it's expired. The license number hasn't changed, but do credit checks request the expiry date? And if so, would I therefore be safe in that case?

        • +1

          I'm a former customer (2019) and I could still log in.

          That's a good question and I don't know.

          • @happydude: Yup, also a former customer and still had an account I could log in to after resetting my password.

      • They have the wrong driver licence number. Makes me wonder why they bothered having it at all. Didn't stop them doing credit checks though.

      • Thanks for this, this confirms they don't have my current licence number after moving interstate and that I probably never gave them my passport number. This is reassuring.

      • Thanks!
        Same boat where apparently it's all been compromised as a former customer from a little over a year ago but luckily (??) it's an incorrect DL number from interstate, address isn't current (previous address) so maybe that mismatch will be enough for not much to happen or it to raise flags on a credit check.

        I was frustrated to read VIC roads letter that basically unless you have been a victim of identity theft or fraud they wouldn't consider changing the license number.

        • I was frustrated to read VIC roads letter that basically unless you have been a victim of identity theft or fraud they wouldn't consider changing the license number.

          I imagine that is for this very situation. There would be 1m+ Victorians in there and the labour required to process them would be very costly.

          • @happydude: That's a pretty pathetic excuse. Improve your processes, ramp up your resources and send the bill for doing so to Optus.

            That's like saying if a bunch of credit card numbers were stolen and a bank said "sorry the effort to cancel all your cards is too much". This isn't quite that, but maybe a step or two back from it.

  • +2

    Not sure if this info is already posted, sharing from LinkedIn

    Hi All,

    In light of the recent Optus cyberattack, if you are concerned that your data may have been stolen (a high probability, certainly, given ~11 million records were taken), and you have used your driver's license with Optus, you can apply for your license to be replaced with a new license number. This will circumvent any issues with scammers attempting to use your license to apply for anything, i.e. credit.

    Check out the below, submit a report to the police and head to a service centre to replace it. I'd rather be proactive with this instead of waiting for Optus to tell you if your data has been stolen. You can also put a block onto your credit reports at the main reporting agencies such as Equifax (it's free), the others may charge a fee - but it will help avoid the headache if something happens.

    https://lnkd.in/dCnWA3qj

    Update: you can submit a report to accompany your form by visiting https://lnkd.in/dC7AXYAz and generate a report number to attach to your form. Save yourself a trip to the police station.

    • Link is for NSW, not sure any other states do it? Couldn’t find it for QLD

    • I'm sure this is posted elsewhere but this is what applies for VIC after looking into it this afternoon.
      Basically unless it's already done and your identity has been stolen and fraud has been (attempted) they will then look to change it, otherwise until that happens you're out of luck.

      https://www.vicroads.vic.gov.au/-/media/files/formsandpublic…

      "Am I eligible to have my driver licence number changed?
      Yes, if VicRoads considers the information on your driver licence or learner permit was used in the attempt to commit fraud or
      fraudulent activity occurred resulting in identity theft. We will consider changing a licence number when there is a reasonable
      request to do so.
      Some examples of identity theft include:
      • Opening a bank account or a mobile phone service
      • Accessing government benefits
      • Avoiding security and validation checks to gain employment such as a Working with Children check
      • Avoiding licence bans and/or the allocating of fines and demerit points
      • Obtain approval for car leasing or car hiring"

      "When am I not eligible for a driver licence number change?
      If you’ve been notified by an organisation that a data breach may have exposed your licence details, but no fraud has taken place,
      VicRoads will NOT be able to change a driver licence number.
      We will NOT be able to change a driver licence if:
      • there has been access to social media platforms
      • scams attempting to gain access to your personal information
      • creation of pre-paid mobile connections, in your name
      • anytime where the driver licence number was not used in the activity of fraud or a data breach. "

      • Vicroads is quite helpful /s

    • I filled out both forms and went to servicensw to lodge my replacement driver license.
      They didn’t even look at the form instead directed me to one of their PCs, asked me to sign into servicensw and there was an online form for replacement drivers license.

      Cost $29.
      I asked if I would get a new driver's license number; they said no, instead the card number will be different. So not sure if this whole process is applicable or not?

  • +2

    I contacted their online support & was told…

    "I've checked your account and you've been impacted. The information which may have been exposed include customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, driver's license numbers or passport numbers."

    But then after advising them they will be held liable for any/all financial loss and that I expect them to pay for Equifax services to freeze any credit applications made in my name:

    "Unfortunately we're not able to offer compensation for the inconvenience. I can assure you that Optus have taken immediate steps to secure your account and protect every customer's privacy, if you are impacted, Optus will contact you soon."

    So these absolute clowns cannot even say if I am affected. Can't wait to join any CAL that pops up. They will be paying for Equifax too. F**k Optus.

    • +2

      Unfortunately we're not able to offer compensation for the inconvenience.

      Lol

      • +1

        I will be happy to be compensated with the alienware monitor😜

        • +1

          I need a gaming desktop this time.

      • +8

        It's a pretty minor inconvenience. We're only talking about little things like people stealing your identity, taking out large debts in your name and accessing your existing accounts. Also, it's not like Optus could have in some way prevented it from happening by protecting our information by encrypting it or requiring login to access it.

        • +2

          This. FML I hope we get to sue the ever loving shit out of them.

      • I typed this elsewhere but Sony took out fraud insurance of a couple of mil for every user affected by the hack. Can't see why Optus can't do the same.

  • +1

    So I am incredibly frustrated about this. Past customer, initially through Virgin and then with Optus for a time after they fully took over. Haven't been with them for about 2 years. Received the email which seems to indicate they got everything about me.

    Tried to log in as per some previous thread advice that old account holders can still do this. No dice, I do not have an Optus account. Ok. Tried the online chat. Was initially referred to go to a store because I'm not an existing account holder and have no account number so they can't see my info. Was then told that if I can provide them with my details, including my mobile number when with Optus, they could verify me and then would send an "SMS or email" with confirmation of what they had on file for me and what was stolen. Now almost 24 hours later and no promised SMS or email.

    Seriously screw you, Optus!

    I have never done any of this credit stuff before - how do I lock down my credit? I saw there are three companies that do this? Is there a preferred one that people recommend? I saw Equifax is $15 a month?

    • Call the store again, or even better: another store.
      I just got all the details from my local Optus store over the phone in 5 mins flat.

    • +3

      https://www.oaic.gov.au/privacy/credit-reporting/fraud-and-y…

      Requesting a ban period, or an extension of a ban period, is free.

      https://www.idcare.org/fact-sheets/credit-bans-australia

      You can apply for bans with all of the Australian CRAs by engaging just one credit reporting agency and requesting that they place bans with all CRAs if you agree to their terms and conditions.

      • Thanks so much for this! I was freaking out that the only way to lock it down was to sign up in full for a service. Good first step will be putting a ban on for free asap and then going from there once we all have more info on what's happening.

      • +1

        If you have a credit savvy account (now owned by comm bank) you can request it online and they will notify experian and ask experian to notify equifax, illion and other credit reporting agencies

        • Experian notifies the others too fyi

    • +2

      Viewing your credit report once every 3 months is free, putting a ban on your credit file so no one can use your file to apply for credit is also free, the $15 a month subscription is for a service like: when someone requests your credit file, they will send you a message.

    • +1

      I am in a similar situation to you. I was with Virgin till Sep 2019, but never signed up for Optus. But still they had my info three years later.
      I would suggest calling them again. I had no luck the first time, but the second time, the guy gave the details. I am worried about the ID doc number they have leaked. I have since moved to a different state, and have had my phone number changed.
      Regarding credit, I think Credit Savvy is free https://www.creditsavvy.com.au/. Not sure how it is different from Equifax.

      • +1

        It's so frustrating! If I was you I would be livid that they held my info when I never even had a service with them.

        I was with them for less than a year until I switched and tbh I don't know what I even gave them. I will be trying again to see if someone will tell me. As no luck with the online I will try on the phone as you suggested. Thanks.

      • Credit savvy checks Experian.

  • -2

    Glad never been with them only voda . 🫣🫣

  • +2

    Not long until people start saying "do you remember Optus?" like they do with Three. Add it to the list of things only adults will remember.

    • Three would probably do a better job, as a HK Hutchison Whampoa-owned company wouldn't let this happen. They are more tech savvy.

    • In all seriousness, it is likely to end with a re-brand & name change

  • Anyone with a European passport affected? I am a dual national (Australian and Dutch)… I wonder how this would be looked at under the GDPR.

    Second, the fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages. We also talk more about GDPR fines.

    • Optus doesn't have a footprint in Europe tho. Don't see how that could be enforced here.

      • +1

        That's the beauty of the GDPR. It doesn't matter if they have a footprint in the EU or not, it's about the data of European citizens.
        If you deal with European data, you need to adhere to the GDPR.

        See the FAQ:

        Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies.

  • My wife's Optus account has been affected, and after checking the API for her account, it has her drivers license info in there. We want to look at porting her number across to Boost, will we need to do that in store with Optus or should Boost be able to still do that for us on their end?

    • +1

      I’m not sure if they have paused porting, but if not then Boost should be able to do it.

      Unless you’re doing that to not give them any of your money, it won’t change much in terms of risk of identity theft. I would do a credit ban to mitigate this risk. Other feasible things include changing license (number if your state allows) and changing phone number (very annoying).

      Changing address and name is possible but seems highly unfeasible for most people. Changing birthday is impossible.

      • +1

        Yeah we're aware the horse has already bolted, just don't think Optus deserves any more of our business after this. Will give it a go this week and see how we go.

        • Yea, I totally get that. I would do the same. Unfortunately, it’s cheaper for me to stay than to cancel until my 12 months is over with them (tablet deal). The tablet deal doesn’t seem so much of a deal anymore ….

    • Number porting from Boost should still be available. With number porting nowadays, as part of the process, it will send a one time code via SMS to the current number / SIM and you need to enter that one time code before porting can proceed. The process is initiated by the winning provider (there is no incentive for the losing mobile provider to initiate the porting).

      Ideally, it is better to transition to a new number. However, that is easier said than done, especially if the mobile phone number is the one families and friends know / use to contact your wife.

    • I was able to port from Optus without an issue. Just went into a new provider and followed the usual steps to transfer across.

  • +5

    Suggest people go through and try to find out whether you are exposed through the information below or follow the whirlpool wiki:

    https://whirlpool.net.au/wiki/optus_sept_2022_breach

    For me, the Optus CSR gave me false negative information (saying I wasn't exposed). From doing the test, my information was exposed. Anyway, if you had the once popular Optus 12 months prepaid plan back in 2017-2019?, there is a good chance your basic information got exposed (whether DL or other identity verification document info also got exposed, you need to check yourself). It is disappointing that Optus wants to keep customer data for this long, even for prepaid customers. Problem is, not many people remember their login details from back then.

    • That doesn't tell you if you were exposed, just that if you were, then that is what they got.

      • To be honest, I am still cynical about the API check. I did sign up for a new Optus prepaid service in 2022 (just for a month). Weirdly, using those APIs, they are not showing that particular prepaid mobile phone number. The information shown was from my 2019 prepaid service.

        Optus didn't keep 2022 information and instead elected to keep 2019 info… That doesn't seem right. I am going to assume both the 2019 and 2022 data I provided to Optus could have been exposed. One possibility is that I didn't bother to set up online access for the 2022 activation. Even so, that means the API check depends on online account setup.

    • That's good, thanks for pointing that out. Looks like they got my optus services (data Sim only) but also my main number (non optus)
      Has anyone run the 2 APIs and checked their licence number? Looks like mine is my main phone number (that's odd) and NSW (I'm in VIC)
      Or is the driver licence supposed to be hashed?
      Looks like they got a validity end for my driver licence as 2018. Which doesn't make sense. Maybe I'm safe thanks to their poor DQ ? :-)

  • Without reading all this, what are the consequences for Optus? Class action?
