Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API


Comments

    • +1

      It’s too early to say, but I do hope they get a couple of books thrown at them.

      • Will one of them be a phone book?

  • How much can a hacker do with my name, address, phone number and email address?
    They have my British passport number, but it only has 6 months left so time for a new one anyway.
    Luckily Optus didn’t even have my Medicare, drivers license or Australian passport details.

    • Passport number doesn't change when you renew tho, does it?

      • It should change.

      • does change

      • +1

        My current one is different to the one before that so unless something has changed it will be different.

      • It does change, usually inside the passport it has the details of the one it replaced.

  • +3

    FML, thank god only my DOB, name, address, email and driver licence are leaked, but my password and payment info are safe, hooray

    • I know right. Those things are sooo easy to change compared to passwords.

  • +1

    I went into the Optus store to find out what I needed to do to port my number and see exactly what information had been leaked.

    The rep confirmed basically everything was leaked and gave me the same script the CEO used in her interview about how 'the good news is no passwords or financial information was leaked' (🙄) to which I replied "I can change these, I can't change my DOB".

    I also asked how Optus was planning on assisting customers impacted by the breach and the rep essentially said they weren't (noting it's still early days).

    Porting my number and closing my account wasn't an issue. I just went to another provider and went through the usual steps to port across.

    I would strongly encourage others to move away from Optus so they are immediately financially impacted for the data breach. I'll be moving all my accounts off Optus.

    As painful as it is, I'm going to change my license number and phone number to make the information a little less valuable.

  • $1m is chump change for optus. They will pay the ransom. Worth the risk anyway.

    • It's a tiny amount. There's no guarantee if they pay it the data still won't be sold anyway.

      • At least they will know exactly what is out there

      • It won't. Extortionists do have some moral compass.

        If they did sell it makes it harder in the future to get paid.

        • +1

          And how in the world would they actually keep track of reputations if everything is anonymous? This isn't like ransomware where the hackers don't actually have your data in their hands to renege on deals.

    • Money is not the problem but it's not like there's a BSB/Acct that you can easily send to. No way that Optus wouldn't have a handy crypto wallet with stacks of BTC, ETH, XMR lying around.

      If you're an Optus employee, how many expense forms & department head sign-offs do you need to approve a box of $5 paperclips at Officeworks? I'll be surprised if this even takes less than a week.

      • Just contact CZ from Binance. Done in 24 hours.

        Seriously though clock is ticking but they might be able to negotiate more time

    • I don't think they will pay the ransom… it's now against Australian law to pay cyber ransoms. I suspect even though the hacker may delete the information (excluding the samples they already released) it's too late because they only have a week to pay and they probably can't even do that due to the law.

      • Where does it say this?

        Pretty sure businesses can do what is in their best interests?

        • "A company that makes a ransom payment when there is a risk that the funds will be used to commit a crime may be liable for a money laundering offence under Division 400 of the Federal Criminal Code Act 1995 (Cth) (Criminal Code).4"

          It's possible a company could claim defence under duress but the idea behind prohibiting it is to stop criminals from seeking more ransoms when they get paid out.

          • @machej: How does this reconcile with the existence of corporate ransomware/hacking etc insurance? Someone mentioned on whirlpool that companies typically have 50mil policies or is that a US/Europe thing?

            • @vawiyoci: I haven't heard of it here. I'd be shocked if insurance even covers payouts if you don't have adequate offline backups. These days businesses should at most lose a few days with backups and the insurance payout should cover their operations to redo the work.

  • I’m going to sign up to equifax at 15/month for credit monitoring

    Will request new Medicare Card

    Anything else I can legitimately do? NSW resident

    Can't remember what ID documents I used to sign up. Was 5 years since I signed up and 3 years since I switched

    • You can get a new license number in NSW.

      Changing phone numbers, but that is quite annoying.

      I think banning your credit at all three credit monitoring would be enough. Not sure if paying $15/month is worth the service to receive text notifications unless I’m missing something else in the offer.

      • +2

        I don’t want to apply for a credit ban because I’m looking for a mortgage loan 😭

    • If you still remember your login, you can use the following API method, I just checked it works

      https://whirlpool.net.au/wiki/optus_sept_2022_breach

    • At the very least you can get a new Licence Number. In my state I cannot even get a new licence number

  • Does anyone know how to change drivers licence # in South Australia, or if we will be allowed to? I see my licence # in the info Optus holds about me. Have done a Credit Ban but it is very early days indeed.
    Maybe this is some sort of engineered "hack" to get many many people into submission? Media and AUSGOV very quiet and if I see Ms Bayer ve Bayer's face I will projectile vomit

    • Yes I read on r/adelaide that some one got a new licence and number done. Just had to take copy of email from Optus mentioning the leak.

  • I've been expecting an email saying I am one since I signed up for that Samsung tab. I got the email this morning but since then it has disappeared and I've found it in spam. It came from the address [email protected]. Did anyone else get that and is that the email they're using?

    • that's the right e-mail address

  • If I put a block on any credit applications can I still activate a prepaid Sim like the recent Boost deals?

    • +1

      Yes, it only prevents a credit check. Identity checks will still go through.

  • +2
    Merged from Optus Breach: Find out what ID they have of yours.

    Found very helpful information on the below whirlpool link:

    https://whirlpool.net.au/wiki/optus_sept_2022_breach

    You can also find if you have used passport or license number. For myself, I can only see that License Number is mentioned but not the card number, not sure if it’s something positive.

    • +12

      Thanks for that. Can't see any passport or license number for me which explains why haven't had any Optus notification yet.

      For those that can't be bothered reading the whole page:

      • The link where you pop in the contact Id comes up as invalid for me, what am I doing wrong?

        • +17

          @jv: @jv mate I love your presence as much as the next ozbargainer but can you $&+" off

        • +1

          Make sure you're logged in and paste your contactid number properly. Just tried on another browser and it works fine.

          https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/0123456789?lo=en_US&sc=SS

          • @Hybroid: Thanks @Hybroid I didn't get rid of the squiggly brackets. My driver's licence is on there 🙄

      • +1

        Login to account on https://www.optus.com.au

        Anyone else having a 2FA authentication loop?

        • I haven't logged in since 2019 and I had no issues, emailed code entered, logged in fine…

          • @FLICKIT: dang - i tried to login via chrome and firefox on desktop - hopefully just something silly…

            • @Jimothy Wongingtons: Fine for me on Chrome.

              • @FLICKIT: working on my phone now - maybe something up with my pc…

                • @Jimothy Wongingtons: I have the same issue, after entering the 2FA number from email, it takes me back to log in screen. Top right, if I click on account, I can see my name with the user icon.

                  Same issue with MS Edge on both laptop and mobile.

                  • @CodeXD: it's like they contracted out all the web dev work to the cheapest mob they could find

        • Yep, can't get in.

      • They haven't notified me… I only used a pre-paid SIM for 1-month back in 2019…

        Checking the info of mine they have I can't see any ID document details in there, just name, address, phone number, DOB, email… (I assume all this was lost)

    • +2

      Optus better get absolutely rekt for allowing this to happen. $100 per person sounds about right

      • +3

        100 pp would be getting away super cheap for them

        • You're right, it's only 1/7th of their net income looking at Wiki.

          How about fire the CEO, no golden parachute, all profit from the last year gone.

          These guys F'd up big time allowing this to happen.

          • +1

            @coffeeinmyveins: Whilst I'm always happy to see the aristocracy punished, the CEO was indirectly responsible. Yes, they're the captain of the ship and they should be hung out to dry, but this breach really falls under the jurisdiction of the CIO (Chief Information Officer). Depending on the avenue of attack, the MD for Optus Digital should probably hang too, and I'm sure there's plenty of people who'd want to see the MD for Enterprise and Business hang, even though it's likely not anywhere near her area of responsibility. (see [https://www.optus.com.au/about/corporate/executive-profiles] for the who's who in the zoo…)

            Whilst I'm not for hanging the little guys out to dry, they do also share some responsibility here. One of the grunts may not have done their job properly, and certainly the middle managers share some responsibility.

            The real issue, though, is businesses' constant lack of interest in terms of digital privacy and security. It always seems to feel like they'll do the bare minimum until they have something happen. They'll pay some fines, patch some holes and then keep on doing the bare minimum (which, to be fair in a capitalist society is to be expected, but still…)

            • @Chandler: Wasn't the "avenue of the attack" an open API that anyone could have stumbled upon?

              • +1

                @SgtBatten: lol wtf, really?

                If it's that simple then that's a blatantly inexcusable issue that reeks of when Citibank didn't have any protection (having any account ID would mean you could access any other one).

      • $15/m for ongoing notifications

        • Yeah I've personally already signed up for the Equifax $10/m Credit Protect plan. We need Optus to provide free access to this or a similar service

      • I probably need my overseas passport changed. The cost of new passport is $300+, and not to forget I must take leave and visit my country's embassy in Canberra. $100 wouldn't even cover bus/PT to and from airport.

    • +5

      How can i get Optus to pay for my Drivers Licence or Passport replacement?

      • +1

        and name change

        • Curious if the Drivers Licence number would have to change if you changed your name?

          • @kittymtd: Thought that would be the only way to get the number changed? I think mine (QLD) remained the same after the last renewal ….

      • I'd say you have more chance of Mexico paying to finish building the wall

    • +2

      NOTE that data was also stolen from ex-Optus customers, so even if you had an account with them many years ago, there's a chance your data was included.

      • +1

        However if you do not have a current account, how can you find this out ?

        • They've been sending out emails to those affected.

          • @jv: When you are a customer you have an optusnet email, once you are not you no longer have that email address. How does sending an email to an ex-customer who no longer has their email address with optus work exactly?

            • +1

              @garetz: They sent it to the email address you signed up with, not the optusnet email…

              Dear jv,

              It is with great disappointment I’m writing to let you know that Optus has been a victim of a cyberattack. As a former Optus customer this has resulted in the disclosure of some of your personal information.

              Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, phone number, address associated with your former account, and the numbers of the ID documents you provided such as drivers licence number or passport number. No copies of photo IDs have been affected.
              .
              .
              .
              .
              Warm regards,

              Kelly Bayer Rosmarin
              CEO, Optus

              • @jv:

                They sent it to the email address you signed up with, not the optusnet email

                And if you didn't have an email when you signed up?

                • @apsilon:

                  And if you didn't have an email when you signed up?

                  lol… reported for trolling…

                  • @jv: Genuinely didn't. They were the first broadband service I used. I actually still have the sign up form dated 2001 (so I know I gave them no ID as that field was left blank). My previous internet was through a small company (mate knew the owner and got me an account for free) and was still dial up at the time and they closed without notice and I lost the email address I had been using. Yes it was many moons ago but I stayed with Optus for a long time as work paid for it for over a decade and then somewhere around 2015 Optus just stopped billing me and so I had free internet up until NBN arrived in my area in early 2019 and I moved to Aussie.

              • +1

                @jv: Optus have said they've contacted all customers, yet still waiting for an email x2 for my accounts….

                • @Typical16-bitEnjoyer: you might not have been compromised.

                  • +1

                    @jv: Given the severity of the breach, I think it would be good for optus to advise customers who weren't compromised that they weren't.

                    Optus won't but, because they won't be able to satisfy themselves that those customers definitely didn't have their information compromised.

                    So (IMO) best for everyone to assume all your information was compromised until told otherwise; and even then be very skeptical.

                  • @jv: Hacker had open access to Optus' old shitty API. They've likely dumped everything.

                • @Typical16-bitEnjoyer: I spoke to an Optus customer service rep today. They haven't contacted all customers and they have no idea when the contact process will be completed. They literally said "Within this month. Probably." I was able to confirm that customers will apparently be notified by snail mail where other contact methods aren't current but they weren't able to tell me how they were determining if details are current or not which means they'll likely just email and/or message the mobile on record and call it done.

            • @garetz: When you signed up for an optus account you didn't use an optusnet email, you would have signed up using a regular email. I'm not an optus customer anymore yet I can still sign in to my optus account using my email. I got the email saying my data was stolen :(

        • I don't have a current billing account yet I was able to reset my password for my Optus account previously.

      • +1

        Yep, I can see my data was stolen going back to my Virginmobile account from the early noughties.

    • +5

      Why do they need to keep our IDs on file after we've been identified?

      • -2

        When you carry out a customer identification procedure (KYC) you must make and keep a record of:
        - what you did to identify the customer
        - the identifying information they presented.

        You don’t have to copy documents (for example you can record details of a driver’s licence or passport rather than photocopying them). However, if you do take copies, they become records you must keep.

        If you collect new customer information about a customer, you must still keep the original customer identification procedure records.

        If you don’t verify updated customer information you don’t need to keep a copy of it because it’s not a customer identification procedure. For example, if a customer tells you their new residential address and you don’t verify these new details as part of the customer identity verification procedure, you don’t need to keep a record.

        You must keep customer identification procedure records for the duration of your relationship with the customer, and for an additional seven years after you stop providing any designated services to them.

        https://www.austrac.gov.au/business/how-comply-and-report-gu…

        It’s a legal requirement that they keep the documents, and hold them for 7 years after you cancel a service.

        • -1

          AML/CTF doesn’t apply to supply of telecommunications.
          This is a red herring.

          • +1

            @mskeggs: Wrong, similar laws still apply: ACMA and telecommunications service provider law.

            • +2

              @WoodYouLikeSomeCash: Similar rules perhaps, vastly different retention period.

              ACMA

              Keep records to demonstrate compliance for at least 1 year.

              No matter how long they need to keep it, it needs to be secure.

              • @Baysew: Nothing is ever secure. Had they taken steps to keep it secure is the only question…..No matter how good your security. There is always a way all you can do is put up barriers to prevent/slow them down… Optus isn't the first Sony got breached, companies get breached daily. They will catch them ….But when they do they need to make the penalty so severe that people will think twice…..

                • +2

                  @fprjet: The penalties need to be for the companies for storing PII improperly and beyond legislative requirements, not the perpetrators (who couldn't care less).

                  But the real problem here is why is PII being stored as plaintext in the first place? There's zero reason why it isn't encrypted apart from a) laziness and b) the law doesn't say they have to. It's pathetic.

                  • @jorf: Has nothing to do with storing improperly if you are targeted by hackers….The penalties as in Jail time need to be severe for hackers. Companies spend millions trying to protect data. Your logic is banks should be fine for allowing themselves to get robbed…….

                    • +1

                      @fprjet:

                      Your logic is banks should be fine for allowing themselves to get robbed…….

                      Apologies if I'm wrong but it sounds to me like your logic is this.

                      @Baysew: Nothing is ever secure. Had they taken steps to keep it secure is the only question…..No matter how good your security. There is always a way all you can do is put up barriers to prevent/slow them down… Optus isn't the first Sony got breached, companies get breached daily. They will catch them ….But when they do they need to make the penalty so severe that people will think twice…..

                      Reads to me like they shouldn't be punishing Optus, but the hackers.

                      Yes, the hackers should get punished, but I agree with hcca's comment in that the companies should be investigated and punished if they are not at least meeting legislated requirements for securing PII (personally I think the legislated requirements are too weak, not that I've read the legislation but knowing how companies treat PII…).

                      I also have still not received any correspondence from Optus about the breach, and I do have an active login (for an inactive account). And as per my comment in another thread on this post, if Optus is not going to contact me saying my data wasn't breached, they should at least be notifying me to say it could have been breached.

                    • +1

                      @fprjet:

                      Has nothing to do with storing improperly if you are targeted by hackers…

                      It has everything to do with improper storage. When you're dealing with threat actors in other countries, or state-sponsored hackers, threats of lengthy prison time do nothing.

                      Your logic is banks should be fine for allowing themselves to get robbed…….

                      I'd like to see your working to reach that conclusion as I said nothing of the sort.

                      It's entirely up to companies to ensure that PII they hold is held in secure forms, one of which is encryption. Another is ensuring they delete data that they don't need to hold. Also, ensuring that PII is not available through APIs - the fact that I can retrieve my own personal information through an Optus API RIGHT NOW in plaintext shows that they have morons working for them and they are enabled by shitty laws that don't say that they can't do it and don't mandate massive financial/criminal penalties for improper and unnecessary storage and access.
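The two failure modes this thread keeps circling back to, an API that hands out any record whose id appears in the URL (the Citibank comparison further up) and PII returned in full through a customer-facing endpoint, both come down to missing object-level authorization and missing field minimisation on the server side. The example below is added here to show both in code; it is not Optus code and not code from anyone in this thread. The record store, session table, field names and sample values are all constructed for illustration, and the `lookup_contact_*` functions, `mask_licence` and `suspicious_sessions` are hypothetical names.

```python
"""Object-level authorization for a self-service "contact-person" lookup.

Added example, not Optus code and not code from anyone in this thread.
The record store, session table, field names and sample values below are
all constructed for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records keyed by contact id (hypothetical data).
CONTACTS: Dict[str, Dict[str, str]] = {
    "0123456789": {"name": "Alice Example", "dob": "1990-01-01",
                   "email": "alice@example.invalid", "phone": "0400000001",
                   "licence_number": "12345678"},
    "0123456790": {"name": "Bob Example", "dob": "1985-05-05",
                   "email": "bob@example.invalid", "phone": "0400000002",
                   "licence_number": "87654321"},
}

# Constructed session table: bearer token -> contact id the login belongs to.
SESSIONS: Dict[str, str] = {"tok-alice": "0123456789", "tok-bob": "0123456790"}

# Denied cross-account requests are recorded here for detection.
AUDIT_LOG: List[str] = []

Response = Tuple[int, Optional[Dict[str, str]]]  # (HTTP status, body)


def lookup_contact_vulnerable(contact_id: str) -> Response:
    """The failure mode discussed above: the id in the URL is the only
    input, so anyone who knows or guesses an id receives the whole record,
    ID document numbers included."""
    rec = CONTACTS.get(contact_id)
    return (200, dict(rec)) if rec else (404, None)


def mask_licence(number: str) -> str:
    """Show only the last two digits; the rest is replaced with '*'."""
    return "*" * (len(number) - 2) + number[-2:]


def lookup_contact_secure(token: Optional[str], contact_id: str) -> Response:
    """Hardened form: authenticate the caller, check the caller owns the
    requested object, then return only what the self-service page needs
    (no date of birth, licence number masked)."""
    owner = SESSIONS.get(token or "")
    if owner is None:
        return (401, None)
    if owner != contact_id:
        # Object-level authorization failure: record it and refuse.
        AUDIT_LOG.append(f"DENY token_owner={owner} requested={contact_id}")
        return (403, None)
    rec = CONTACTS.get(contact_id)
    if rec is None:
        return (404, None)
    return (200, {
        "name": rec["name"],
        "email": rec["email"],
        "phone": rec["phone"],
        "licence_number": mask_licence(rec["licence_number"]),
    })


def suspicious_sessions(log: List[str], threshold: int = 3) -> Set[str]:
    """Detection helper: sessions with at least `threshold` cross-account
    denials, a pattern consistent with someone walking through ids."""
    counts: Dict[str, int] = {}
    for line in log:
        if not line.startswith("DENY "):
            continue
        owner = line.split()[1].split("=", 1)[1]
        counts[owner] = counts.get(owner, 0) + 1
    return {owner for owner, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(lookup_contact_vulnerable("0123456790"))           # full record, no auth
    print(lookup_contact_secure("tok-alice", "0123456789"))  # own record, masked
    for cid in ("0123456790", "0123456791", "0123456792"):
        lookup_contact_secure("tok-alice", cid)              # three 403s logged
    print(suspicious_sessions(AUDIT_LOG))                    # {'0123456789'}
```

The point of the hardened handler is that the id in the path is never trusted on its own: the session decides which record the caller may see, and even for the caller's own record the response carries only the fields the page needs. The audit line written on every 403 is what a detection rule would key on; a single session collecting many cross-account denials in a short window is the signal a defender wants surfaced.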

                      • @jorf:

                        It's entirely up to companies to ensure that PII they hold is held in secure forms, one of which is encryption. Another is ensuring they delete data that they don't need to hold.

                        This is why I'm never using shopback again. Don't care how good their cashback is, they leaked my mobile number because they forced me to provide it unnecessarily.

                    • +1

                      @fprjet: laughable, putting in laws for people who are not going to follow laws.

                • +4

                  @fprjet: Yes, the police sit bored at work because no crimes are committed thanks to harsh penalties.

                  The security here was manifestly inadequate at several levels.
                  It is illegal with harsh penalties for me to take a bag full of cash sitting on the bank doorstep, but people would be justified in criticising the bank for leaving it unattended.

            • +1

              @WoodYouLikeSomeCash: Not sure how saying the regulations you quoted don't apply is wrong, when it is true they don't apply.

              You will also note the other regulations can be met by a log saying the ID was sighted and confirmed, it doesn't have to be stored.

              Do you also look after Optus end point security?

          • @mskeggs:

            AML/CTF doesn’t apply to supply of telecommunications

            Shouldn't but most people can't tell the difference. Therefore they lump it in.

            I guess you can resell sim cards at a loss for money laundering or finance terrorism or you give prepaid burners to terrorists.

            There was a British satire movie (home grown terrorists) called "Four Lions" it is hilarious.

    • -1

      Optus's board should force Kelly to do a CEH course and pass it before letting her resume the CEO role.

      • +1

        If you said CIO, I'd potentially agree with you.

        The CEO is the captain of the ship - it is redundant and unnecessary to say that the captain needs to be able to perform the functions and duties of every person on the ship. Sure, they should have an idea of what their role is, and perhaps some idea on how they perform it. But to say they need to be trained to perform those functions themselves is a bit much, in my opinion.

        This is also why I said I'd potentially agree with you - as the CIO is the captain of the ship in the "Information" sense. They'd need to have more of an idea over their portfolio than the CEO would, but I don't (necessarily) agree that they should have to have done the training to perform all the functions that are performed within their portfolio.
