Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API

Related Stores

Optus
Optus

Comments

    • any news yet on MVNO customers, amaysim, coles, etc. ?

      • +2

        MVNO customers are not affected.

      • ex VirginMobile customers are affected.

    • This page has a lot of clickable links think before accessing are they safe?

      • +1

        They are all to Optus systems, so no guarantees…

    • I followed the steps above and found my details, however they are incorrect (e.g. they have the wrong drivers license number). Does that mean someone has already tried to use my account?

      • Or the Optus took your license number and say by mistake they have typed in wrong number and didn’t bothered to verify. Just saved the details

    • Thought I would check my Microsoft account to see if there was anything suspicious with the email I would have used with Optus.. 17 Attempts to sync my email account over the last 2 days, fortunately all were unsuccessful.

      Luckily I have a couple of aliases, just checked them in https://haveibeenpwned.com/ and they haven't been compromised. Using the Microsoft Security Centre you can change which alias is allowed to sign into your account so now my impacted email can't be used - I also setup 2FA so hopefully will be ok.

      Now my Drivers licence on the other hand…

      • I also checked after your comment and I can also see unsuccessful sign-in attempts. From Los Angeles, Beijing, Bangkok and more places.

      • haveibeenpwned doesn't seem to have the Optus breach in there yet.

        • Because the data is still being held to ransom for a few more days. Can't be uploaded until it's released

    • FYI looks like optus will be paying for the credit monitoring of those affected by the hack https://twitter.com/LucasBairdAus/status/1574185874832490496

    • +1

      I like that they've got a hashed email address and hashed phone number in the API alongside plaintext versions…

    • +3

      Hacker : Hey Optus, can we please have an API for customer details open to the public?
      OPTUS : Yes.

      It starts with yes.

  • +5

    Thank you Jeremy Kirk for properly investigating this and confirming the incompetence of Optus

    https://www.bankinfosecurity.com/optus-under-1-million-extor…

    Waiting for the statements from the AFP, AG and OAIC to see if Optus still keep their telco licence after this

    If poor reception was "Vodafail", WTF is "single company compromises identities of 20-30% of entire Australian population"

    • +2

      Incomptus… i guess that would be the amalgamation of incompetent and optus?

    • That's a good article.

      Hope they cop massive fines and this leads to better legislation to protect all of us from this in the future.
      Once ID is verified high level info should not be stored online anywhere

  • I contacted Optus today morning via chat as no email yet

    “Thanks for patiently waiting, ****. I’ve checked your account, and at this stage I can’t see that you’ve been impacted; however, I strongly recommend staying extra vigilant.”

    I have two active accounts, sim only plan and Samsung tablet.

    • They said that to me, even though I had received an email. I had asked what ID docs details they were holding off mine, but they thought I was asking if I was impacted by the breach.

      • +4

        At this stage it is safe to assume that every single Optus customer is impacted.

        • Without a doubt.

        • Another thing that worries me is if Optus had leaked any information of its MVNO networks too, (amaysim, colesmobile, etc.)
          As if propper Optus accounts were not enough already that May be who knows that Optus leaked other accounts under its network too ?

    • "staying extra vigilant."

      Exactly how? They are so doublespeak. There's absolutely nothing you can do, you can't change 90% of the breached data, unless you'll move house each time someone loses your data.
      And stupid advice like "change your pw" - how does that help???

  • +5

    If the API was open to all, wonder how many other hackers got the data before Optus came to know.

    VicRoads have a banner at the top of their home page saying:

    We are aware of the cyberattack experienced by Optus and the potential exposure to some customers Victorian driver licence details. We ask customers not to contact us directly but please refer to our policy on licence replacement in the event of fraud or other misuse.

    Once you refer to the policy, it basically says that unless a fraud has taken place, there is no way to get the license number changed.

    • Oh that means I can’t get new number 😒. I want to change for peace of mine.

      • +1

        They clearly don't want you to have that peace of mind.

    • +1

      no way to get the license number changed.

      See, this is when we need our politicians to step in and actually do something instead of the usual sound-bite talking points. Force VicRoads to allow the number to be changed for the victims of this breach. Will they do it? Nah, too hard. Instead, here's a link to a listicle of "top 10 ways to protect yourself online".

      I just paid VicRoads $800+ dollars for another year of expensive fuel and rip-off road tolls. They have it so easy, VicRoads. Sitting there collecting all that cash. When it comes to actually helping people when they need it… nah, someone elses problem.

      • +1

        Most of that actually goes to TAC for insurance, not to Vicroads' pocket. But it's besides the point. The politicians need to get involved with this one, on multiple fronts…

  • I think the government will require banks and/or other financial institutions to sight at least 2 forms of ID or verify online 2 forms through the government portal after this hack event

    So it will he hard for these hackers to apply for a line of credit unless they have your other id documents

    Also my understanding the government will require optus to provide some type of details of the people affected to banks so they can do their due dilligence to prevent any financial fraud. So likely if some hacker tries to apply for credit, a red flag will alert the bank and they would contact the customer for further id verification.

    Singtel will risk loosing their telecommunication license in Australia but will try and rebrand under a new one.

    • +1

      Passports & Drivers Licenses were taken, so they have already cleared that hurtle.

      After verification has been attained and certified. They should be dumping this data and not storing it.

    • think the government will require banks and/or other financial institutions to sight at least 2 forms of ID or verify online 2 forms through the government portal after this hack event. So it will he hard for these hackers to apply for a line of credit unless they have your other id documents

      Sounds good in theory but the banks and other companies will need to modify their systems to implement the integration with the government portal and in the meantime, the business will continue as usual.

    • No way! A slap on the wrist and Optus aka Singtel will say yes and keep on carrying on with their pseudo CEO and Oelerich imported just for us by our Aussie Government(s) They reined my Rosh Hahanah aka Jewish New Years but they celebrated theirs!!!

    • +1

      In addition to typing out IDs onto forms, places will need to request for recent certified ID and an additional line saying "for the purpose of…"

      e.g. I, [full name], as [category of persons as listed below], certify that this [name of document] is a true and correct copy of the original [signature and date]. The person in this photo has requested for the certified ID to be use of opening a bank account with ANZ.

      Might be tedious getting multiple certified ID but it'll be safer. Or potentially certified ID only have valid for a certain time period e.g. 1 month.

    • What Australia really needs is a Credit block law.

      Where One person can request government to put a block on the person's credit lines, that way no one can open credit lines.
      Other countries have such a law, and it really is a live saver for a lot of identity theft victims. This solution is no means a perfect one, But it still needs to be there for all people out there who choose never to get a credit line under their name, and not risk being liable to the costs associated with these credit lines etc.

      • +1

        Further more, able to put a lock on the Sim card to stop Sim swapping, and only can unlock in person in store.

    • +4

      People more mad at Optus than the hackers haha.

      Of course. Optus had the responsibility to protect the data and they exposed it to the world without any kind of security.

      People just like being outraged these days.

      Well that may be true but you are trying to downplay the incident.

    • +4

      People are angry that their personal private information are kept and not protected for no reason.

      What a naive take. Wait till you get your numbers ported out by the people with your details now and you lose SMS 2FA and you see how far your spotting of fake emails get you.

      I suggest you go have a proper read before spewing meaningless opinions like this.

    • +1

      OFC, they obtained DOB, Names, Passport & Drivers License numbers. More than enough info to steal your identity.

    • More like in return for some milk, your local corner store wrote down your name, address, date of birth, licence number etc and then just left it on the counter and the door wide open for anyone to come in and get it.

      Enough information for someone to open a credit card in your name and max it out. Or steal your phone number, to let them get all your 2 factor authentication codes and get access to your email, bank accounts, mygov account.

    • +5

      Like if your corner shop gets robbed and all the milk is stolen, do you blame the clerk for not having any milk left for you?

      If the clerk took all the milk out of the store and left it on the street for anyone to take, then absolutely he should be blamed. It's entirely his fault that the store hasn't got any milk left for you

      I haven’t read too much into it as I don’t give a crap (I’m a Optus customer)

      If you haven't read much into it, then perhaps you should do that before you come here to comment ?

      I can guarantee that the majority of people to actually be scammed or affected by this are the same people who would fall for a fake email scam to begin with.

      You are an Optus customer. You can absolutely be scammed or affected by this.
      Please educate yourself 👍

    • great how about you post your

      Name, email, Address, phone number, Driver's licence number, passport number, and medicare number.

      Over the facebook, or somewhere on internet and add there 'I challenge you cannot open a credit line or bank account under this identity of mine' ?

      Then you pay the credit agency millions of dollars that were supposedly taken by someone else under YOUR IDENTITY ???

      How'd that feel.

      • great how about you post your

        Name, email, Address, phone number, Driver's licence number, passport number, and medicare number.

        No need, Optus already publicly posted it. We don't know other people didn't access it either. They shut it down as soon as they noticed, which appears to be after > 11m records were accessed.

        • … and don't forget that according to them the IP address kept changing. So could be more than 1 hacker having access to the data.

  • Does anyone know when signing up to a new telco if they still take physical copy/scan of our ID?
    Can we refuse this?

    • New laws will be put in place.
      I suspect that verification would be done through a government portal so companies cant keep ID data

  • +11

    Heard on the radio that VicRoads is working on allowing the changing of license number.

    Edit: - Hope VicRoads won't see this as an opportunity to make some money by charging for license number change.

    • I really hope so, because right now VicRoads unhelpful policy means we're sitting ducks.

      And frankly, I don't even care if they charge us to change it. Others seem very willing to pay $15 a month for credit monitoring and who knows how long they'll need to have that active.

      • The data from organisations such as the NSW RTA and VicRoads can take up to 30 days to filter through credit agencies, it's wise to apply for a credit ban and then get your licence number changed.

        • Firstly, VicRoads aren't currently offering change of license numbers as a result of a data breach. I think they're reviewing their options, but no word yet.

          Secondly, I've read about some negative implications to applying a credit ban:

          "The Cyber Security Centre provides advice including the application for a Credit Ban with Equifax, illion and Experian (Australia). However, an application for a credit ban may also potentially impact on a customer’s status when applying for credit with other providers because credit bans are also issued to problem gamblers and fraudsters." Source article

          I'm being careful right now not to make any wrong moves, and I don't know what to believe.

          • +1

            @mboy: The sentence doesn’t really make much sense. If you are applying for a credit ban with one provider, then potentially it would affect your “status” with another provider. Not sure what status here means but I would be putting a ban on all three providers which makes this point moot.

            If you’re wanting to apply for credit, say a mortage, just talk to your Mortage broker or bank and figure out which providers(s) they use. You can remove the ban for when you know your want credit. If something funny comes up due to the ban, then it’s very easy to explain you have put a ban info credit with other providers as you a victim of the Optus data breach.

      • yeah $15 a month can compensate someone taking a Million dollar home loan under one's identity ?

        I don't really think so.

        Anyway I hope other states allow this licence number updating too.

  • Take the statement with a huge grain of salt, of course, but Optus have supposedly finished contacting all customers who have had their IDs leaked.

    Media statement here / here.

    I personally didn't get an email, but I guess there's no way to be sure that Optus is sure my ID numbers haven't been compromised?

    • +1

      https://whirlpool.net.au/wiki/optus_sept_2022_breach

      I havent been contacted but i'm not confident i wasn't affected since I can see the worst case scenario amount of data when i use this API.

    • Its more accurate to assume it has been leaked, than vice versa.

      Optus itself claims 6 million people's data breached, 25.69 million was Australia's population in 2020 (yeah that's 2 yrs old but wont be a significant change). That's still easily at least 1 in every 5 people's sensitive info leaked (at best case scenario).

    • Interestingly, I only just received a notification of being involved in this. Maybe they've discovered a new bath of impacted people?

      • for starters, 9 million users… even if you wrote something to spam mail everyone, it is still going to take a bit of time (throttling..etc) to get it all out or risk being sh it canned by other email providers..

      • Which version of the email did you get? There's a slightly different template depending on if they've determined your ID was leaked or not.

        • It mentioned no ID numbers were leaked.

  • +4

    FFS…. Credit checks should start having 2FA , and could probably be centralised through a platform like MyGov

    • MyGov is dodgy. I reported a breach of a similar scale to Optus week ago and haven’t heard of a fix yet.

      Worse still, MyGov uses SMS 2FA, so is only as secure as your telco- oh, wait…

      • I reported a breach of a similar scale to Optus week ago and haven’t heard of a fix yet.

        Oh wow. So soon hackers will get our TFN, CRN and medicare too
        I bet you the hackers are subscribed to this discussion

        • No they won’t. They’ll need your myGov password first to trigger the second factor.

          So in theory they could port your number and they’ll have your email but not your myGov password.

      • What breach did myGov have?

  • Had 2 optus accounts, one recently and an old one. Looks like the old one had all the id details but the newer one did not have it.

    So they must have changed how they stored the data recently but forgot to cleanup the old data.

    • +1

      Or, they linked the 2 and used your old details?

      • this is more likely.

  • I got the email yesterday morning. Was with them more than 3 years ago.

    What should I do?

    So far, I've created an account with Equifax and requested my free report. No credit check has been reported so far. (I was hesitant to give them my licence and medicare number)

    I've also requested a ban on my credit checks as mentioned above. Got an email from Experian saying they dont have a file for me. Waiting to hear back from Equifax and Illion.

    Anything else I should do?

    • +3

      Change your gender.

      • +1

        Easy done

        • Those Victorinox knives will come in handy.

  • +9

    Optus and upper management response to this is so scummy.

    All denial, misdirection, attempted shifting of responsibility blaming everyone else saying the release of this information now is the responsibility of the indidivual nothing about their culpability.

    Absolute delusional arrogant attitudes. Wonder if anything has changed if cyber security is now being taken more seriously???

    Sally Olerich Optus Public Affairs corporate officer train wreck interview shows how Optus fails and is struggling to explain or take responsibility for their malfeasance and what’s happened to Chris Smith.

    https://www.2gb.com/optus-struggles-to-explain-their-data-br…

    Absolute-scummy disgusting response even now. They just don’t get it.

  • +4

    Just called up the Coles Mobile hotline - Coles Mobile was unaffected as part of the breach

  • +3

    https://www.optus.com.au/about/media-centre/media-releases/2…

    How did this happen?

    Optus was the victim of a cyberattack. We immediately took action to block the attack which only targeted Optus customer data. Optus’ systems and services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.

    Liars - They became sitting ducks due to their incompetence.

  • +1

    VicRoads has tweeted for the first time in 2 years
    https://i.ibb.co/sqyyxnF/Screenshot-20220926-125229.png

  • Anybody from NSW able to change their driver's licence number? I was thinking of going today but found this on reddit 😔 .

    Good luck if your from NSW and go into Service NSW prepared with all your paperwork and incident numbers to change your licence number….they are just forwarding you onto IDCare and not processing anything.

    • +1

      Nope. I tried at serviceNSW today they didn’t even look at the form instead directed me to one of their PCs, asked me to sign into serviceNSW and there was an online form for replacement drivers license which cost $29. I asked if I would get a new drivers license number and they said no it would be the same but the card number will be different, and that this was the same process they have done for all that have come in to organise replacements due to the Optus leak.

      • +1

        Thanks! That's useless then. Optus stored the driver's licence number not the card number. Most of the time, the driver's licence number is the only thing needed for opening accounts. 🤦‍♂️

  • +1

    When is the class action?

  • +1

    Thoughts from Troy Hunt:

    "Optus will never pay a ransom (they’re no more likely to pay $10 than they are the requested $1M), so the data will be monetised then, eventually, spread publicly such that anyone with a web browser can easily grab it all"

    https://twitter.com/troyhunt/status/1574232357678157824

  • +4

    Went to Service NSW with the required evidence / documentation to change my license number and they wouldn't process it. Said they were working with Optus to determine which license numbers need changing and that until fraud had occurred they weren't able to make changes.

    I noted this wasn't correct and that their regulations merely require that there was a credible risk that a license number will be improperly used as a result of a breach (as per the form), but they refused to process it.

    • +5

      Bureaucracy is same everywhere… Pathetic.

    • +1

      I tried to argue the same. They insisted that with everyone that had gone through earlier than me that it was the replacement license form that I needed to fill out (which cost $29).

    • +1

      FYI when I asked to change my license number I came with CIRS number from the police, a completed form and a copy of the email from Optus confirming my license details were leaked.

      They refused to process the form.

      Their website says:
      "If the security of your driver licence number or Transport for NSW customer number has been compromised or been used fraudulently, you may apply for a new number." Link

      The form says:
      "If you have reasonable grounds to believe that your NSW driver licence number or your Transport for NSW customer number has been misused by someone else or is at risk of being misused by someone else (e.g. via a data breach) you may apply for a new number using this Application form." Link

  • +3

    Optus is offering a 12-month subscription to Equifax Protect at no cost to most affected current and former customers whose information was compromised because of a cyberattack.. so I assume if you've been notified via email / SMS then you are an affected customer?

    https://www.optus.com.au/about/media-centre/media-releases/2…

    • +2

      Define most affected.

      • Exactly. I think they will only provide it to people who had passport or license hacked.

        • Or just those (10,000 so far) that have had their details released to the public for everyone to see and download. At least 99 are still out there and available to view on pastebin…

    • +1

      Probably in response to this call out from home affairs Minister: https://www.abc.net.au/news/2022-09-26/home-affairs-minister…

      It's a good start. Might limit the amount they have to pay out in the class action that comes.

  • +1

    I was with them for 10 years, internet, mobile phone everything, - but finally left them in around 2020.

    Still haven't gotten an email or text from them. Am I one of the few lucky ones didn't have my data breached/out in the open?

    • +2

      I have two active services, no email yet

    • +3

      What Optus account could have been exposed? Can I find out if I used my drivers licence or passport?

      You can check the Optus customer API yourself after logging in at https://www.optus.com.au first.

      You can only access data for the logged in user, and can't view the data of other customers.
      This is not the presumed link the hacker used to collect customer data, which allegedly did not require any authentication.

      1) View User Account details (including any identification details, like drivers licence or passport):
      https://www.optus.com.au/mcssapi/rp-webapp-9-common/user/inf…
      Take note of the 'contactID' to use it with the second URL for extra information on your account.
      You will need to replace {contactId} with that found in the first link (enter the number only, without the curly brackets or other symbols).

      2) View Customer Address details (including any identification details, like drivers licence or passport):
      https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/{contactId}?lo=en_US&sc=SS

  • +3

    a pre-text for digital IDs or micro chipping? - what could go wrong..

  • Got the email, does all the email say that they've taken your ID (driver license and/or passport). If the email says that, is there still a chance that hasnt been leaked?

    • my email specifically said “No ID document numbers or details have been affected”

Login or Join to leave a comment