What data has been breached?
The data stolen in the Optus breach is extensive. The following information is believed to be compromised for some of the telco's users.
- Names
- Dates of birth
- Phone numbers
- Email addresses
- Street addresses
- Driver's licence details
- Passport numbers
Optus has assured customers that payment details and account passwords were not affected; however, this doesn’t mean customers are in the clear.
Only a small number of personal details are needed for a thief to steal your identity.
How to know if your data has been breached?
Over 10 million customers have had their data stolen and it’s not just current customers. Anyone who has signed up to an Optus service between 2017 and now is at risk.
Optus has already sent out an email to all customers regarding the attack - but this doesn’t mean your data has definitely been compromised. If you are at a heightened risk, Optus will contact you directly.
If you believe your data has been compromised you should contact Optus through their app (this is the way Optus recommends getting in touch) or call the telco on 133 937.
Optus has said it will not send any links by email or SMS, so if you receive any claiming to be from Optus, do not click on them.
Computer-savvy users would know that the website HaveIBeenPwned.com is the best way to find out if your information was leaked in a data hack.
[NB: “pwned” is gamer slang for being embarrassingly beaten, in this case if you turn up “pwned” on the website it means your data has been leaked.]
Unfortunately, it won’t work this time. The website operates like a large search engine, meaning the site operator needs to upload the leaked information to the site.
The cyber security professional who maintains the site, Troy Hunt, has said he will not upload the data from the Optus hack because it would give users an inaccurate answer.
“The biggest reason not to load the data though is that the leaked 10.2k records represents only a tiny portion of the total corpus of records. 99.x% of people impacted by the breach would get back "not pwned" (at least not in Optus), and that's misleading and confusing,” Troy wrote on Twitter.
What should I do about the Optus data breach?
Firstly, customers should change all online account passwords and, if they haven’t already, set up multi-factor authentication for online banking and email accounts.
Keep a close eye on your finances. Check bank statements regularly and request a credit report to ensure no one has fraudulently taken out a loan in your name.
The Office of the Australian Information Commissioner (OAIC) says you can request a ban on your credit report if you suspect fraud.
If you’re concerned about your licence or passport number being compromised, unfortunately there isn’t much you can do unless someone has already tried to use your data.
In Victoria, drivers can only apply for a new licence if they have evidence of attempted fraud.
Similarly, in NSW drivers must "report the theft or incident to police and obtain a police event or ReportCyber receipt (CIRS) number". NSW Service Minister Victor Dominello has advised Optus customers to apply for a replacement licence.
Queensland, Tasmania, WA, SA and the territories are yet to advise customers on what they can do about changing their licence number.
How might the stolen data be used?
The biggest risk to customers is that their information may be used to fraudulently take out loans or apply for credit cards.
Although Optus maintains financial records were not stolen, another risk is that thieves may be able to use the leaked information to break into the online banking accounts of victims.
The most likely use of the information, and the one customers have already experienced, would be to perpetrate additional scams through text and email.
The Commonwealth Bank of Australia has already confirmed it has blocked an account used in a scam to extort $2,000 from victims of the Optus attack.
Victims were receiving SMSes demanding the money or “your information will be sold and used for fraudulent activities within 2 days”.
Other common SMS scams have also ramped up in recent days, such as those claiming to be from Australia Post.
It is important that Optus customers remain highly vigilant about any suspect text messages or emails they receive. Where possible, contact the business directly instead of clicking links in messages.
You can register fraudulent SMSes by forwarding them to Scamwatch on 0429 999 888.
Has the Optus hacker been caught?
Not yet. But the investigation is ongoing even after the ‘apology’.
Optus and the Australian Federal Police are both investigating and the FBI in the United States has been called in to assist.
If you’re concerned about your data being breached, the OAIC and Scamwatch websites have plenty of resources.