Optus suffers massive data breach affecting up to 9 million customers. The largest data breach involving personal information of Australians in history
September 23, 2022
Optus suffered a massive data breach through a cyber attack two days ago, the biggest in Australian history involving Australian data. Optus released a media release about it yesterday. The compromised data included names, dates of birth, driver's licence numbers and passport numbers: the sort of information that would allow an attacker to attempt identity theft, and very saleable data on the dark web.
A curious aspect of this incident is that some of that data related to former customers. It will be interesting to see how far back that data goes. Why is it necessary to hold onto the data of former customers from many years back? That may be a breach of the Australian Privacy Principles.
With access to key data, including email addresses, the danger to affected customers is phishing attacks and attempts at identity theft, rather than any immediate danger that Optus phone or email services will be misused or disrupted. There is little wonder that the media is reporting a heightened risk of fraud against those affected. The breach did not include payment details or account passwords.
Optus has notified the Information Commissioner. One issue to resolve is what notification will be provided to affected Optus customers. Australian notifications are rarely as open and expansive as those issued in the United States where mandatory data breach notification has been part of the regulatory environment in most states. Notices by affected organisations in the United States are more candid (though not providing all details for obvious reasons) and contrite and commonly more generous in offering support. That is good business.
In its own review, and probably under scrutiny of the Commissioner, there will be a careful analysis of the effectiveness of Optus's Data Breach Response Plan. In my experience Australian organisations put less than optimal effort into preparing for a data breach. Similarly, the response to a data breach is too often marked by improvisation rather than by following a plan.
Optus issued a media release today at 2pm titled Optus notifies customers of cyberattack compromising customer information. It provides:
Following a cyberattack, Optus is investigating the possible unauthorised access of current and former customers’ information.
Upon discovering this, Optus immediately shut down the attack. Optus is working with the Australian Cyber Security Centre to mitigate any risks to customers. Optus has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” said Kelly Bayer Rosmarin, Optus CEO.
“As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance. We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.”
Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers. Payment detail and account passwords have not been compromised.
Optus services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.
“Optus has also notified key financial institutions about this matter. While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.”
To help protect against fraud, customers are encouraged to look to reputable sources such as:
For customers believed to have heightened risk, Optus will undertake proactive personal notifications and offer expert third-party monitoring services.
The most up to date information will be available via optus.com.au. For customers who have specific concerns, they can contact Optus via the My Optus App (which remains the safest way to interact with Optus) or by calling 133 937. Optus will not be sending links in any emails or SMS messages.
Since that media release more information has come to hand, and more players have become involved, including the Home Affairs Minister, the shadow Minister James Paterson in interviews (and here), and the Information Commissioner with a very public-service-like pronouncement which, while an accurate summary of the NDB regime, says little beyond that it is working with Optus. In contrast to the Information Commissioner's minimalist approach, the ACCC has released a very helpful media release, Customers warned to watch out for scams following Optus data breach, which provides:
ACCC Scamwatch is warning customers to protect their accounts and watch out for scams following Optus data breach.
Scamwatch is warning Optus customers to be on the look out for scams and take steps to secure their personal information following a cyber-attack.
A cyber-attack has resulted in the release of Optus customers’ personal information. If you are an Optus customer your name, date of birth, phone number and email addresses may have been released. For some customers identity document numbers such as driver’s licence or passport numbers could be in the hands of criminals. It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm.
Optus customers should take immediate steps to secure all of their accounts, particularly their bank and financial accounts. You should also monitor for unusual activity on your accounts and watch out for contact by scammers.
Steps you can take to protect your personal information include:
- Secure your devices and monitor for unusual activity
- Change your online account passwords and enable multi factor authentication for banking
- Check your accounts for unusual activity such as items you haven’t purchased
- Place limits on your accounts or ask your bank how you can secure your money
- If you suspect fraud you can request a ban on your credit report.
More information about how to protect yourself is available on the OAIC website.
Check the Optus website for information and contact Optus via the My Optus App or call 133 937.
Scammers may use your personal information to contact you by phone, text or email. Never click on links or provide personal or financial information to someone who contacts you out of the blue. Learn how to protect yourself from scams by visiting www.scamwatch.gov.au
If you are concerned that your identity has been compromised or you have been a victim of a scam, contact your bank immediately and call IDCARE on 1800 595 160. IDCARE is Australia’s national identity and cyber support service, where you can get expert advice from a specialist identity and cyber security service. You can also report scams to Scamwatch at www.scamwatch.gov.au and check cyber.gov.au for information about cyber security.
Not surprisingly, this attack, the largest in Australian history involving Australians’ data, has attracted immediate and widespread attention, with The Australian writing Millions at risk in massive Optus data breach, which provides:
Optus customers face a heightened risk of identity theft and online scams after the personal information of almost 10 million of the telco’s users was compromised in one of the nation’s biggest-ever data breaches.
The nation’s top cyber spies at the Australian Signals Directorate are working with Optus to trace the perpetrators of the devastating cyber attack, which exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers.
A further seven million Optus users had their dates of birth, email addresses and phone numbers stolen.
Optus chief executive Kelly Bayer Rosmarin apologised to the telco’s 10 million customers, describing the cyber breach as “absolutely devastating”.
The attack, discovered on Wednesday night and revealed publicly by The Australian on Thursday, comes just days ahead of a visit to Australia by the entire board of Optus parent company Singtel.
It’s understood hackers exploited a weakness in Optus’s firewall. Sources said it remained unclear whether the attack was by a criminal or state-based hacking group.
Cyber security experts warned Optus customers to exercise caution as there was a high risk their data would be sold on the dark web to criminals seeking to obtain credit in their name.
Scammers were likely to use the breach to trick Optus customers into providing information they would otherwise not disclose, CyberCX chief strategy officer Alastair MacGibbon said.
“Certainly if you’re an Optus customer now you need to be extra careful about people claiming either to be Optus trying to help you out, or the police,” Mr MacGibbon said.
“Of course, the more documentation and information you have on a person, the more you can mimic that person to steal their identity and obtain credit or other things in that person’s name.”
“You’re going to see scams carried out either by criminals who will have very accurate information, or by criminals who are now piling in on this event in order to be able to carry out their scams.”
Ms Bayer Rosmarin said the company is investigating the incident and has notified regulators and the Australian Federal Police. It’s understood Optus has not received any demands for ransomware payments.
“We were able to notice and stop them but not fast enough. I just want to apologise to all of our customers and all of our people. This is not what we expect of ourselves,” she said.
“As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance.”
She said while customers’ personal information was exposed, payment details and account passwords had not been compromised. Optus uses customers’ passport information and driver’s licences to conduct credit checks.
It will reach out to “customers believed to have heightened risk”, and is encouraging customers with concerns to make contact via the My Optus app.
“Optus has also notified key financial institutions … While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” Ms Bayer Rosmarin said.
A spokesman for Cyber Security Minister Clare O’Neil said ASD’s Australian Cyber Security Centre was providing advice and technical assistance to Optus.
He said Australians and Australian organisations were being broadly targeted by cyber criminals and state-based actors seeking to steal sensitive data, through the “rapid exploitation of technical vulnerabilities”.
Opposition cyber security spokesman James Paterson said the breach was “very concerning”. “It is important to understand how this happened, who the attacker is, what mitigations can be made, and what changes are necessary to prevent it from recurring,” Senator Paterson said.
The Office of the Australian Information Commissioner said it had been made aware of the data breach and would work with Optus to ensure compliance with the requirements of the Notifiable Data Breaches scheme.
“Under the NDB scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved,” the OAIC said.
The breach is believed to be the biggest of specifically Australian consumer data. However, major Australian companies with global user bases have also fallen victim to massive data breaches.
Australian graphic design platform Canva was hit by a cyber attack in May 2019 that saw the data of 137 million of its global users exposed, while a December 2020 hack on Australian “internet of things” company Ubiquiti Networks affected up to 85 million users.
The story has received wide coverage, with the Guardian’s Customers’ personal data stolen as Optus suffers massive cyber-attack; the ABC has gone all out with Optus Hacked, Cyber expert says Optus breach ‘very significant’ by Australian standards, What we know about the Optus cyber attack, and how to strengthen your online security, Optus CEO can’t confirm how many customers affected by data breach and Optus says it has been hit by a cyber attack that has compromised customer information. The Age covers the story with ‘One of the most serious cyberattacks’: Customer data exposed in Optus hack, the Australian Financial Review with Passports, home addresses at risk as hackers attack Optus, and the always breathless coverage of the Daily Mail with Warning for all 10 MILLION Australians caught up in Optus hack to start doing credit checks NOW – and how to get the telco giant to foot the bill. And let’s not forget the Queanbeyan Age with Optus cyber attack: What to do if your data is stolen, compromised and Laws questioned after Optus cyber attack.