Optus data breach — what you need to know
The Optus data breach has affected an estimated 10 million customers Australia-wide, including businesses.
Those affected are at risk of identity theft. So how did this happen, and what does it mean for you and your business?
What happened at Optus?
The breach exploited a weak API (application programming interface), which is a way for applications and devices to access data securely.
For example, when accessing your bank account with a smartphone app, an API is used to grab your information off the company server and present it on the app after you’ve logged in securely.
In the case of Optus, the hacker reportedly found a vulnerability in the Optus API and was able to access the data of about 10 million customers.
What is Identity theft?
Identity theft is when a cybercriminal gains access to your personal information to steal money or gain other benefits. They can create fake identity documents in your name, get loans and benefits or apply for real identity documents in your name, but using another person's photograph.
What information did Optus Leak?
The details, dating back to 2017, include names, birth dates, phone numbers, email addresses, and — for some customers — addresses and driver's licence, Medicare numbers or passport numbers. It all depends on what was used to prove the identify originally.
What if my phone uses the Optus mobile network?
This is only an issue with Optus customers whose data was stored on the Optus servers.
Customers of Amaysim, Aussie Broadband, Dodo, iPrimus and any other mobile virtual network operator that uses the Optus network are not affected.
Their information is not stored on the Optus servers but on the respective company they are subscribing to, which just happens to use the Optus network.
What should I do now?
Step 1) Identify your most vulnerable accounts and secure them
Make a list of your most vulnerable accounts.
- What bank accounts do you hold?
- What about superannuation or brokerage accounts?
- Do you have important medical information on any services that thieves may use against you?
- What accounts are your credit card details saved to?
Amazon and eBay are common targets as people often keep credit card details saved to those accounts.
Next, check how a password reset is done on these accounts. Does it merely require access to text messages or an email account? If so, protect those accounts as well. Consider updating passwords for each account as a precaution.
Activate multi-factor authentication on sensitive accounts, such as banks, superannuation, and brokerage accounts. This adds an extra layer for criminals to break through, for example by requesting an additional code to type in.
Ideally, use an application like Google Authenticator or Microsoft Authenticator if the service allows, or an email that is not listed with Optus.
Avoid having codes sent to an Optus phone number, as it's at higher risk of being stolen.
Step 2) Lock your SIM card and credit card if possible
One of the most immediate concerns will be using the leaked data to compromise your phone number, which is what many people use for their multi-factor authentication.
SIM jacking — getting a mobile phone provider to give access to a phone number they don't own — will be a serious threat.
Most carriers allow you to add a verbal PIN as the second verification step, to prevent SIM jacking.
While Optus has locked SIM cards temporarily, that lock is unlikely to last. Call your provider and ask for a verbal PIN to be added to your account.
If you suddenly lose all mobile service in unusual circumstances, contact your provider to make sure you haven't been SIM jacked.
Step 3) Improve your cyber hygiene
The personal information stolen from Optus may be used with other information cybercriminals find about a person online; social media, your business website, discussion forums and previous breaches provide additional information.
Many people have unknowingly been victims of cyber breaches in the past.
- Check what information about you is available to cybercriminals via HaveIBeenPwned.
- If any emails have been linked to a breach, consider what passwords those accounts used, and if they are being used anywhere else.
- Take extra care in verifying emails and text messages. Scammers use leaked information to make phishing attempts more credible and targeted. Never click links sent via text or email. Don't assume someone calling from a company is legitimate, get the customer support number from their website, and call them on that number.
- Creating unique and secure passwords for every service is the best defence. It is made easier using a password manager — many free apps are available — to manage your passwords. Avoid keeping digital records of passwords in email or in computer files while keeping any written passwords in a safe, secure location.
How do I know if I've been hacked and what can I do about it?
Any phone calls, emails or letters from financial institutions regarding an unknown loan or service could be suspicious. Call the institution and clarify the situation.
The State Government has also announced that new driver's licence cards with new licence numbers will be issued to those who have been informed by Optus that their driver's licence information has been compromised as part of the breach.
For support contact IDCare, a not-for-profit organisation designed to assist victims of cyberattacks and identity theft. Cybercrimes, including identity theft, can be reported through the Australian Cyber Security Centre ReportCyber.
If your identity has been stolen, you can apply for a Commonwealth Victims' Certificate to support your claim that you have been the victim of identity crime and help re-establish your credentials with government or financial institutions.