What to do about the Optus and future data breaches?

As per the example I mentioned, when I was getting my credit reports, as soon as I selected NSW DL as the primary ID, it then opened a further field for the card number. No card #, do not pass "Go".

I have seen this on other things, like applying for a UBank account a year or so ago.
I think it's been progressively rolled out - WA said that the card number has only been required for DVS ID checks from September this year.
 
Every club you enter in NSW usually asks you to place your driver's licence into a card reader. Is anyone worried about the security or lack of with your local club?
I have always refused to provide a licence scan because I have no way of knowing what use the scans might subsequently be put to (legally or illegally). I fill in the hand-written alternative. One club told me no-licence-no-entry, so I walked out and went (with all the people with me) to a pub up the road, which was very good.
 
Anyone had any further contact re having their passport details exposed?

From my email a few weeks back after the $99 promo for QFF points, the PDF in the "Your Order Confirmation #12345677." confirmation email has my passport number.

I got the "Urgent update from Optus about your personal information" email on Sep 23
The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number. No copies of photo IDs have been affected.
And had nothing else since.

Anyone else expect it was their passport that was compromised and haven't had any further contact?

Crazy. My ID checks have only used the licence number not the card number. As a director I've had several. One as recently as three months ago. All I plugged in was my DL which was only 9 months old. If it's true it's not needed then why did Optus email me to tell me to get a new licence?
The requirement for card number started from September 1 in every state but QLD & VIC.
FAQs | Changes to the DVS
From 1 September 2022, the card number on a driver licence (DL) will be a mandatory verification field for NSW, ACT, SA, TAS, NT and WA issued licences.

Hence '3 months' ago isn't recent enough!
 
The requirement for card number started from September 1 in every state but QLD & VIC.
FAQs | Changes to the DVS


Hence '3 months' ago isn't recent enough!
So it’s only been a requirement for last 5 weeks or so which explains why I’ve not had to use it. Almost like they have been expecting it.
 
So it’s only been a requirement for last 5 weeks or so which explains why I’ve not had to use it. Almost like they have been expecting it.
Yep :)

Also why the "vast majority" didn't have both drivers licence + card number exposed, unless you'd signed up for a new service in the past few weeks (or Optus had captured the number earlier, eg off your physical card).

According to greenID (who ironically provide their verification services to Optus, along with NAB, ubank, etc), it looks like QLD will make card number mandatory from November 2023 too.
 
ID checks are National though. The only time I was asked for the card number was for my ID check for the SA Govt portal. I didn't need that number to create the GovId account and have strong security.
Drivers Licences are a state function, and my understanding is that the DVS has to comply with the API that the state provides.
 
Maybe I'm lucky, I haven't received any email from Optus yet. Mrs AS did. It said no ID had been affected, but combination of name, DOB, address, email and phone. Flagged her licence anyway. I suppose a credit check is in order?
 
Anyone had any further contact re having their passport details exposed?

From my email a few weeks back after the $99 promo for QFF points, the PDF in the "Your Order Confirmation #12345677." confirmation email has my passport number.

I got the "Urgent update from Optus about your personal information" email on Sep 23

And had nothing else since.

Anyone else expect it was their passport that was compromised and haven't had any further contact?

I think it was my passport and I’ve heard nothing - despite directly asking, they said they’re working on notifying people.
 
Drivers Licences are a state function, and my understanding is that the DVS has to comply with the API that the state provides.
Yes, things like card numbers being mandatory is actually set federally, by the Department of Home Affairs
 
Just got an email from Optus

Dear Customer,

We recently communicated to you that your personal information has been exposed during the cyberattack on Optus. Once again, we are deeply sorry this has happened on our watch.

During analysis as part of our ongoing investigation, we’ve discovered the number on your Australian Passport was exposed. Please note, a copy of your passport including your image was not exposed.

The Australian Government is working with Optus to safeguard customers from identity crime, including providing advice on actions you can take.

As a result of the government’s rapid response, you don’t need to replace your passport.

If your passport is still current, the Department of Foreign Affairs and Trade has advised it’s safe to use your passport for international travel. The Australian Passport Office has robust controls to protect your identity, including facial recognition.

To prevent the misuse of your identity, we have asked the Department of Home Affairs to block the use of your passport through the Document Verification Service (DVS). This means it can’t be used to verify your identity online via the DVS. You can still use your passport to verify your identity in-person for up to three years past its expiry.

If you’ve renewed your passport since you became an Optus customer, you don’t need to do anything.

If concerned, eligible customers can apply for a replacement passport at passports.gov.au. Visit optus.com.au/support/cyberattack to find out more.

There's also an updated FAQ on the APO site - https://www.passports.gov.au/optus-data-breach-frequently-asked-questions
 
Optus are now issuing promo codes for the free 12 mth subscription to Equifax Protect.

I popped into my local Optus store yesterday and they issued me the code. Which didn’t work initially, so I went back today - turns out the person forgot to mention that there’s a special link and you’ll need to set up a new account with a different email address (if you already have a login).

Once in, you can a range of financial and identification items for monitoring, as well as the usual credit rating/score plus monthly report.
 
Email sent to NZ passport holders

Dear Customer,

We recently communicated to you that your personal information has been exposed during the cyberattack on Optus. Once again, we are deeply sorry this has happened on our watch.

During further analysis as part of our ongoing investigation, we’ve discovered that the number on your New Zealand Passport was exposed. Please note, a copy of your passport including your image was not exposed.

If you’ve renewed your passport since becoming an Optus customer, or your passport has expired, then you don’t need to do anything.

Otherwise, the New Zealand Department of Internal Affairs have advised it is safe for you to continue to use your current passport for international travel.

You also have the option to ask the New Zealand Department of Internal Affairs to apply a block in the Australia Document Verification Service (DVS) system on your behalf. This block will mean that your passport number cannot be used for digital verification, but it can still be used to verify your identity in-person as required, such as for the purposes of taking out a loan.

With these steps in place, you should not need to replace your passport.

If you have not renewed your passport since becoming an Optus customer and you still have concerns, please contact the New Zealand Department of Internal Affairs to discuss your options at www.passports.govt.nz/optus.
 
Optus are now issuing promo codes for the free 12 mth subscription to Equifax Protect.

I popped into my local Optus store yesterday and they issued me the code. Which didn’t work initially, so I went back today - turns out the person forgot to mention that there’s a special link and you’ll need to set up a new account with a different email address (if you already have a login).

Once in, you can a range of financial and identification items for monitoring, as well as the usual credit rating/score plus monthly report.
Received my code when I asked for one via messaging in the app
 
Add VinoMofo to the list of recent breaches. Just received an email from them. Seems to be contact details etc that have been exfiltrated

Vinomofo experienced a cyber security incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website.

Testing platform using their real customer database. Somehow adding that it's not linked to their live website is now meant to make me feel better?! 🤦‍♂️
 
Add VinoMofo to the list of recent breaches. Just received an email from them. Seems to be contact details etc that have been exfiltrated



Testing platform using their real customer database. Somehow adding that it's not linked to their live website is now meant to make me feel better?! 🤦‍♂️
Not happy given every organisation should now be aware it is duck season.
 
I meant to mention “Credit ban” in my first post. I haven’t done it yet (I wasn’t entirely sure of the consequence but will do it shortly).


That’s good advice and I am not sure if it has been officially sanctioned, however it ought to be.

You are entitled to be upset with Optus since they appear to have done little or nothing to prevent this. There are suggestions that the lack of preventative controls in place even translates to encouragement for this data leak breach (allegedly).

As we live in a commercial world, feel free to vote with your feet. Businesses scream when Governments intervene and legislate during periods of market failure. Despite my laissez-faire leaning I would be circumspect to oppose any further data security legislative intervention.
 
Another data theft dating back to January with some pretty unconvincing explanations, to me at least, why it hadn't been disclosed earlier. It appears that the only way to get companies to take Cyber security seriously is to ensure that the fines for sloppy IT security far exceed the costs of putting proper defences in place. Hopefully the currently proposed bill will have sufficient teeth to be effective.

 
