What to do about the Optus and future data breaches?

Yep, my DL # is still there but no home address (did anyone else see their address?). Pity they didn’t just enter the card number, I’ve renewed my DL since opening the Optus account….
My name is incomplete (only middle initial but it wouldn’t be hard to guess - in my case). Looks like DoB isn’t correct (it doesn’t even look like a computer coded version but I might be wrong)?
I’ve since changed my email address. The one I used has been pretty well Spam free for years. If I start getting random cough, I’ll know why.
My name is there without middle name, no address, DOB illegible, U gender 😆 mobile number, and company name.
 
My name is there without middle name, no address, DOB illegible, U gender 😆 mobile number, and company name.
I’m slightly relieved that home address is missing but that could turn up in a Google search…

But DL being included is a PITA.

Edit: see subsequent post….☹️
 
Bit late for Optus to be coming out now saying they will pay for credit-monitoring services. That should have been stated on day one. Why the delay?

They were working on it early in the piece, but it takes time to put in place the agreement.
 
Did you query both of the URLs? Home address is leaked in the second URL where you provide the contact ID from the first URL for me
No, I didn't get that far. I've now just cranked up the PC and did it again (much more readable than on my iPad).

The bad news, DoB and address are there in full :mad: (along with name, number and email)
 

The last sim I ordered my account manager said they didn't store the licence on file. Just do their checks and delete
Thanks for that - unfortunately my licence appears. As well as my full name.

Edited to add that the further check on the updated url in this article also shows date of birth and address. What a disaster as I'm going OS for an extended period on Wednesday!
 
No, I didn't get that far. I've now just cranked up the PC and did it again (much more readable than on my iPad).

The bad news, DoB and address are there in full :mad: (along with name, number and email)
Just saw my DOB too. 😤 I took screenshots of both. Now to see who the 2 million significant people are.
 
Can someone explain why a telco like Optus requires things like driver's license or passport details for a prepaid plan? Is there a Federal law that requires this? In any event, thus far I have yet to receive any email from Optus so it looks like (fingers crossed) my passport details haven't been exposed.

Perhaps now is a good time for Australia to consider implementing GDPR like regulations! The onus should really be on the business for collecting any personal information like that, especially given how difficult it is to update said details.

-RooFlyer88
 
Can someone explain why a telco like Optus requires things like driver's license or passport details for a prepaid plan? Is there a Federal law that requires this?
Yes, there is.

No different to most places in the world.

But they’re not supposed to hang on to it.
 
Can someone explain why a telco like Optus requires things like driver's license or passport details for a prepaid plan? Is there a Federal law that requires this? In any event, thus far I have yet to receive any email from Optus so it looks like (fingers crossed) my passport details haven't been exposed.

-RooFlyer88

I believe this is a government requirement. Probably related to anti-terrorism laws. Should you use that prepaid SIM card for naughty activities, they want to be able to find out who is using it. As much as the government is blaming Optus for all of this, they're partially responsible for creating laws that require this data be held in the first place.
 
I believe this is a government requirement. Probably related to anti-terrorism laws. Should you use that prepaid SIM card for naughty activities, they want to be able to find out who is using it. As much as the government is blaming Optus for all of this, they're partially responsible for creating laws that require this data be held in the first place.
I'm not so sure about that. I've bought prepaid SIMs here where I didn't need to provide such details. Indeed, there are very few countries where one's right to purchase a burner phone is curtailed!

-RooFlyer88
 
Check your junk mail. That's where mine went.
I've now put a 21 day ban on accessing my credit file which means I will receive an email if someone tries to access it. With Equifax.

I have renewed my DL in last 12 months but the number used doesn't change. I've never been asked for expiry date on DL so 🤷‍♀️
Nothing in junk either so I've been spared it would seem 🤞
 
As much as the government is blaming Optus for all of this, they're partially responsible for creating laws that require this data be held in the first place.
This is true, but at the same time Optus has seemingly decided that this info needs to be served up every time user info is requested by some UI component rather than appearing to treat sensitive PII significantly more sensitively than a name or email address.

There is a big difference between holding PII data and serving it up unprompted via an unsecured API over the internet. I would say the blame might be apportioned 95% to Optus for this abomination of a privacy violating fire hose and 5% to the Government for providing the water.

The truth is they should probably never have sent it at all. A lot has been made about the lack of security which caused this whole breach but why on earth would any API reveal this info at all? The prevailing theory on the internet is to pre-fill forms but if the point is identity verification and you already have the verified identity doco, why would you pass the verified identity data to the client to pass back to the server? You would surely either just acknowledge that the data was already verified or challenge the customer to enter it again.

It really makes no sense to take this approach for anything public facing. For internal systems sure, but if that was the issue (ie if the suggestion was revealing this data was in error) why is the "fixed" platform now just enforcing authentication but still serving our sensitive document numbers up to us? It still today means if someone gets your Optus password they can get your passport number or driver's license number and I still don't see that as appropriate.

Banks have to retain info and they don't seem to do it this way. If commbank started tweeting out our transactions and then blamed it on AML regulation I am sure we would be pretty unhappy about it.

Optus absolutely deserve the derision they are getting and more.
 
I'm not so sure about that. I've bought prepaid SIMs here where I didn't need to provide such details.
See earlier link. You probably did provide something that met the ID check requirement.

Either way, going OT on what to do now.
 
In any event, thus far I have yet to receive any email from Optus so it looks like (fingers crossed) my passport details haven't been exposed.
Seems like I spoke too soon:
Screen Shot 2022-09-26 at 22.10.42.png

Yes, there is.

No different to most places in the world.

But they’re not supposed to hang on to it.
In other parts of the world you pick up a SIM, add a couple of bucks and you are golden. No need to provide any identification. I also don't see the point in all of this. I can just use a burner phone I got from overseas, or activate a burner phone here at a carrier that just ignores the law.

In any event, the good news from the email I received is no ID document details were disclosed. Let's hope that this ends up being the case and they don't later email me saying, "oops!"

-RooFlyer88
 
In other parts of the world you pick up a SIM, add a couple of bucks and you are golden
I don't think that's a fair blanket statement. It is certainly not my experience in Taiwan (where I wasn't able to get a second local SIM because I had bought one a year ago which had long since been thrown away), Singapore or Hong Kong but may be in other places.

I've had access to decent roaming packages for the last 5+ years at least so it has been a while for me but in some places it's easy (eg. Thailand) and in some places it is a nightmare.
 
Okay, so what I have learned from this thread (thanks all, helpful as always) was that Optus' email is not generic, as I had supposed, and unfortunately means that the laundry list of my personal info they said may have been exposed is very likely to have been exposed. :(

Holds on credit accounts now, and hoping the free optus monitoring kicks in soon.
 
I believe they're required to hold on to it for 2 years after account closure. (In the metadata rules)
Probably a record / proof that they checked and how. The ACMA link says “visual check” but also mentions using the Gov ID check system. Which ought to allow any service provider to record a Pass or Fail on ID check.
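The API point made a few posts up (acknowledge that the document was verified, or challenge the customer to re-enter it, but never hand the number back) and the "record a Pass or Fail on ID check" idea above both come down to the same server-side shape. The sketch below is an added example written for this thread, not Optus's code; the record fields, `Session`, `profile_*` functions and the `DL00000000` sample value are all constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class CustomerRecord:
    customer_id: int
    name: str
    id_doc_type: str     # "drivers_licence" or "passport"
    id_doc_number: str   # retained because the rules require it, never served
    id_verified: bool    # outcome of the original check: all a UI needs

@dataclass
class Session:
    customer_id: Optional[int]   # None: caller is not authenticated

def require_owner(record: CustomerRecord, session: Session) -> None:
    # Every read is authenticated and scoped to the caller's own record.
    if session.customer_id is None or session.customer_id != record.customer_id:
        raise PermissionError("not the account holder")

def profile_leaky(record: CustomerRecord) -> dict:
    # The pattern criticised above: no auth, and the verified document is
    # pre-filled into the response just so a form can echo it back later.
    return {"name": record.name, record.id_doc_type: record.id_doc_number}

def profile_safe(record: CustomerRecord, session: Session) -> dict:
    # Acknowledge that verification happened; the number stays server-side.
    require_owner(record, session)
    return {"name": record.name,
            "id_document": {"type": record.id_doc_type,
                            "verified": record.id_verified}}

def verify_document(record: CustomerRecord, session: Session, submitted: str) -> bool:
    # Re-verification as a challenge: the customer types the number again and
    # the server answers pass/fail with a constant-time compare; no value leaves.
    require_owner(record, session)
    return hmac.compare_digest(submitted.strip().upper(),
                               record.id_doc_number.strip().upper())

def leaks_document(response: dict, record: CustomerRecord) -> bool:
    # Release-gate check: does any string value in a response carry the raw number?
    def walk(v) -> bool:
        if isinstance(v, dict):
            return any(walk(x) for x in v.values())
        return isinstance(v, str) and record.id_doc_number in v
    return walk(response)

# Constructed sample record, not real data.
SAMPLE = CustomerRecord(1001, "A. Example", "drivers_licence", "DL00000000", True)
```

Run `leaks_document` over every response shape in a test suite: it flags the `profile_leaky` output and passes the `profile_safe` one, which is the check that would have caught a pre-fill response before it went public.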
 
