What to do about the Optus and future data breaches?

[Pushka]

Yep, my DL # is still there but no home address (did anyone else see their address?). Pity they didn’t just enter the card number, I’ve renewed my DL since opening the Optus account….
My name is incomplete (only middle initial but it wouldn’t be hard to guess - in my case). Looks like DoB isn’t correct (it doesn’t even look like a computer coded version but I’m might be wrong)?
I‘ve since changed my email address. The one I used has been pretty well Spam free for years. If i start getting random cough, I’ll know why.

My name is there without middle name, no address, DOB illegible, U gender mobile number, and company name.

 

[SYD]

My name is there without middle name, no address, DOB illegible, U gender mobile number, and company name.

I’m slightly relieved that home address is missing but that could turn up in a Google search…

But DL being included is a PITA.

Edit: see subsequent post….

 

[33kft]

I’m slightly relieved that home address is missing but that could turn up in a Google search…

Did you query both of the URLs? Home address is leaked in the second URL where you provide the contact ID from the first URL for me

 

[Pushka]

Did you query both of the URLs? Home address is leaked in the second URL where you provide the contact ID from the first URL for me

carp. It's there.

 

[oz_mark]

Bit late for optus to be coming out now saying they will pay for credit-monitoring services. That should have been stated on day one. Why the delay?

They were working on it early in the piece, but it takes time to put in place the agreement.

 

[SYD]

Did you query both of the URLs? Home address is leaked in the second URL where you provide the contact ID from the first URL for me

No, I didn't get that far. I've now just cranked up the PC and did it again (much more readable than on my iPad).

The bad news, DoB and address are there in full (along with name, number and email)

 

[openseat]

Th

The Optus Breach

Actionable Advice

verse.systems

The last sim I ordered my account manager said they didn't store the licence on file. Just do their checks and delete

Thanks for that - unfortunately my licence appears. As well as my full name.

Edited to add that the further check on the updated url in this article also shows date of birth and address. What a disaster as I'm going OS for an extended period on Wednesday!

 

[Pushka]

No, I didn't get that far. I've now just cranked up the PC and did it again (much more readable than on my iPad).

The bad news, DoB and address are there in full (along with name, number and email)

Just saw my DOB too. I took screenshots of both. Now to see who the 2 million significant people are.

 

[kangarooflyer88]

Can someone explain why a telco like Optus requires things like driver's license or passport details for a prepaid plan? Is there a Federal law that requires this? In any event, thus far I have yet to receive any email from Optus so it looks like (fingers crossed) my passport details haven't been exposed.

Perhaps now is a good time for Australia to consider implementing GDPR like regulations! The onus should really be on the business for collecting any personal information like that, especially given how difficult it is to update said details.

-RooFlyer88

 

[SYD]

Can someone explain why a telco like Optus requires things like driver's license or passport details for a prepaid plan? Is there a Federal law that requires this?

Yes, there is.

ID checks for prepaid mobiles | ACMA

You must show photo ID before you can buy or activate a prepaid mobile phone. Find out what documents you can use.

www.acma.gov.au

No different to most places in the world.

But they’re not supposed to hang on to it.

 

[Daver6]

Can someone explain why a telco like Optus requires things like driver's license or passport details for a prepaid plan? Is there a Federal law that requires this? In any event, thus far I have yet to receive any email from Optus so it looks like (fingers crossed) my passport details haven't been exposed.

-RooFlyer88

I believe this is a government requirement. Probably related to anti-terrorism laws. Should you use that prepaid SIM card for naughty activities, they want to be able to find out who is using it. As much as the government is blaming Optus for all of this, they're partially responsibility for creating laws that require this data be held in the first place.

 

[kangarooflyer88]

I believe this is a government requirement. Probably related to anti-terrorism laws. Should you use that prepaid SIM card for naughty activities, they want to be able to find out who is using it. As much as the government is blaming Optus for all of this, they're partially responsibility for creating laws that require this data be held in the first place.

I'm not so sure about that. I've bought prepaid SIMs here where I didn't need to provide such details. Indeed, there are very few countries where one's right to purchase a burner phone is curtailed!

-RooFlyer88

 

[daft009]

Check your junk mail. That's where mine went.
I've now put a 21 day ban on accessing my credit file which means I will receive an email if someone tries to access it. With Equifax.

I have renewed my DL in last 12 months but the number used doesn't change. I've never been asked for expiry date on DL so

Nothing in junk either so I've been spared it would seem

 

[33kft]

As much as the government is blaming Optus for all of this, they're partially responsibility for creating laws that require this data be held in the first place.

This is true, but at the same time Optus has seemingly decided that this info needs to be served up every time user info is requested by some UI component rather than appearing to treat sensitive PII significantly more sensitively than a name or email address.

There is a big difference between holding PII data and serving it up unprompted via an unsecured API over the internet. I would say the blame might be apportioned 95% to Optus for this abomination of a privacy violating fire hose and 5% to the Government for providing the water.

The truth is they should probably never have sent it at all. A lot has been made about the lack of security which caused this whole breach but why on earth would any API reveal this info at all? The prevailing theory on the internet is to pre-fill forms but if the point is identity verification and you already have the verified identity doco, why would you pass the verified identity data to the client to pass back to the server? You would surely either just acknowledge that the data was already verified or challenge the customer to enter it again.

It really makes no sense to take this approach for anything public facing. For internal systems sure, but if that was the issue (ie if the suggestion was revealing this data was in error) why is the "fixed" platform now just enforcing authentication but still serving our sensitive document numbers up to us? It still today means if someone gets your Optus password they can get your passport number or driver's license number and I still don't see that as appropriate.

Banks have to retain info and they don't seem to do it this way. If commbank started tweeting out our transactions and then blamed it on AML regulation I am sure we would be pretty unhappy about it.

Optus absolutely deserve the derision they are getting and more.

 

[SYD]

I'm not so sure about that. I've bought prepaid SIMs here where I didn't need to provide such details.

See earlier link. You probably did provide something that met the ID check requirement.

Either way, going OT on what to do now.

 

[kangarooflyer88]

In any event, thus far I have yet to receive any email from Optus so it looks like (fingers crossed) my passport details haven't been exposed.

Seems like I spoke too soon:

Yes, there is.

ID checks for prepaid mobiles | ACMA

You must show photo ID before you can buy or activate a prepaid mobile phone. Find out what documents you can use.

www.acma.gov.au

No different to most places in the world.

But they’re not supposed to hang on to it.

In other parts of the world you pick up a SIM add a couple of bucks and you are golden. No need to provide any identification. I also don't see the point in all of this. I can just use a burner phone I got from overseas, or activate a burner phone here at a carrier that just ignores the law.

In any event, the good news from the email I received is no ID document details were disclosed. Let's hope that this ends up being the case and they don't later email me saying, "oops!"

-RooFlyer88

 

[33kft]

In other parts of the world you pick up a SIM add a couple of bucks and you are golden

I don't think that's a fair blanket statement. It is certainly not my experience in Taiwan (where I wasn't able to get a second local SIM because I had bought one a year ago which had long since been thrown away), Singapore or Hong Kong but may be in other places.

I've had access to decent roaming packages for the last 5+ years at least so it has been a while for me but in some places it's easy (eg. Thailand) and in some places it is a nightmare.

 

[exceladdict]

okay so what I have learned from this thread (thanks all, helpful as always) was that optus' email is not generic, as I had supposed, and unfortunately means that the laundry list of my personal info they said may have been exposed is very likely to have been exposed.

Holds on credit accounts now, and hoping the free optus monitoring kicks in soon.

 

[oz_mark]

Yes, there is.

ID checks for prepaid mobiles | ACMA

You must show photo ID before you can buy or activate a prepaid mobile phone. Find out what documents you can use.

www.acma.gov.au

No different to most places in the world.

But they’re not supposed to hang on to it.

I believe they're required to hold on to it for 2 years after account closure. (In the metadata rules)

 

[SYD]

I believe they're required to hold on to it for 2 years after account closure. (In the metadata rules)

Probably a record / proof that they checked and how. The ACMA link says “visual check” but also mentions using the Gov ID check system. Which ought to allow any service provider to record a Pass or Fail on ID check.