What to do about the Optus and future data breaches?

TheRealTMA said:
Well, it’s been in place since the MyGov site and my health record was implemented some years ago. Optus should have followed best practice guidelines. They should not have stored such information against national guidelines. No excuse.
Click to expand...
Not arguing with you over what they should have done, just saying that many current and past customers would have been registered in their system before DVS came along. Best practice on privacy always starts with a question along the lines of Do I need to record this information and in this case they certainly needed to record much of the leaked information although it is not clear whether passport/DL numbers were needed or just the result of the ID check. Then comes a second question Have I ensured that the information is protected and will remain private and this is clearly a fail.
 
Mattg said:
By customer ID, is this referring to your "account number" which is shown when logging in?
Click to expand...
To view which details relating to you were available to the hacker, follow the instructions outlined in the blog linked at post #5 earlier in this thread:

What to do about the Optus and future data breaches?

Quite a few of us have or used to have Optus via a range of deals and promos but rather than clog some of the related threads: https://www.australianfrequentflyer.com.au/community/threads/optus-new-50-sim-only-with-roaming.93987/...
www.australianfrequentflyer.com.au www.australianfrequentflyer.com.au
 
Check out the latest credit card signup bonus point offers
Read our AFF credit card guides and start earning more points now.

AFF Supporters can remove this and all advertisements

Mattg said:
By customer ID, is this referring to your "account number" which is shown when logging in?
Click to expand...
Log into your account then copy the first link in the article and paste it in the address bar and hit enter. You’ll receive a whole lot of text where you’ll find “contact I.d”09189223-2566-4C47-AF1E-2A302CB8D6A8.jpeg
 
Mattg said:
By customer ID, is this referring to your "account number" which is shown when logging in?
Click to expand...
The short answer is that Customer ID is a system-level record from when the account is created. No short cuts, you have to go through the steps set out in the Whirlpool thread.
 
For my account, the information that was available to be accessed was:

  1. Firstname Lastname
  2. Phone Number (mobile and home, though home phone number no longer used)
  3. Residential address
  4. Date of Birth
  5. Email address

No identity document was included.

Of that information, the only one that I can change easily is the email address, and I have changed that for my Optus account (both the contact email address and the login email address). I will steadily change any other services that use that same previous email address.
 
NM said:
For my account, the information that was available to be accessed was:

  1. Firstname Lastname
  2. Phone Number (mobile and home, though home phone number no longer used)
  3. Residential address
  4. Date of Birth
  5. Email address

No identity document was included.

Of that information, the only one that I can change easily is the email address, and I have changed that for my Optus account (both the contact email address and the login email address). I will steadily change any other services that use that same previous email address.
Click to expand...
You didnt have this line?
"indentType" : "Driving Licence"
 
This won't do much to help those affected (to whom I'd echo suggestions to pay extra close attention to your financials and credit monitoring for the foreseeable future) but as a privacy lawyer, I'm "at least" more confident than ever before now that the inertia in our government (regardless of who's in charge) to develop meaningful privacy laws is finally about to end. That will help reduce the risk going forward.

The response from both the government and Optus has been an absolute shambles; total amateur hour. If this had happened in Europe, Optus would be staring down the barrel at an absolutely extraordinary potential fine in addition to claims from individuals affected.

In Australia, we have none of that, and given some of the details we're now learning about Optus' practices leading up to this, I'd say it's safe to say the threat of "reputation damage" and "loss of public trust" wasn't a good enough incentive to establish better practices going into this.

I suspect that'll change, and quick.

As an additional aside, please humour me as I plug one piece of unsolicited advice: where possible, don't save your credit card details to individual websites. If you're going to save them somewhere, do it once to your Google or Apple account and rely on auto-fill. Even the best security practices in the "best"-regulated environments can be thwarted, but the fewer places you've added your details, the less widely you spread your risk.
 
All this talk about putting a stop to credit checks is a bit distracting. While useful, it ignores the bigger problem. The ability for anyone with your leaked data to identify as you over the phone to other companies.

Eg, if I have your info I could call up QF and say I've forgotten my password or stuffed up my MFA token. While I'm at it, I'd like to change my email address on file. You can see where this is going. This is going to be a nightmare of other companies too.

TheRealTMA said:
There’s absolutely no reason for Optus to have kept drivers licence or passport details. Identity checks are done through third party / government agency.

btw: just bought two £10 sims in Edinburgh so as not to pay the extortion of Optus $10 day roaming pass. No identification needed. Just walk in and say two sims please. Here you are Sir, three bags full.
Click to expand...

You don't need ID to purchase SIM cards here either. Registering here requires ID though.
 
I am also in the unfortunate position of getting an email from Optus saying everything including my ID has been leaked, but does the 21 day ban do anything? I thought if someone has your name, DOB, address and drivers license, they can easily ask Equifax to remove the ban before applying for credit?

At least it appears to be the case based on here: Credit Savvy - How can i remove a ban with Equifax and illion?

Edit: A lot of people including myself have been trying to find ways to protect ourselves, but it appears we are stuffed no matter what and we won't be able to claim anything meaningful from Optus even if fraud occurs because it would be impossible to prove conclusively that the fraud are a direct result of the data breach (ie. Optus can always claim the criminal got your data elsewhere), so did Optus gets away with murder and it's up to the Optus customers to bear the consequence?
 
Last edited:
glasszon said:
I am also in the unfortunate position of getting an email from Optus saying everything including my ID has been leaked, but does the 21 day ban do anything? I thought if someone has your name, DOB, address and drivers license, they can easily ask Equifax to remove the ban before applying for credit?

At least it appears to be the case based on here: Credit Savvy - How can i remove a ban with Equifax and illion?
Click to expand...

It's sadly more of an optical illusion designed for PR and the image of being seen as "doing something" than reason for anyone to stop being very vigilant about their account data during those 21 days. That's because there are several ways to get around the ban, and anyone with the right information would be able to do it, which is precisely the problem here. That information has been improperly accessed.
 
FlyingKangaroo said:
It's sadly more of an optical illusion designed for PR and the image of being seen as "doing something" than reason for anyone to stop being very vigilant about their account data during those 21 days. That's because there are several ways to get around the ban, and anyone with the right information would be able to do it, which is precisely the problem here. That information has been improperly accessed.
Click to expand...

Thanks, that's what I was afraid of. Hopefully the Victorian government will change their stance and will at least allow us to change the driver license number, I am definitely not moving my property just to have a new address!

The worst part is no doubt this will cause significant consequence to people, either in the form of identity theft or worse still, venerable people such as crime victims who cannot afford their details becoming public, and I am not a lawyer, but it doesn't appear anyone would have much luck suing Optus and we all know only lawyers win in a class action.
 
glasszon said:
so did Optus gets away with murder and it's up to the Optus customers to bear the consequence?
Click to expand...

Yes, that's the delightful status quo in which we find ourselves here in Australia given our current privacy protections (and lack thereof).

Unless you are an EU or UK citizen, I would note, in which case, technically the EU GDPR (and the Data Protection Act in the UK) applies to you even in Australia which does provide for far better protection in these situations, so there could in theory exist an individual right of action against Optus. There is still some uncertainty about what this looks like in practice in terms of proof and also in which EU country the person is a citizen of given the legal system in each can still vary a bit, but at its base, an affected individual would be able to make a claim against Optus for actual damages suffered.
 
FlyingKangaroo said:
Yes, that's the delightful status quo in which we find ourselves here in Australia given our current privacy protections (and lack thereof).

Unless you are an EU or UK citizen, I would note, in which case, technically the EU GDPR (and the Data Protection Act in the UK) applies to you even in Australia which does provide for far better protection in these situations, so there could in theory exist an individual right of action against Optus. There is still some uncertainty about what this looks like in practice in terms of proof and also in which EU country the person is a citizen of given the legal system in each can still vary a bit, but at its base, an affected individual would be able to make a claim against Optus for actual damages suffered.
Click to expand...

Thanks, I am a UK citizen but hopefully it won't comes down to that. Identity theft is really costly even if you are compensated afterwards, plus Optus can simply ignore the ruling given Optus doesn't have a presence in UK/EU.
 
glasszon said:
Thanks, I am a UK citizen but hopefully it won't comes down to that. Identity theft is really costly even if you are compensated afterwards, plus Optus can simply ignore the ruling given Optus doesn't have a presence in UK/EU.
Click to expand...

I do doubt that they would ignore the judgment if it came to that as Optus/Singtel are global organisations, but the reality is that it's not an easy road to get there, and as you say, you don't want to find yourself actually incurring the damages you'd have to suffer to start going down it. 🤞
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.

Recent Posts

Currently Active Users

Total: 209 (members: 34, guests: 175)
Back
Top