Pushka (Veteran Member; joined Jan 26, 2011; posts: 29,111; Qantas: Platinum; Virgin: Red)
And more to this.
Well, the original thread and post with the 10,000 names has been removed. On the hack site.
Not arguing with you over what they should have done, just saying that many current and past customers would have been registered in their system before DVS came along. Best practice on privacy always starts with a question along the lines of "Do I need to record this information?", and in this case they certainly needed to record much of the leaked information, although it is not clear whether passport/DL numbers were needed or just the result of the ID check. Then comes a second question, "Have I ensured that the information is protected and will remain private?", and this is clearly a fail.
Well, it’s been in place since the MyGov site and my health record was implemented some years ago. Optus should have followed best practice guidelines. They should not have stored such information against national guidelines. No excuse.
Interesting…….I received an email almost immediately with a case number
I also did Equifax yesterday and while the website stated it was completed I never received an email. I did with Experian.
I just did it again. Still no email.
Interesting…….I received an email almost immediately with a case number
Optus September 2022 Cyberattack & Data Breach
whirlpool.net.au
You can work out what data was leaked on your particular account with the above instructions.
Also apparently only customer IDs in the range of 1 to 8,000,000 and 40,000,000 to 48,000,000 were leaked
To view which details relating to you were available to the hacker, follow the instructions outlined in the blog linked at post #5 earlier in this thread:
By customer ID, is this referring to your "account number" which is shown when logging in?
The short answer is that Customer ID is a system-level record from when the account is created. No short cuts, you have to go through the steps set out in the Whirlpool thread.
By customer ID, is this referring to your "account number" which is shown when logging in?
You didn't have this line?
For my account, the information that was available to be accessed was:
- Firstname Lastname
- Phone Number (mobile and home, though home phone number no longer used)
- Residential address
- Date of Birth
- Email address
No identity document was included.
Of that information, the only one that I can change easily is the email address, and I have changed that for my Optus account (both the contact email address and the login email address). I will steadily change any other services that use that same previous email address.
Nope. And the email I received from Optus also confirmed that there was not an identity document linked to my account.
You didn't have this line?
"indentType" : "Driving Licence"
There’s absolutely no reason for Optus to have kept drivers licence or passport details. Identity checks are done through third party / government agency.
btw: just bought two £10 sims in Edinburgh so as not to pay the extortion of Optus $10 day roaming pass. No identification needed. Just walk in and say two sims please. Here you are Sir, three bags full.
I am also in the unfortunate position of getting an email from Optus saying everything including my ID has been leaked, but does the 21 day ban do anything? I thought if someone has your name, DOB, address and drivers license, they can easily ask Equifax to remove the ban before applying for credit?
At least it appears to be the case based on here: Credit Savvy - How can i remove a ban with Equifax and illion?
It's sadly more of an optical illusion designed for PR and the image of being seen as "doing something" than reason for anyone to stop being very vigilant about their account data during those 21 days. That's because there are several ways to get around the ban, and anyone with the right information would be able to do it, which is precisely the problem here. That information has been improperly accessed.
So did Optus get away with murder and it's up to the Optus customers to bear the consequence?
Yes, that's the delightful status quo in which we find ourselves here in Australia given our current privacy protections (and lack thereof).
Unless you are an EU or UK citizen, I would note, in which case, technically the EU GDPR (and the Data Protection Act in the UK) applies to you even in Australia which does provide for far better protection in these situations, so there could in theory exist an individual right of action against Optus. There is still some uncertainty about what this looks like in practice in terms of proof and also in which EU country the person is a citizen of given the legal system in each can still vary a bit, but at its base, an affected individual would be able to make a claim against Optus for actual damages suffered.
Thanks, I am a UK citizen but hopefully it won't come down to that. Identity theft is really costly even if you are compensated afterwards, plus Optus can simply ignore the ruling given Optus doesn't have a presence in UK/EU.