What to do about the Optus and future data breaches?

[Pushka]

It's sadly more of an optical illusion designed for PR and the image of being seen as "doing something" than reason for anyone to stop being very vigilant about their account data during those 21 days. That's because there are several ways to get around the ban, and anyone with the right information would be able to do it, which is precisely the problem here. That information has been improperly accessed.

I'd hope that cancellation requires the insertion of the original claim number?

 

[FlyingKangaroo]

I'd hope that cancellation requires the insertion of the original claim number?

No, you can authorise the credit reporting agency to release your report to a third party during the ban with written permission specifically referring to which party you're authorising the release.

It doesn't matter much anyway. None of the risk is going to go away within 21 days nor does the risk materially decrease after that time. Some hackers might even wait until the storm dies down a bit. Likewise, Optus is hoping that 3 weeks from now when the arbitrary ban comes off, this will be out of the news cycle -- and for the most part, it will be.

 

[Pushka]

No, you can authorise the credit reporting agency to release your report to a third party during the ban with written permission specifically referring to which party you're authorising the release.

It doesn't matter much anyway. None of the risk is going to go away within 21 days nor does the risk materially decrease after that time. Some hackers might even wait until the storm dies down a bit. Likewise, Optus is hoping that 3 weeks from now when the arbitrary ban comes off, this will be out of the news cycle -- and for the most part, it will be.

I'd expect to have it ongoing for some time. I'm past the loan and credit card churning. And if no consent is given to a third party then I don't see it as a problem for me.

 

[FlyingKangaroo]

I'd expect to have it ongoing for some time. I'm past the loan and credit card churning. And if no consent is given to a third party then I don't see it as a problem for me.

You can place a hold or extend an existing hold whenever you like.

Not a bad idea for those affected, as it's possible some hackers might not bother trying to get the hold released if it fails on first attempt.

 

[Pushka]

You can place a hold or extend an existing hold whenever you like.

Not a bad idea for those affected, as it's possible some hackers might not bother trying to get the hold released if it fails on first attempt.

I guess they have 10 million to choose from

 

[drron]

Apparently they got my passport number. they have a problem as that number has been changed when i got my new passport this year.

 

[Pushka]

Apparently they got my passport number. they have a problem as that number has been changed when i got my new passport this year.

Do you remember using your passport at Optus?

 

[drron]

For some reason I used it instead of my D/L. Probably because Tasmanian hospitals require it to work. Optus worked better in Latrobe. That was the only time I used Optus.

 

[MelMel]

Apparently Medicare Card numbers are also involved

 

[AIRwin]

That was the only time I used Optus.

And final time?

 

[Pushka]

Apparently Medicare Card numbers are also involved

That would be for the 100 identity check I guess. We got a new one a month ago.

 

[AIRwin]

QLD - If you've received an Optus data breach notice, you can change your driver licence number and receive a new driver licence free of charge:

Change your customer reference number

Your customer reference number is used for a lot of products and documents with us, such as your driver licence. If you need to change it find out how.

www.qld.gov.au

 

[Pushka]

SA is also replacing licences for no charge. Channel 7 apparently downloaded the list of 10,000 and called up a few.

 

[MelMel]

https://www.news.com.au/technology/online/hacking/states-reveal-plan-to-replace-licence-numbers-for-aussies-in-optus-hack/news-story/e1b4f2a27ba08177f752ac24bbbfbfd1

Some more information about replacing licenses

 

[Pushka]

https://www.news.com.au/technology/online/hacking/states-reveal-plan-to-replace-licence-numbers-for-aussies-in-optus-hack/news-story/e1b4f2a27ba08177f752ac24bbbfbfd1

Some more information about replacing licenses

And crickets for the SA announcement which I believe was the first state.

 

[AIRwin]

https://www.news.com.au/technology/online/hacking/states-reveal-plan-to-replace-licence-numbers-for-aussies-in-optus-hack/news-story/e1b4f2a27ba08177f752ac24bbbfbfd1

Some more information about replacing licenses

"The state has yet to detail exactly how residents can receive the new licence, but those concerned can call (07) 3097 3108 for help."
QLD has already published info on the site:

Home (Department of Transport and Main Roads)

Department of Transport and Main Roads website home page

www.tmr.qld.gov.au

 

[exceladdict]

So hacker has now apologised to optus and said data all deleted

Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office

Optus CEO says federal police are ‘all over’ post with ultimatum demanding $1m within four days after massive data breach

www.theguardian.com

Sounds like a great ploy to get it out of the news and stop people taking preventative measures which could reduce the value of the stolen data

Not arguing with you over what they should have done, just saying that many current and past customers would have been registered in their system before DVS came along. Best practice on privacy always starts with a question along the lines of Do I need to record this information and in this case they certainly needed to record much of the leaked information although it is not clear whether passport/DL numbers were needed or just the result of the ID check. Then comes a second question Have I ensured that the information is protected and will remain private and this is clearly a fail.

Absolutely. Why wasn't it deleted, why wasn't it encrypted, behind 2FA, etc.

 

[oz_mark]

Sounds like a great ploy to get it out of the news and stop people taking preventative measures which could reduce the value of the stolen data


Absolutely. Why wasn't it deleted, why wasn't it encrypted, behind 2FA, etc.

I don't think it is a ploy. I am coming to the view that there was nothing sophisticated in any of this. It was just an opportunistic play, when someone saw an open door. Probably thought it would be easier to sell.

As to the second point, why wasn't it behind any form of authentication seems to be the real question

 

[kangarooflyer88]

Sounds like a great ploy to get it out of the news and stop people taking preventative measures which could reduce the value of the stolen data

Franky there is nothing anyone can do now that the data is leaked out. Even if Optus pays the million dollarydoos (which I doubt they'll do), how do we know for certain that was the one and only copy the criminal had? For all we know it has already been sold to someone on the dark web?

With most data breaches like this, the actual identity theft doesn't happen immediately overnight. Smart criminals know that folks will lock their credit and set up credit monitoring for a year. What is more than likely to happen is they use these pieces of identification in a couple years time when everyone has let their guard down. This is why I get my free credit report annually from the credit bureaus just to make sure everything is on the up and up.

Absolutely. Why wasn't it deleted, why wasn't it encrypted, behind 2FA, etc

Incompetence? No doubt a number of developers at Optus did not take a single security training course to realize such common sense things as you don't publish an end-point to the public without authentication or anything else. The fact that this lack of training is happening at a telco which should have a security culture given the type of information that passes through their networks is worrisome.

-RooFlyer88

 

[JohnK]

Very confusing. Very disappointing.

This will be very interesting. I have problems obtaining credit so good luck to anyone with my details.