What to do about the Optus and future data breaches?

Currently queued as Services SA for replacement licence. 30 minutes so far and I’d say another 20. Queue outside is growing steadily.
 
No communication from Optus yet for me… but I have from my other financial institutions (regarding the breach and steps for me to take).

I know I’m not one of the affected ones, but still… how can Optus still be pfaffing about even with a generic ‘here’s what to be aware of’?
 
No communication from Optus yet for me… but I have from my other financial institutions (regarding the breach and steps for me to take).

I know I’m not one of the affected ones, but still… how can Optus still be pfaffing about even with a generic ‘here’s what to be aware of’?
In fairness it does take them some time to determine what specific information was leaked for each user since it seems that the data leak wasn't a one-size-fits-all affair (i.e. my passport details weren't leaked).

However, I do wonder how much credit Optus will give its customers for this stuff-up? Perhaps a free month of service? 🤔

-RooFlyer88
 
In fairness it does take them some time to determine what specific information was leaked for each user since it seems that the data leak wasn't a one-size-fits-all affair (i.e. my passport details weren't leaked).

However, I do wonder how much credit Optus will give its customers for this stuff-up? Perhaps a free month of service? 🤔

-RooFlyer88
Accept that, but there could have been a generic email to say ‘yup, there was a breach… you’ll be notified in the next five days if you have been impacted… here’s what you can do in the meantime’… or words to that effect.

If my other banks have reached out, how come Optus can’t?
 

No communication from Optus yet for me… but I have from my other financial institutions (regarding the breach and steps for me to take).

I know I’m not one of the affected ones, but still… how can Optus still be pfaffing about even with a generic ‘here’s what to be aware of’?
I just received the email today, no ID documents leaked (I had already worked that out), “just” name, address, DOB and email.
 
I've had some Optus services in the past, but probably with a previous email address. I'll have to trawl through a couple to see if it turns up.
 
After 4 hours on live chat with Optus, I got the free Equifax Protect code and registered for 12 months. Turned out that I have a pretty good credit score.

Still waiting for Optus to email me formal notification so that I can officially apply to have my NSW driver licence number (rather than just card number) changed.
 
The Opposition didn’t want Optus to pay… saying the government should waive passport fees instead.

Glad the taxpayer isn’t going to have to foot the bill for this one.
Yeah Optus should bear all the costs (and then some in fines) to learn a valuable lesson here. Putting sensitive customer information unprotected on the web is downright reckless. There is no excuse for it from a small business never mind a major corporation that is supposed to have cyber-security as one of their core competencies.

After 4 hours on live chat with Optus, I got the free Equifax Protect code and registered for 12 months. Turned out that I have a pretty good credit score.
Which is all fine and good, but what happens after 12 months' time when criminals will likely be using the information they harvested from the leak? I suspect if companies were forced to provide lifetime credit monitoring to customers impacted by a breach these events would be very rare occurrences indeed! Then again, credit monitoring by definition is reactionary, responding to identity theft issues after the fact. What seems obvious now is the systems used in the 80s and 90s to verify identity and provide credit are wholly inappropriate for today's OpSec environment.

-RooFlyer88
 
After 4 hours on live chat with Optus, I got the free Equifax Protect code and registered for 12 months. Turned out that I have a pretty good credit score.

Still waiting for Optus to email me formal notification so that I can officially apply to have my NSW driver licence number (rather than just card number) changed.
In SA it’s really quick and they don’t ask for evidence. In the SA gov app it’s already changed. But I had my old one for almost 50 years!
 
The lack of follow-up by Optus is abysmal.

Got the 'news' early on Sept 24th:

"The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number."

No contact since. So what ID documents are they exactly?

Yesterday rang our health fund and the four security questions were among the data hacked from Optus. I mentioned this to the CSA and got the response - 'That is nothing to do with us, we aren't Optus'.

I suggested that anybody could call up and say change the bank account details for benefit payments; again no understanding. So I asked whether any discussion had been held at the call centre over any additional measures - "Why would there be, nothing to do with us."

I had been thinking of changing health funds as yesterday was time for rollover premium, decision made, new health fund with additional question for ID.

Years ago a very knowledgeable security person mentioned that you should never use correct answers. So if, say, born in Sydney, then for all security questions on 'place of birth' make the answer Toyota or October (make sure you write it down & be consistent).

Many places allow you to change your date of birth (for the security question).

Update: No, neither of those suggested answers are anything near what my bogus place of birth answer is!
 
Years ago a very knowledgeable security person mentioned that you should never use correct answers. So if, say, born in Sydney, then for all security questions on 'place of birth' make the answer Toyota or October (make sure you write it down & be consistent).
That's a smart idea.
 
Yeah Optus should bear all the costs (and then some in fines) to learn a valuable lesson here. Putting sensitive customer information unprotected on the web is downright reckless. There is no excuse for it from a small business never mind a major corporation that is supposed to have cyber-security as one of their core competencies.


Which is all fine and good, but what happens after 12 months' time when criminals will likely be using the information they harvested from the leak? I suspect if companies were forced to provide lifetime credit monitoring to customers impacted by a breach these events would be very rare occurrences indeed! Then again, credit monitoring by definition is reactionary, responding to identity theft issues after the fact. What seems obvious now is the systems used in the 80s and 90s to verify identity and provide credit are wholly inappropriate for today's OpSec environment.

-RooFlyer88

The 12 months offered by Optus is a pathetic joke, like the company they are and have been for the last decade.

I've submitted a TIO complaint asking for $500 credit to cover close to 5 years of credit monitoring.
 
I am struggling to find out how I know what data was leaked? I got the generic email on 24th but nothing since. I have had my Optus account for decades so know no DL or current passport but I use direct debit payment and other details will be on file.
 
The lack of follow-up by Optus is abysmal.

Got the 'news' early on Sept 24th:

"The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number."

No contact since. So what ID documents are they exactly?

Yesterday rang our health fund and the four security questions were among the data hacked from Optus. I mentioned this to the CSA and got the response - 'That is nothing to do with us, we aren't Optus'.

I suggested that anybody could call up and say change the bank account details for benefit payments; again no understanding. So I asked whether any discussion had been held at the call centre over any additional measures - "Why would there be, nothing to do with us."

I had been thinking of changing health funds as yesterday was time for rollover premium, decision made, new health fund with additional question for ID.

Years ago a very knowledgeable security person mentioned that you should never use correct answers. So if, say, born in Sydney, then for all security questions on 'place of birth' make the answer Toyota or October (make sure you write it down & be consistent).

Many places allow you to change your date of birth (for the security question).

Update: No, neither of those suggested answers are anything near what my bogus place of birth answer is!
You need to go into your account and paste the 2 links provided in this article, The Optus Breach, which was on page 1 of this thread, and that tells you what has been taken.

I am struggling to find out how I know what data was leaked? I got the generic email on 24th but nothing since. I have had my Optus account for decades so know no DL or current passport but I use direct debit payment and other details will be on file.
Same.

Pasted here.

First log in here: https://www.optus.com.au/ and then, once logged in, visit this link and you should see a JSON encoded response that contains your personal information. Check in particular the indentType [sic] field, which should tell you what kind of document has been exposed; and the indentValue [again, sic—who wrote this data schema?] which in my case tells me exactly which document I should get re-issued.

Updated 2022-09-26 4:05 PM: If you don’t mind jumping through a few hoops, you can also confirm what street address details might have been exposed. To do that, first write down the numeric contactId value from the JSON response you got above. Then take the following URL https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/{contactId}?lo=en_US&sc=SS and copy and paste it into the address bar of your browser. Manually replace the part that says {contactId} with the numeric value you wrote down. It should return yet another JSON encoded response that includes street address information. This response for me also included the ID document information in the documentType and documentNumber fields, plus (worryingly) information that would seem to pertain to the expiration date of the document.
 
I note that ServiceNSW advises as follows:

"enhanced protections which came into effect in NSW on 1 September 2022 requiring both the licence number and the card number to pass a Document Verification Service (DVS) check.

A DVS check is used by institutions such as banks to verify a person’s identity.

Both the licence number and the card number are required to pass a DVS check for NSW licence holders."

So I am guessing that unless Optus advise that the DL card Number was exposed, then DL will not be replaced as a matter of course.
 
I note that ServiceNSW advises as follows:

"enhanced protections which came into effect in NSW on 1 September 2022 requiring both the licence number and the card number to pass a Document Verification Service (DVS) check.

A DVS check is used by institutions such as banks to verify a person’s identity.

Both the licence number and the card number are required to pass a DVS check for NSW licence holders."

So I am guessing that unless Optus advise that the DL card Number was exposed, then DL will not be replaced as a matter of course.
Trouble is that it’s only NSW (or SA etc) Governments who know to ask for the actual card number and not just the license ID card number for verifying ID. This is just passing the buck. Just issue new licenses. If SA can do it why not NSW?
 
You need to go into your account and paste the 2 links provided in this article, The Optus Breach, which was on page 1 of this thread, and that tells you what has been taken.


Same.

Pasted here.

First log in here: https://www.optus.com.au/ and then, once logged in, visit this link and you should see a JSON encoded response that contains your personal information. Check in particular the indentType [sic] field, which should tell you what kind of document has been exposed; and the indentValue [again, sic—who wrote this data schema?] which in my case tells me exactly which document I should get re-issued.

Updated 2022-09-26 4:05 PM: If you don’t mind jumping through a few hoops, you can also confirm what street address details might have been exposed. To do that, first write down the numeric contactId value from the JSON response you got above. Then take the following URL https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/{contactId}?lo=en_US&sc=SS and copy and paste it into the address bar of your browser. Manually replace the part that says {contactId} with the numeric value you wrote down. It should return yet another JSON encoded response that includes street address information. This response for me also included the ID document information in the documentType and documentNumber fields, plus (worryingly) information that would seem to pertain to the expiration date of the document.
Thank you! All very confusing.
 