What to do about the Optus and future data breaches?

[Amanad78]

I still haven't had an email from Optus but can see my DL info is out there.
Need an email for QLD transport to issue new licence.
Optus chat says just wait and in the meantime they gave me a code for the 12 month credit monitoring.

 

[tgh]

I wonder just how relevant all this brouhaha is to the average Optus customer.
So they may have given someone my driving licence #.. what use is that to a thief ?
I don't plan to pay their speeding fines….
If we are eventually skimmed of anything.. the service providers will both indemnify and compensate us.

 

[MEL_Traveller]

Just to follow up on the links to view our personal data… in theory it is possible to see what information is being held, but that that information has not been hacked? My customer ID falls outside the range, even though I can see DL and DOB and all the other stuff?

 

[daft009]

Equifax themselves have been hacked numerous times over the last few years.

I'm not a fan of signing up with them and then do 100 points of ID again lol

Post automatically merged: Sep 29, 2022

Just to follow up on the links to view our personal data… in theory it is possible to see what information is being held, but that that information has not been hacked? My customer ID falls outside the range, even though I can see DL and DOB and all the other stuff?

Did you receive any email from Optus?

If not I think you're fine, same situation as me

 

[MEL_Traveller]

Did you receive any email from Optus?

If not I think you're fine, same situation as me

No email. My customer ID is outside the range, and calling optus they advised I wasn’t impacted.

 

[Ade]

The Optus Breach

Actionable Advice

verse.systems

The last sim I ordered my account manager said they didn't store the licence on file. Just do their checks and delete

I'm a little late to this party ... I was notified of the Optus cyber attack and Optus emailed me earlier this week. I just used the details from Toby's website to verify and I'm (happy?) to note that the my license & address details exposed were both not my current ones. The license was a Learners that I acquired from a state that I no longer reside in, however, I assume that the Learners is still valid, meaning not expired? I need to check this.

And the address, again is in a state that I no longer live in. But those that were living with me around the time I signed up with Optus are still living in the same address - will this be an issue?

What's not clear to me is - will someone be able to use this "no longer current/expired" information of mine to access any of my current/existing details ?

 

[Pushka]

I wonder just how relevant all this brouhaha is to the average Optus customer.
So they may have given someone my driving licence #.. what use is that to a thief ?
I don't plan to pay their speeding fines….
If we are eventually skimmed of anything.. the service providers will both indemnify and compensate us.

Listening to a story yesterday of someone whose ID was stolen. Loans issued in their name. Couldn’t open accounts themselves. It is taking them years and so much stress. That’s why it’s an issue.

 

[tgh]

someone whose ID was stolen

Perspective :
How many personal ID's are stolen and used fraudulently in Au pa ?
What % of the populace per annum have had their ID's stolen and used fraudulently?
What is the current total cost ( to individuals) of ID theft in Au ?

 

[Pushka]

someone whose ID was stolen

Perspective :
How many personal ID's are stolen and used fraudulently in Au pa ?
What % of the populace per annum have had their ID's stolen and used fraudulently?
What is the current total cost ( to individuals) of ID theft in Au ?

Perspective. Did you get vaccinated for Covid? What is the percentage of Australian population who died from it?

 

[RAM]

someone whose ID was stolen

Perspective :
How many personal ID's are stolen and used fraudulently in Au pa ?
What % of the populace per annum have had their ID's stolen and used fraudulently?
What is the current total cost ( to individuals) of ID theft in Au ?

True.

However, if you are one of those people then your life can turn into a living hell.

In 2016 a local resident in my neighbourhood had their ID stolen (mail theft from locked mail box). Police suspected either a resident who could see mail deliveries or someone living in the same block of 1960s units. Various bills 'did not turn up in the mail' over about a 6 or 7 month period but apparently occasionally missing mail was not uncommon at that unit block.

Two personal loans taken out with different banks totalling $27,000, and one CC used to buy items online and then shipped to a DHL office for pre-paid (cash in envelope with story of having to leave as visa expired but online purchases had not shown up yet so please ship to...) onward shipment. Seems quite a common occurance which the delviery companies appear not to question very closely even if onward address is Russia.

One bank grudgingly believed his pleas & stat dec etc after some months, the other did not and launched an investigation into him that went on for nearly a year. Meanwhile his credit record was adversely marked by the 2nd bank which led to other adverse issues for him.

Not something I would like to go through.
_________________________________________________

It was bad enough when in 2009/10 Citibank lost millions of CC details covering around 15 different countries (including Australia). Never publicly announced BTW nor people contacted.

Doing some digging, I uncovered that a processing house used by Citi in the US got hacked and it went from there.

In my case, the CC details belonged to a CC I had never asked nor applied for but Citi had upgraded me without asking. When I found I could not pay the annual fee using points (how uneducated I was back then) - I asked to cancel it & had never even activated it let alone done a single transaction. I specificially stated I wanted the card completely cancelled (as USCiti Head of CCs had eductated me in the 1990s about).

Important to use the word 'completely' rather than just 'closed' or 'cancelled'.

Turned out CSA or someone did not do as I requested.

Time passes, I am away and get a call from better half asking whether I'd had a rush of blood and bought an expensive new toy...

Turns out that Citi links(ed?) all live & 'cancelled' cards together - so that statement dates are common for an upgraded card - even if cancelled more than a year earlier. At just one minute past midnight of auto DD being processed on existing CC to zero outstanding balance, transactions began using the 'cancelled' CC number & spent all but under $50 of the full credit limit of our existing CC.

Citi did/would not reveal the account number when talking with us (two separate CSAs at around the same time with each of us, & subsequently Aust-based fraud dept). Only when the faxed each transaction on a special form we had to complete was the closed CC # revealed.

Citi fraud dept then adopted a different tone when I challenged them & their illegal activity (as I confirmed CC 'competely cancelled' by email).

My credit was impacted for around 4 months before finally being fixed.

Meanwhile, the system then (but maybe no longer) for CC fraud with Mastercard or Visa was NOT to notify any of the merchants but to simply notify either MC or V (depending on card issuer). Then MC or V notifies each merchant at the END of that billing period, not immediately. So in my case, that was nearly a month away.

As all purchases were online and mostly for expensive specialised items (such as custom made smash repair tools around $10k worth) which I had never purchased anything like in the previous approx 20 yrs with Citi CC, or massive purchases from such as Peters of Kensington ($7k worth IIRC) - it turned out that most were not shipped to a freight forwarder for up to three weeks later. Turned out that none were shipped within 2 days of us discovering the fraud.

So all could have been stopped & merchants face minimal to zero losses. I discovered this when subsequently contacted by the various merchants in the ensuing months.

 

[daft009]

Still no email but did receive a SMS recently..

 

[CMA222]

Still no email but did receive a SMS recently.

Given the Optus update on 26 September said:
"Optus has now sent email or SMS messages to all customers whose id document numbers, such as licence or passport number, were compromised because of the cyberattack."
and texts are still going out 3 days later relating to the ID documents (and all the other information accessed) they are obviously struggling to get the notifications out. They appear to want the record to reflect everyone was notified by 26/09, even though it is clear they were not.

 

[Anna]

Why is the Optus breach getting so much more media attention and panic than other previous breaches?

Eg the SA govt payroll breach - everyone's personal information who gets paid anything by the SA govt - nowhere near this much publicity. The SA Law Society breach - all the personal info of every lawyer in SA - no media attention at all as far as I know. Various airline and hotel chain breaches - nowhere near this much media attention, hardly any attention at all outside of travel media. I don't get why Optus is copping this much flak when others have escaped it.

 

[33kft]

Why is the Optus breach getting so much more media attention and panic than other previous breaches?

Because ~40% of the adult population of Australia were impacted, I would say.

I was hit and I know many people who were hit. It's the closest thing to a universal data breach that the country has seen. Sure, Uber had many more people affected but not exclusively from a single country. It's all about the dimensions of it, it's enough of an impact to materially financially impact departments who are replacing the compromised IDs.

I can't think of any comparable breach, certainly none of those listed have comparable dimensions in terms of the number of Australians affected, and of that, the scale of the ID compromise is huge, this isn't just names and emails and password hashes, it's document IDs which are reasonably rare when it comes to leaks (obviously the SA govt payroll is an exception to that rule).

 

[Pushka]

Why is the Optus breach getting so much more media attention and panic than other previous breaches?

Eg the SA govt payroll breach - everyone's personal information who gets paid anything by the SA govt - nowhere near this much publicity. The SA Law Society breach - all the personal info of every lawyer in SA - no media attention at all as far as I know. Various airline and hotel chain breaches - nowhere near this much media attention, hardly any attention at all outside of travel media. I don't get why Optus is copping this much flak when others have escaped it.

As the Optus breach involves 'everyone' then it's more impactful across society. Heard today also that ABS suffered a breach a while ago and didn't tell anyone for around 6 months.

Optus must be bleeding. Their stores are devoid of people. And just now received an email offering us an upgraded plan for all the Business phone lines we have with them. If I agree then I need to fill in paperwork. Yeah. Nah. Just got my new licence thanks.

Collected son from Hospital this morning after small procedure. He lives in the country. He's with Optus. There are no service SA branches within less than 45 minutes one way where he lives. He couldn't think how he was going to get his licence. So on the way home we dropped into a metro centre. I lined up for him and explained to staff why I was doing that. Staff were brilliant. He went to the counter after being seated just as I got to the front of the queue.

 

[Daver6]

Why is the Optus breach getting so much more media attention and panic than other previous breaches?

Eg the SA govt payroll breach - everyone's personal information who gets paid anything by the SA govt - nowhere near this much publicity. The SA Law Society breach - all the personal info of every lawyer in SA - no media attention at all as far as I know. Various airline and hotel chain breaches - nowhere near this much media attention, hardly any attention at all outside of travel media. I don't get why Optus is copping this much flak when others have escaped it.

Both due to size and the fact ID info has been lost. However, you're right about the lack of attention paid to breaches.

Only a month or two ago UWA had a breach of their student records. Data for all past students including courses and grades are now in the public domain. I received an notification which basically alerted me to it and said bad luck. I've said it before and I'll say it again. Until their is legislation that forces those who have breached to compensate those whose data has been exposed, there is no good reason to take it seriously.

 

[drron]

But all the reports have stated that not all accounts were hacked. Also the hacker said they released 10200 account details and then wiped the only copy they had. So at present we know 10200 are definitely at risk or 0.05% of the Australian population.
There are different versions of how many accounts were accessed with reports I have seen ranging from 120000 to 1.2 million. So at worst 5% of Australians are at risk.
I have not seen any reports that all optus accounts were accessed so saying that this affects 40% of the Australian population is a little OTT. But journalists like a little sensation.

 

[OATEK]

Optus have enjoyed a perfect storm because of the potential impact (which may not reveal itself for a long time). In the case of many others such as the SA payroll blunder, the actual impact may well have been greater, it certainly was initially.

So yes, Optus is being hammered for the potential impact, and as one of those customers affected quite upset and joining in the baying.

 

[NM]

But all the reports have stated that not all accounts were hacked. Also the hacker said they released 10200 account details and then wiped the only copy they had. So at present we know 10200 are definitely at risk or 0.05% of the Australian population.
There are different versions of how many accounts were accessed with reports I have seen ranging from 120000 to 1.2 million. So at worst 5% of Australians are at risk.
I have not seen any reports that all optus accounts were accessed so saying that this affects 40% of the Australian population is a little OTT. But journalists like a little sensation.

Not sure I would trust the statement from the hacker regarding deleting the information. The "value" of the information would be very significant in the wrong hands, and anyone willing to undertake such a hacking process is certainly not worthy of my trust.

 

[MEL_Traveller]

But all the reports have stated that not all accounts were hacked. Also the hacker said they released 10200 account details and then wiped the only copy they had. So at present we know 10200 are definitely at risk or 0.05% of the Australian population.
There are different versions of how many accounts were accessed with reports I have seen ranging from 120000 to 1.2 million. So at worst 5% of Australians are at risk.
I have not seen any reports that all optus accounts were accessed so saying that this affects 40% of the Australian population is a little OTT. But journalists like a little sensation.

But statistics are of little consolation if you happen to be impacted

The other elephant generated by your post is the lack of information put out by optus on the exact numbers. It wouldn’t be open to speculation if optus was transparent.

The lessons learned from this:

• get out communications as early as possible
• communications should set a forward timetable for further information
• dont quibble about covering consequential costs for those impacted such as credit monitoring services or a new DL.
• write to those not impacted, to provide peace of mind.