What to do about the Optus and future data breaches?

TheRealTMA said:
Well, it’s been in place since the MyGov site and my health record was implemented some years ago. Optus should have followed best practice guidelines. They should not have stored such information against national guidelines. No excuse.
Click to expand...
Not arguing with you over what they should have done, just saying that many current and past customers would have been registered in their system before DVS came along. Best practice on privacy always starts with a question along the lines of Do I need to record this information and in this case they certainly needed to record much of the leaked information although it is not clear whether passport/DL numbers were needed or just the result of the ID check. Then comes a second question Have I ensured that the information is protected and will remain private and this is clearly a fail.
 
Mattg said:
By customer ID, is this referring to your "account number" which is shown when logging in?
Click to expand...
To view which details relating to you were available to the hacker, follow the instructions outlined in the blog linked at post #5 earlier in this thread:

What to do about the Optus and future data breaches?

Quite a few of us have or used to have Optus via a range of deals and promos but rather than clog some of the related threads: https://www.australianfrequentflyer.com.au/community/threads/optus-new-50-sim-only-with-roaming.93987/...
www.australianfrequentflyer.com.au www.australianfrequentflyer.com.au
 
Mattg said:
By customer ID, is this referring to your "account number" which is shown when logging in?
Click to expand...
Log into your account then copy the first link in the article and paste it in the address bar and hit enter. You’ll receive a whole lot of text where you’ll find “contact I.d”09189223-2566-4C47-AF1E-2A302CB8D6A8.jpeg
 
Mattg said:
By customer ID, is this referring to your "account number" which is shown when logging in?
Click to expand...
The short answer is that Customer ID is a system-level record from when the account is created. No short cuts, you have to go through the steps set out in the Whirlpool thread.
 
For my account, the information that was available to be accessed was:

  1. Firstname Lastname
  2. Phone Number (mobile and home, though home phone number no longer used)
  3. Residential address
  4. Date of Birth
  5. Email address

No identity document was included.

Of that information, the only one that I can change easily is the email address, and I have changed that for my Optus account (both the contact email address and the login email address). I will steadily change any other services that use that same previous email address.
 
Struggling to Redeem Your Frequent Flyer Points?
The Frequent Flyer Concierge team takes the hard work out of finding reward seat availability. Using their expert knowledge and specialised tools, they'll help you book a great trip that maximises the value for your points.

AFF Supporters can remove this and all advertisements

NM said:
For my account, the information that was available to be accessed was:

  1. Firstname Lastname
  2. Phone Number (mobile and home, though home phone number no longer used)
  3. Residential address
  4. Date of Birth
  5. Email address

No identity document was included.

Of that information, the only one that I can change easily is the email address, and I have changed that for my Optus account (both the contact email address and the login email address). I will steadily change any other services that use that same previous email address.
Click to expand...
You didnt have this line?
"indentType" : "Driving Licence"
 
This won't do much to help those affected (to whom I'd echo suggestions to pay extra close attention to your financials and credit monitoring for the foreseeable future) but as a privacy lawyer, I'm "at least" more confident than ever before now that the inertia in our government (regardless of who's in charge) to develop meaningful privacy laws is finally about to end. That will help reduce the risk going forward.

The response from both the government and Optus has been an absolute shambles; total amateur hour. If this had happened in Europe, Optus would be staring down the barrel at an absolutely extraordinary potential fine in addition to claims from individuals affected.

In Australia, we have none of that, and given some of the details we're now learning about Optus' practices leading up to this, I'd say it's safe to say the threat of "reputation damage" and "loss of public trust" wasn't a good enough incentive to establish better practices going into this.

I suspect that'll change, and quick.

As an additional aside, please humour me as I plug one piece of unsolicited advice: where possible, don't save your credit card details to individual websites. If you're going to save them somewhere, do it once to your Google or Apple account and rely on auto-fill. Even the best security practices in the "best"-regulated environments can be thwarted, but the fewer places you've added your details, the less widely you spread your risk.
 
All this talk about putting a stop to credit checks is a bit distracting. While useful, it ignores the bigger problem. The ability for anyone with your leaked data to identify as you over the phone to other companies.

Eg, if I have your info I could call up QF and say I've forgotten my password or stuffed up my MFA token. While I'm at it, I'd like to change my email address on file. You can see where this is going. This is going to be a nightmare of other companies too.

TheRealTMA said:
There’s absolutely no reason for Optus to have kept drivers licence or passport details. Identity checks are done through third party / government agency.

btw: just bought two £10 sims in Edinburgh so as not to pay the extortion of Optus $10 day roaming pass. No identification needed. Just walk in and say two sims please. Here you are Sir, three bags full.
Click to expand...

You don't need ID to purchase SIM cards here either. Registering here requires ID though.
 
Sponsored Post

Struggling to use your Frequent Flyer Points?

Frequent Flyer Concierge takes the hard work out of finding award availability and redeeming your frequent flyer or credit card points for flights.

Using their expert knowledge and specialised tools, the Frequent Flyer Concierge team at Frequent Flyer Concierge will help you book a great trip that maximises the value for your points.

I am also in the unfortunate position of getting an email from Optus saying everything including my ID has been leaked, but does the 21 day ban do anything? I thought if someone has your name, DOB, address and drivers license, they can easily ask Equifax to remove the ban before applying for credit?

At least it appears to be the case based on here: Credit Savvy - How can i remove a ban with Equifax and illion?

Edit: A lot of people including myself have been trying to find ways to protect ourselves, but it appears we are stuffed no matter what and we won't be able to claim anything meaningful from Optus even if fraud occurs because it would be impossible to prove conclusively that the fraud are a direct result of the data breach (ie. Optus can always claim the criminal got your data elsewhere), so did Optus gets away with murder and it's up to the Optus customers to bear the consequence?
 
Last edited:
glasszon said:
I am also in the unfortunate position of getting an email from Optus saying everything including my ID has been leaked, but does the 21 day ban do anything? I thought if someone has your name, DOB, address and drivers license, they can easily ask Equifax to remove the ban before applying for credit?

At least it appears to be the case based on here: Credit Savvy - How can i remove a ban with Equifax and illion?
Click to expand...

It's sadly more of an optical illusion designed for PR and the image of being seen as "doing something" than reason for anyone to stop being very vigilant about their account data during those 21 days. That's because there are several ways to get around the ban, and anyone with the right information would be able to do it, which is precisely the problem here. That information has been improperly accessed.
 
FlyingKangaroo said:
It's sadly more of an optical illusion designed for PR and the image of being seen as "doing something" than reason for anyone to stop being very vigilant about their account data during those 21 days. That's because there are several ways to get around the ban, and anyone with the right information would be able to do it, which is precisely the problem here. That information has been improperly accessed.
Click to expand...

Thanks, that's what I was afraid of. Hopefully the Victorian government will change their stance and will at least allow us to change the driver license number, I am definitely not moving my property just to have a new address!

The worst part is no doubt this will cause significant consequence to people, either in the form of identity theft or worse still, venerable people such as crime victims who cannot afford their details becoming public, and I am not a lawyer, but it doesn't appear anyone would have much luck suing Optus and we all know only lawyers win in a class action.
 
glasszon said:
so did Optus gets away with murder and it's up to the Optus customers to bear the consequence?
Click to expand...

Yes, that's the delightful status quo in which we find ourselves here in Australia given our current privacy protections (and lack thereof).

Unless you are an EU or UK citizen, I would note, in which case, technically the EU GDPR (and the Data Protection Act in the UK) applies to you even in Australia which does provide for far better protection in these situations, so there could in theory exist an individual right of action against Optus. There is still some uncertainty about what this looks like in practice in terms of proof and also in which EU country the person is a citizen of given the legal system in each can still vary a bit, but at its base, an affected individual would be able to make a claim against Optus for actual damages suffered.
 
FlyingKangaroo said:
Yes, that's the delightful status quo in which we find ourselves here in Australia given our current privacy protections (and lack thereof).

Unless you are an EU or UK citizen, I would note, in which case, technically the EU GDPR (and the Data Protection Act in the UK) applies to you even in Australia which does provide for far better protection in these situations, so there could in theory exist an individual right of action against Optus. There is still some uncertainty about what this looks like in practice in terms of proof and also in which EU country the person is a citizen of given the legal system in each can still vary a bit, but at its base, an affected individual would be able to make a claim against Optus for actual damages suffered.
Click to expand...

Thanks, I am a UK citizen but hopefully it won't comes down to that. Identity theft is really costly even if you are compensated afterwards, plus Optus can simply ignore the ruling given Optus doesn't have a presence in UK/EU.
 
glasszon said:
Thanks, I am a UK citizen but hopefully it won't comes down to that. Identity theft is really costly even if you are compensated afterwards, plus Optus can simply ignore the ruling given Optus doesn't have a presence in UK/EU.
Click to expand...

I do doubt that they would ignore the judgment if it came to that as Optus/Singtel are global organisations, but the reality is that it's not an easy road to get there, and as you say, you don't want to find yourself actually incurring the damages you'd have to suffer to start going down it. 🤞
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and enjoy a better viewing experience, as well as full participation on our community forums.

AFF members can also access our Frequent Flyer Training courses, and upgrade to enjoy lots of other benefits and discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.

Recent Posts

Currently Active Users

... and 10 more.
Total: 1,312 (members: 60, guests: 1,252)
Back
Top