What is the Optus data breach

2022-09-29

What does the Optus data breach reveal about corporate ... (ABC News)

The Optus data breach "should strike fear in the hearts of all directors and senior managers" in Australia, says Governance Institute of Australia chief ...

"Cyber security is right there in the top echelon of issues which face corporate Australia … not knowing where to start." "With the Optus case, we have highly sensitive data and affecting a third of Australians," Ms Motto told The Drum. "Issues such as data governance need to be brought back into the spotlight as a matter of urgency." "But the pandemic accelerated the use of technology, and in many respects increased the risk of data and privacy breaches." "A confirmation bias (it won't happen to me) leading to apathy in seeking to understand and mitigate the risk of an attack, or … [discussion paper](https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-regulations-incentives) that highlighted weaknesses in Australian cyber security regulations and incentives. Megan Motto agrees that the Optus data breach is a massive wakeup call for Australian companies big and small and it "should strike fear in the hearts of all directors and senior managers." "Company directors need to assess cyber security just as they would any risk, making competent decisions to understand the nature of the risk and how their level of (under) investment in cyber security controls will impact customers and stakeholders," said Nigel Phair, Director (Enterprise) for the UNSW Institute for Cyber. "Boards need to realise that the new digital landscape is something they have to be prepared for," CEO of the Governance Institute of Australia Megan Motto told The Drum. "Responsibility for the security breach rests with Optus, and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country," Home Affairs Minister Clare O'Neil told question time on Monday.
[the company is not "the villain" and urged customers to be on high alert](/news/2022-09-27/online-account-claims-to-have-released-optus-customer-data/101476232).

Optus data breach: Australian states and territories issuing new ... (Drive)

All Australian states and territories are offering new driver licence numbers for motorists affected by the Optus data breach.

Tasmanians can go to any Service Tasmania Shop where they will be issued a new licence. The Tasmanian Government will replace the driver's licences for motorists "who can demonstrate that they have had both the licence number and the card number disclosed been impacted by the Optus data breach". Those who have had both numbers compromised will be contacted by Optus, where they will then be allowed to cancel their licence and apply for a re-issued licence and card number. [ACT Government](https://www.accesscanberra.act.gov.au/s/article/Information-about-the-Optus-data-breach) has announced motorists will only be able to apply for a new driver’s licence number if they are a victim of fraud from the Optus data breach. Western Australia's Premier, Mark McGowan, has announced the state government will set up a new system which will allow motorists to apply for a new licence number. [Department of Transport and Main Roads](https://www.qld.gov.au/transport/licensing/update/change-your-customer-reference-number) says motorists who have been notified by Optus of an exposed driver’s licence number can apply for a new card at one of the state’s customer service centres, requiring evidence of identity and communication of the data breach from Optus. In the Australian Capital Territory, driver’s licences have a licence number (which remains with the holder throughout their life) and a card number (which changes every time a licence card is replaced). [The Guardian](https://www.theguardian.com/australia-news/2022/sep/27/optus-data-breach-australians-will-be-able-to-change-their-drivers-licence-with-telco-to-pay), motorists in New South Wales will be able to apply for a new driver’s licence number through the Service NSW app after receiving confirmation from Optus that their data has been breached. 
“Customers who have had both their driver licence number and associated card number compromised are expected to be contacted by Optus in coming days and are strongly advised to apply for a replacement licence as soon as possible,” Service NSW told The Guardian. In an unprecedented move, all of Australia’s states and territories will allow motorists affected by the Optus data breach to request a new driver’s licence number. However, with almost 10 million Australians affected by the Optus data breach, all Australian state and territory governments are allowing motorists to apply for a new driver’s licence number – on strict conditions. All Australian states and territories are offering new driver licence numbers for motorists affected by the Optus data breach.

Optus tells former Virgin Mobile and Gomo customers they could ... (The Guardian)

Identification repair service receives a month's worth of complaint calls in three days as government pressures telco to pay for replacement ID documents.

“We know that fraudsters [and] scammers are already on to it, whether they’ve got the Optus data or not, they’re attempting to impersonate Optus, they’re attempting to … [Optus to compensate customers,](https://www.theguardian.com/business/2022/sep/28/anthony-albanese-says-optus-should-pay-for-new-passports-for-data-breach-victims) not the government, and that every company in the country should be on heightened alert. Some state transport authorities have indicated customers will need to get compensated from Optus directly for licence replacements, but the company hasn’t communicated how that will occur.

'There's one email': worried Optus customers outraged by lack of ... (The Guardian)

Optus customers have been left feeling vulnerable and outraged by the company's poor communication a week after it announced a massive cyber-attack affecting ...

Connie Quinn, also a 20-year Optus customer, has received a single email from the company. But it isn’t just current customers struggling to find clear information about their stolen data. You feel so vulnerable, it’s like going into your office naked.” Tricia Smythe was an Optus customer 13 years ago and received an email five days after the hack to notify her that her information was compromised. Optus has emailed some customers alerting them to the cyber-attack, including general information about what data might have been exposed. On 22 September, Optus revealed a data breach in which the personal information of millions of customers was stolen, including names, email and postal addresses, phone numbers and dates of births.

Optus data breach scams (Scamwatch)

Scamwatch is urgently warning Australians to be on the lookout for increased scam activity following the recent Optus data breach and to take steps to ...

[online form](https://www.vic.gov.au/victorian-drivers-licence-record-flag-optus-breach) to flag your licence and request a replacement. See: [Service NSW - Optus breach](https://www.service.nsw.gov.au/optus-breach-faqs) - You can apply to Credit Reporting Agencies for a credit ban to stop people getting credit or loans in your name. - By changing either of these you will have more protection because it will make it harder for criminals to use your old one to take out loans or credit in your name. - ACT – Dedicated phone line for ACT residents - Resolution and Support Team can be contacted on 13 22 81 and selecting option one. Including this in data matching criteria minimises the risk of identity theft using a stolen or lost driver licence. - When a bank or credit provider is checking your suitability for credit, they check with Credit Reporting Agencies. [online form](https://www.nsw.gov.au/id-support-nsw/contact-id-support). [IDCARE](https://www.idcare.org/optus-db-response) has a dedicated support page to assist Optus customers impacted by the data breach. If you receive demands to pay money with a threat that your information will be released, delete the message. - Be wary of new communications and don’t just accept what you’re being told. Serious damage can occur when your information winds up in the wrong hands, but there are steps we can take to protect ourselves.

New approaches needed to prevent another Optus-level data ... (The Strategist)

Last week's Optus data breach exposed the personally identifiable information of up to 9.8 million customers and former customers in Australia, ...

Perhaps this incident will provide the encouragement needed to take on this thorny subject and find a way forward that could genuinely stop a repeat. One example already in operation is obtaining a tax file number online, where the Australian Taxation Office (the relying party) communicates with myGovID, which in turn uses a phone app to verify the physical presence of the individual. In order to be useful, the API would probably have been set up to automatically decrypt the requested data before sending it out to the requestor. This is unsurprising if, as it has been suggested, the attacker got authorised access to a standard application programming interface to the data, known as an API. The standard response of armchair commentators is to recommend encrypting the data, which Optus claims to have done. However, telecommunications companies operating in Australia are required to verify the identities of those they provide services to, as part of regulations to prevent many other types of crimes.

Shahriar Akter | Optus data breach was bound to happen. We need ... (The Canberra Times)

The business models of Australian corporate houses encourage them to skimp on security at the cost of both...

While the message and the actions seem immature, there is no guarantee of the involvement of a sophisticated criminal group or a state actor to mask the real purpose. Although Optus offer a year's subscription to credit monitoring service Equifax to track suspicious financial activity for affected customers, customers have a right to know the extent of the data breach and potential compensation. Assuming contingency, companies should have a strategic communications plan on when, what and how to communicate with stakeholders. Because, the hacker knew that a large telco giant like Optus was never going to pay the ransomware. It's high time to reform cyber security protection regulations for commercial and customer data and reforms to fines for companies that have lax policies to protect Australians. I see Australian companies, large and small, skimp on security measures, cutting corners in the business models at the cost of millions of customers' private information.

Companies don't need to keep identification data after it's been ... (SBS)

Companies often require customers to supply details such as Medicare numbers for identification checks. Attorney-General ...

ensure any cost arising out of this is compensated by Optus and not the government," he said. "Our number one focus is dealing with the problems we have in front of us. "Upon discovering the cyberattack, we immediately took action to shut it down to protect your information. "For too long we have had companies solely looking at data as an asset they can use commercially ... "Overwhelmingly, this is Optus' mistake, this is Optus' stuff-up and it's up to Optus to rectify the customers and ... "It really is hard to overestimate the impact and the extent to which this is affecting Australians and Australian households, over 40 per cent of Australians are impacted by the Optus breach, either directly or indirectly," he said. In addition to current and former Optus customers, the range of people impacted by the breach has grown to include customers of Optus subsidiaries. we need to have them appreciate very, very firmly that Australians' personal information belongs to Australians, it's not to be misused, it absolutely has to be protected and if the Privacy Act is not getting us those outcomes then we need to look at reforms to the Privacy Act." Mr Dreyfus said Australians need to be assured that when their data is asked for by a private company or by the government, it will only be used for the purpose for which it has been collected. "Obviously, the more data that's kept, the bigger the problem there is about keeping it safe, the bigger the problem there is about the potential damage that's going to be done by a huge hack that's occurred here." "We need to get in place something that [encourages] companies to dispose of data safely, to not keep data when they no longer have a purpose for it," he said. 
"We are all familiar with this 100-point identity check; if a company says 'we need to see your driver's licence' or 'we need to see your passport number' that is for the purpose of establishing that you are who you say you are but that should be the end - one might think - of the company keeping all that data."

VIDEO: Scammers target victims of Optus data breach - InDaily (InDaily)

The Federal government says scammers are already at work after the Optus cyber hack with a massive increase in alerts to the national identity agency.

IOTW: Everything we know about the Optus data breach | Cyber ... (Cyber Security Hub)

This increase in phishing attacks led to Optus warning customers that no communication from them would include hyperlinks, and that if they received a ...

They offered an apology also to the 10,200 people who had their data exposed via their posts on Breached, and to Optus itself, saying “hope all goes well with this”. Prime Minister Anthony Albanese said the breach should be “a huge wake-up call for the corporate sector”. Using the alias optusdata, the hacker demanded that Optus pay them US$1 million ransom, or they would leak the data of all 11 million customers affected by the breach. [how the breach happened](https://www.cshub.com/attacks/news/samsung-warns-us-customers-of-data-breach), as Optus has only confirmed that it involved someone gaining unauthorized access to its servers. [phishing attacks](https://www.cshub.com/threat-defense/articles/what-is-social-engineering) and fraud attempts against those who had been directly affected by the cyber-attack. [announced](https://www.slatergordon.com.au/media/slater-and-gordon-investigating-potential-data-breach-class-action-against-optus) that they would be "investigating a possible class action against Optus on behalf of current and former customers who have been affected by the unauthorised access to customer data". [claiming to be the hacker](https://www.cshub.com/attacks/news/iotw-hacker-allegedly-hits-both-uber-and-rockstar) responsible for the data breach posted a small sample of the customer data stolen to the hacking forum Breached on September 23. In Australian parliament on September 26, Home Affairs Minister Clare O’Neil blamed Optus for the attack, saying that the “breach is of a nature that we should not expect to see in a large telecommunications provider in this country”, and so “responsibility for the security breach rests with Optus”. Victims of the breach reported on September 27 that they had been contacted with demands that they pay AU$2,000 (US$1,300) or their data will be sold to other hackers. 
[confirmed](https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack) that it has now contacted all customers to notify them of the cyber-attack's impact, beginning with those who had been affected by the breach and finishing with those who had not had their data accessed. [told Australian journalist Jeremy Kirk](https://twitter.com/Jeremy_Kirk/status/1573652991496048640) that they had “accessed an unauthenticated API endpoint” meaning that they did not have to log in to access the data and that it was “all open to internet for any one[sic] to use”. [devastating data breach](https://www.cshub.com/attacks/news/revolut-data-breach-exposes-information-for-more-than-50000-customers) on September 22 that has led to the details of 11 million customers being accessed.


Optus data breach raises questions about how best to protect ... (ABC News)

As the extent of the Optus data breach emerges, a past victim of identity fraud urges people to more tightly guard their online security, as a cyber ...

to people whose data hasn't been leaked yet, scammers will take advantage of the fact that we're in a confusing situation," he said. "One of the biggest things for me was always thinking, this sucks, but I can deal with this … "[Scams] will increase throughout the population in the coming days and coming weeks. "We don't have those rights within Australia for data. "I knew it was coming … "I've had multiple bank accounts opened in my name …

Optus data breach UPDATES LIVE: Business may be forced to ... (The Australian Financial Review)

NSW Infrastructure Minister Rob Stokes has announced he will quit politics at the March state election. “I've had a great go, and now is the time to give ...

“Regrettably the minister is unable to meet, but the department would be pleased to meet with you in the coming weeks to discuss these matters. It was the lack of any sense of when, or how, he planned to pay for his bout of fiscal extravagance. “The minister values your invitation to meet with your chief counsel,” the letter said. On Monday as markets reeled, he said he would stump up a plan for keeping the public debt load in check – but not until November 23. On Tuesday afternoon in the City of London, a helicopter circled repeatedly overhead. The pound hit a record low, bounced back, dropped again. The markets were on fire. Markets in Britain, the world’s fifth- or sixth-largest economy, were I always held the view we need to get to the point where if you are sick you simply stay at home. Anne, the Princess Royal was with her mother in her final 24 hours. “It has been over 900 days where we have had these public health orders in place. Hours after weakening to a tropical storm while crossing the Florida peninsula, Ian regained hurricane strength Thursday evening over the Atlantic.

'White hot anger' over Optus data breach (The Singleton Argus)

Opposition Leader Peter Dutton has criticised the government for not introducing new privacy legislation to parliament following the...

The opposition has called for the government to unfreeze "critical" cyber security funding, which is being reviewed along with other industry grants given by the former Morrison government. "It should have been in the parliament this week, the government was aware of this problem," he told Nine on Friday. Attorney-General Mark Dreyfus earlier this week said the government is seeking to put legislation to the lower house by the end of this year.

Optus data breach: federal police launch 'Operation Guardian' to ... (The Guardian)

AFP assistant commissioner Justine Gough said force wanted to 'supercharge' protection from identity crime and financial fraud.

Gough declined to confirm reports that the breach occurred when Optus left open an application programming interface (API) to its customer database without requiring authorisation. It will involve co-operation with law enforcement from across the globe, potentially, given that we are talking about a type of crime that is borderless.” Gough said Operation Guardian will “supercharge” the protection of those 10,000 people and provide “multi-jurisdictional and multilayered protection from identity crime and financial fraud”.

Optus to pay for new passports, taskforce set up to help affected ... (SBS)

A federal taskforce has been set up to help Optus customers who were affected by the data breach, and Prime Minister Anthony Albanese says the telco will ...

The opposition has called for the government to unfreeze "critical" cyber security funding, which is being reviewed along with other industry grants given by the former Morrison government. "Cybercrime is the break-and-enter of the 21st century and we encourage all Australians to be extra vigilant about their online security at this time." It's entirely appropriate," he said. "It should have been in the parliament this week, the government was aware of this problem," he told Nine on Friday. "Cybercrime is the break-and-enter of the 21st century and we encourage all Australians to be extra vigilant about their online security." (AFP Assistant Commissioner of Cyber Command Justine Gough.) "Optus has responded to my request that I made in parliament and that Senator Wong made in writing to Optus and they will cover the costs to replace affected customers' passports.
