On Thursday 22nd September 2022 at 2:00 pm Optus published a media release stating that they were investigating the possible unauthorised access of current and former customers’ information. This was later confirmed as a legitimate and major data breach.
The information that was accessed includes people’s names, dates of birth, phone numbers, email addresses, addresses and ID document numbers such as driver’s licence, Medicare and passport numbers.
This means that if you’ve ever been an Optus customer, it is very likely you’ve been caught up in this. The data included in this breach is enough to steal the identity of the affected people.
Australian government representatives and cyber experts have confirmed this was not a sophisticated attack. Instead, an API was open to the internet for anyone to reach. Using the API, the cybercriminal was able to pull out the records of these customers. No exploits or account credentials were required.
Frustrated with no communication or payment, the cybercriminal updated their original post to include another sample from the breached data. This time 10,000 records were included, in addition to the first 200 they posted to prove the data’s legitimacy.
Shortly after, that link was taken down, but it has been reposted multiple times across criminal forums.
Cybercriminals are also bundling trojans in with both false and real data sets as “reposts”. Everyone wants a cut of this data right now to check if they or their families/friends are in it, so criminals are taking the opportunity to try and spread malware.
Australian media reports this data as being shared “on the dark web”. Though I’m sure it is, the original post source is on the clear net, the same part of the internet where Facebook and Google live. These 10,200 records are highly accessible, so it’s important to take action if you’ve been advised your ID has been exposed.
After the additional data was posted it was revealed that Medicare numbers were also included in the data exposed. Optus is facing a serious backlash as this was not initially communicated when they were advising customers specifically what data was stolen, despite knowing what records they hold on customers. It is a legal requirement of the OAIC to report such things.
Optus announced that affected customers would receive free credit monitoring. In a statement, they advised that:
“Optus will be getting in touch with these customers with information on how to start the Equifax subscription over the coming days. These communications will not include links. If you get an email or SMS claiming to be from Optus with a link, do not click – it’s a scam.”
In a turn of events on the 27th of September, the cybercriminal declared that they would not be publishing the data and that it had been deleted.
Regardless of this statement, we’re not entirely sure if it is true. Therefore, anyone affected should be moving forward with the personal protection methods now being made available to Optus customers.
Here are some of the popular speculations for the retraction of the data, though no one truly knows why:
– Optus secretly paid the cyber criminal to not release the data. This has been denied formally by Optus.
– The Government paid the ransom to protect civilians, affected government personnel and government infrastructure.
– There is too much attention on the data and the criminal will wait until it dies down to sell later.
– The criminal is spooked by the full force of multiple government agencies focusing on them, has deleted the data and gone into hiding.
How To Protect Yourself
1. Get visibility on your credit rating
You should check your credit reports for your own understanding and visibility of what your credit looks like to quickly detect any anomalies. We suggest ordering your credit report from each of these organisations, since some may compile credit data that the other two have overlooked.
Equifax: Go to Placing a ban with Equifax and fill in and submit the form. Once submitted, Equifax will email you to let you know the ban is in place.
Illion: Go to Placing a ban with illion and fill in and submit the form. Once submitted, illion will email you to let you know the ban is in place.
Experian: Complete the ban request form on the Experian website.
A credit ban means that when a business issuing you credit conducts a credit check, a process is triggered that causes any new application not authorised by you in writing to be declined. Be sure to select the option to apply this ban across all other credit services.
You can find further information on credit bans here.
A credit ban is valid for 21 days; extensions may be granted with evidence supporting that you are, or are at risk of becoming, a victim of fraud. In most cases, this will require you to show that you have either a police report number or a www.cyber.gov.au report number.
2. Change your licence number, if possible
South Australia: https://service.sa.gov.au/news?a=1112633
Northern Territory: at the time of writing, there is no available information for the NT
Australian Capital Territory: https://www.accesscanberra.act.gov.au/s/article/Information-about-the-Optus-data-breach
Western Australia: WA Premier Mark McGowan confirmed on Wednesday that anyone whose licence number was involved in the leak will be able to get a new licence and number free of charge. McGowan said the government and Department of Transport were working to get a new system built “as quickly as we can”.
3. Medicare & Passport Numbers
The government is now looking into providing new Medicare & passport numbers for anyone affected. Health Minister Mark Butler told the ABC today:
“We are very concerned about the loss of the data and are working hard to deal with the consequences, but we are particularly concerned we were not notified earlier and consumers were not notified earlier about the breach of Medicare data as well”.
4. Change Your Email Address
If possible, change your email address and update all of your accounts to the new address. Or create separate email addresses for separate categories of accounts. For example:
Have one email address for your online banking and myGov, another email address that is used for online shopping, another for social media etc. That means if one site has a data breach, all of your accounts aren’t at risk.
5. Enable Multifactor Authentication
This adds a crucial layer of protection to your accounts. It means if a cybercriminal obtains your login details, they still can’t access your account because you have multifactor or 2FA protection on your account.
6. Other Measures
This situation is still unfolding; we will continue to update this blog post as additional information comes to light. If you would like to learn more about cybersecurity and how to protect your business, get in touch.