On September 22, 2022, Australia’s second-largest telco Optus was targeted in a cyber attack. The personal information of current and former Optus customers was obtained in the data breach, impacting up to 9.8 million individuals.
According to Australia’s minister for Home Affairs and Cyber Security, Clare O’Neil, 9.8 million people have had their private data stolen, including names, dates of birth, phone numbers and email addresses.
A subset of these individuals, around 2.8 million, have also had their identity data exposed in the Optus hack, including licence, passport and Medicare numbers. Optus says that payment details and account passwords were not compromised in the data breach.
What the risk is
- Identity theft
- Fraud attempts
- Heightened risk of phishing
For the 2.8 million people whose identity data (licence, passport and Medicare numbers) was compromised, O’Neil said there is a heightened risk of identity theft and fraud. These documents carry heavy weight in Australia’s 100-point identity check, so in combination they can be enough to pass it.
This means an individual or group holding fraudulently obtained copies of these identifiers can attempt to open bank accounts, access superannuation and commit other fraud in the name of the person whose identity has been stolen.
Who’s affected (and how to check if that includes you)
- 9.8 million records stolen
- 2.8 million records included sensitive identity data
- 10,000 records claimed to have been leaked online
- Check Have I Been Pwned?
Optus says it has contacted the customers whose identity data was compromised in the breach. At the time of writing, the telco says it is still in the process of contacting the remaining affected customers, whose other personal data was exposed.
On Tuesday, September 27, 2022, an anonymous online account using the screen name 'optusdata' posted an extortion attempt on a forum. A screenshot of the post, shared on Twitter by cybersecurity journalist Jeremy Kirk, shows the self-proclaimed hacker demanding a ransom of US$1 million.
While neither the Australian Federal Police (AFP) nor Optus has verified the legitimacy of the ransom demand, some cybersecurity experts, Kirk among them, believe it was genuine. In the post, the self-purported Optus hacker claims to have released the data of 10,000 users, and says they will continue to do so until the ransom is paid.
However, in a bizarre turn of events on Tuesday afternoon, the same anonymous account appeared to retract the ransom demand, claiming they no longer intended to sell or leak the stolen data. In a new post, they wrote that they had deleted the only copy of the data they held, and apologised to affected Optus customers.
With that said, neither the original ransom demand nor the subsequent retraction has been verified, so if you’re a current or former Optus customer, you should still assume that you’re at risk. If the details of 10,000 users were in fact released, there is unfortunately no way of checking whether you were part of that group… at least not right now.
It is likely that the details of those caught up in the breach will appear on the website ‘Have I Been Pwned?’ further down the line. Have I Been Pwned? allows individuals to check whether their email address or phone number has been exposed in known breaches.
What to do if you suspect you’re affected
- Sign up for Equifax Protect, Optus’ free credit monitoring service
- Be vigilant of suspicious emails, calls and SMS
- Enable multi-factor authentication
- Visit the Australian Cyber Security Centre (ACSC) and IDCare websites
Optus is offering its “most affected current and former customers” a free 12-month subscription to Equifax Protect, a credit monitoring and identity protection service that alerts you to changes on your credit file, such as new credit applications made in your name.
At present, the telco has yet to specify which customers are deemed “most affected”, stating only that the “most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost”. You should absolutely sign up to the credit monitoring service if you’re given the option.
Additionally, we recommend visiting the Australian Cyber Security Centre (ACSC) website for a complete list of resources, while the Office of the Australian Information Commissioner (OAIC) is an Australian Government website that details how to respond to a data breach. You should also visit IDCare, a national identity and cyber support service. All of these sites have detailed advice on what to do if your data has been exposed.
If you’re a current or previous Optus customer, be vigilant of scammers trying to contact you by phone call, email and SMS. Stolen names, dates of birth and contact details make phishing messages far more convincing. Optus has advised that it is not sending links in its email or SMS communication, so do not click any link from someone claiming to be Optus; go to the Optus website or app directly instead.
Beware of phishing emails, and consider installing one of the best antivirus suites to better protect your devices. You may also want to update your passwords and enable multi-factor authentication on your accounts, prioritising email, banking and myGov, since those accounts are the ones most useful to someone attempting identity fraud. The Conversation has a valuable step-by-step guide you can reference in this process.
Should you switch from Optus?
- Other telcos may be vulnerable to similar cyber attacks
- You’ll need to pay out the remaining cost of your mobile if you want to switch
- You’ll need to pay out the remaining cost of your modem, or pay exit fees
- Check out TechRadar’s recommended best NBN plans and best SIM-only plans
If you’re a current Optus customer, you may understandably be looking to switch providers. But the truth is, there’s no way of knowing whether other mobile and NBN providers are vulnerable to similar data breaches.
You should also know that costs and exit fees may apply if you decide to switch from Optus. For instance, while Optus’ mobile plans come with no lock-in contract, you’ll be required to pay out the remaining cost of your mobile phone if you’re currently paying it off in 12-, 24- or 36-month instalments. Furthermore, if you signed up while the device was discounted, you’ll lose that discount by cancelling early and will need to pay out the full cost of the phone.
You may also face cancellation fees if you have an Optus NBN plan. While its current NBN plans come with no lock-in contract, you’ll need to pay out the remaining cost of your modem if you leave within 36 months of signing up. The same goes for its 5G and 4G plans.
If you’re a long-time Optus NBN customer, you may be on a grandfathered plan that comes with exit fees. Speak to an Optus representative to find out what those terms are and whether any costs are involved in cancelling.
If you’re looking to switch from Optus, refer to the dedicated guides to the best phone plans, best SIM-only plans and best NBN plans available on our colleague’s site TechRadar.
How was Optus hacked?
- Reports suggest Optus left an API exposed
- Little verified detail available at this stage
Optus has not released to the public how it was hacked, but its CEO, Kelly Bayer Rosmarin, told the media it was a “sophisticated attack”.
In contrast, Australia’s minister for Home Affairs and Cyber Security, Clare O’Neil, described the breach as a “basic hack” when speaking to the ABC’s 7:30 program. She went on to say, “we should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”
There has been speculation online that Optus exposed an API endpoint that required no authentication and returned a customer record for whatever customer identifier it was given. If those identifiers were sequential, an attacker who found the endpoint would only have needed to iterate through the ID range to pull almost 10 million records. We don’t yet know the truth of the matter, and there’s a chance we never will.
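To make the speculated attack pattern concrete, the following is an added illustration, not Optus’ code and not a description of its actual systems. It models a generic, unauthenticated record-lookup endpoint with sequential integer IDs, shows how trivially it can be enumerated, places a hardened version beside it that requires a session token and only returns the record belonging to that token’s owner, and finishes with a crude detector that flags clients walking consecutive IDs in constructed access-log lines. All names, IDs, IP addresses and log formats are made up for the example.

```python
"""Sequential-ID enumeration against an unauthenticated API, beside the fix
and a simple log-based detector.

Added example modelled on the pattern speculated about in the article. It is
not Optus' code; the customer store, session scheme, paths and log lines below
are all constructed for illustration.
"""
import re
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample data: a toy customer store keyed by sequential integer IDs.
CUSTOMERS = {
    1001: {"name": "A. Citizen", "dob": "1980-01-01", "licence": "12345678"},
    1002: {"name": "B. Citizen", "dob": "1975-05-05", "licence": "23456789"},
    1003: {"name": "C. Citizen", "dob": "1990-09-09", "licence": "34567890"},
}


# --- Vulnerable pattern ------------------------------------------------------
def vulnerable_lookup(customer_id: int) -> Optional[dict]:
    """Returns a record for any ID; no caller identity is checked at all."""
    return CUSTOMERS.get(customer_id)


def enumerate_vulnerable(start: int, stop: int) -> list:
    """What an attacker does with the endpoint above: walk the ID space."""
    return [r for i in range(start, stop) if (r := vulnerable_lookup(i)) is not None]


# --- Hardened pattern --------------------------------------------------------
# Each session token is bound to exactly one customer. The handler verifies
# the token and then checks that the token's subject owns the requested record
# (object-level authorisation), so knowing another customer's ID is useless.
SESSIONS: dict = {}  # token -> customer_id (constructed in-memory session store)


def issue_token(customer_id: int) -> str:
    """Issue an unguessable bearer token bound to one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def hardened_lookup(token: Optional[str], customer_id: int):
    """Return (http_status, body).

    401: no valid session.  404: record missing OR owned by someone else.
    Returning 404 rather than 403 for foreign records avoids turning the
    endpoint into an oracle that confirms which IDs exist.
    """
    subject = SESSIONS.get(token) if token else None
    if subject is None:
        return 401, None
    if subject != customer_id or customer_id not in CUSTOMERS:
        return 404, None
    return 200, CUSTOMERS[customer_id]


# --- Detection: consecutive-ID runs from one client --------------------------
# Constructed access-log lines: client, method, path, status.
LOG_LINES = """\
203.0.113.7 - GET /api/customers/1001 200
203.0.113.7 - GET /api/customers/1002 200
203.0.113.7 - GET /api/customers/1003 200
203.0.113.7 - GET /api/customers/1004 404
198.51.100.4 - GET /api/customers/1002 200
""".splitlines()

LOG_RE = re.compile(r"^(\S+) - GET /api/customers/(\d+) (\d{3})$")


def enumeration_suspects(lines, min_run: int = 3) -> set:
    """Clients that requested at least `min_run` consecutive IDs in order.

    A normal customer fetches their own record; a scraper walks neighbours.
    """
    ids = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ids[m.group(1)].append(int(m.group(2)))
    suspects = set()
    for client, seq in ids.items():
        run = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                suspects.add(client)
                break
    return suspects


if __name__ == "__main__":
    print("vulnerable dump:", len(enumerate_vulnerable(1000, 1010)), "records")
    tok = issue_token(1001)
    print("hardened, own record:", hardened_lookup(tok, 1001)[0])
    print("hardened, other's record:", hardened_lookup(tok, 1002)[0])
    print("enumeration suspects:", enumeration_suspects(LOG_LINES))
```

The point of the comparison is that the hardened handler does not rely on IDs being secret: even if they stay sequential, a caller only ever gets back the single record bound to their own session. In a real deployment the detector would run over the web server’s access logs and would be paired with rate limiting per client and per token, since a patient attacker can spread an enumeration over many addresses.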
What’s the fallout?
- Slater and Gordon are looking into a class action
- Australian Government announced plans to tighten privacy laws
- Calls for Optus to pay for new passports and driver’s licences
The fallout for Optus has been drastic. Law firm Slater and Gordon has already launched a class action investigation, and those affected can register their interest in receiving updates.
The federal government has also been highly critical of Optus following the data breach, and calls to toughen privacy laws are already on the table. Speaking to 4BC radio, Prime Minister Anthony Albanese said, “we want to make sure, as well, that we change some of the privacy provisions there so that if people are caught up like this, the banks can be let know, so that they can protect their customers as well.”
Optus is already expected to foot the bill for affected customers who need to replace their driver’s licence, and Prime Minister Albanese is also calling on the telco to pay for those who now need new passports. With Optus also covering one year of the Equifax Protect credit monitoring service, the cost of the data breach continues to grow.