The telco said that while no financial information or passwords were accessed, the breach has seen customers’ names, dates of birth, email addresses, phone numbers, addresses associated with their account, and details of ID documents such as drivers licence numbers or passport numbers compromised.
Optus has not revealed how many of its subscribers in Australia were compromised by the breach, but the home affairs minister, Clare O’Neil, told parliament on Monday it involved 9.8 million people, of whom 2.8 million had lost “significant amounts of data”.
If you are among those affected, you are probably wondering about what your next steps should be. Guardian Australia has asked experts for their advice.
The executive director of digital forensics and incident response at CyberCX, Nick Klein, says “there’s no need to panic, don’t go out and change everything straight away.”
Klein advises Optus customers to use strong passwords and multi-factor authentication on all online accounts (especially important ones like banking and email).
Toby Murray, an associate professor in cybersecurity at the University of Melbourne, is among those whose data has been breached.
As a first step to protect against fraud, Murray recommends calling up your bank and asking them to put in place additional verification methods (like an extra security challenge question) on your accounts, particularly for over-the-phone authentication.
Murray says Optus customers might consider asking the same from other valuable accounts such as superannuation providers or Centrelink.
Optus has indicated that it’s the numbers on ID documents such as passports and driver’s licences that have been compromised, rather than the copies of the photo IDs themselves.
Should Optus customers affected change passport and licence numbers?
"We are working with state governments and with part of the federal government that manages passports to try and manage how this can be made possible" - @ClareONeilMP tells @Raf_Epstein
— ABC Melbourne (@abcmelbourne) September 26, 2022
Klein says “just because someone knows your driver’s licence number is not a reason to rush out and change your driver’s licence”.
He says without other details such as expiry dates or the address on the card, there is a limit to what anyone can do with the information.
However, Murray believes it’s “worthwhile thinking about” changing your passport or driver’s licence numbers.
“There is still a risk with exposing those numbers because, depending on the context, different organisations will ask you just for your driver’s licence number or just for your passport number,” Murray says.
If you want to make the change
The Department of Foreign Affairs and Trade have released advice in response to the Optus breach saying passports will still be safe to use for travel but that the decision to get a new document to avoid identity fraud is a personal one.
“If you feel concerned about your current passport, you can renew it at any time in the usual way,” the statement said.
Murray says the catch of course is being slapped with the usual application fees, as well as the longer than usual wait times as Covid delays persist. However, he says if you don’t need to travel urgently, cancelling your passport is a cheaper option.
Drivers licences may be more tricky to change than passports, Murray says, as not all states actually allow you to apply to get a new driver’s licence number.
In Victoria, it’s not possible to apply unless the fraud has already taken place. VicRoads tells drivers: “If you’ve been notified by an organisation that a data breach may have exposed your licence details, but no fraud has taken place, VicRoads will NOT be able to change a driver licence number.”
In NSW it seems possible, Murray says, if the security of your licence has been compromised, but you need to “report the incident to police and obtain a police event number or a ReportCyber Receipt (CIRS) number.”
Guardian Australia has been contacted by Queenslanders trying to get new ID numbers who say they are being told by Queensland transport they are not allowed to apply without police reports saying their identity has been breached, meaning they cannot change their number until their details are used.
What about phone number and email addresses?
Klein says phone numbers and email addresses are “categories of information where their disclosure isn’t necessarily a security risk” because they are more often shared and accessible.
The main risk, Murray says, is the potential to target Optus customers for further scams.
“As a scammer, I might decide, if I’ve got all the mobile numbers of all these Optus customers whose data has been exposed, I might send them all a fake text message pretending to be Optus, including a link to find out more about what data has been exposed or steps that you could take. And then of course, the link is fraudulent and might request extra personal information,” Murray says.
Optus has said it will not send out any emails or texts with links.
Klein says if you are unsure about the correspondence you have received, contact the sender through another means to verify it.
How can the less tech savvy protect themselves?
Klein says that less technologically literate Optus customers may be more vulnerable to the breach.
“Criminals go for the low hanging fruit – whoever is easier to compromise, they will – and unfortunately, that can be elderly people in the community or those that aren’t tech literate,” Klein says.
He recommends anyone who has a family member or friend who is not as tech savvy, to help them to implement technical controls.
“Sit down with them, go through their various online accounts, particularly the important ones like online banking, government sites, and make sure that they have multi factor authentication in place.”
Klein recommends reminding those people in your life to be careful about emails and clinking on links, and to tell them to reach out for a second opinion if they are suspicious.
Murray says Optus customers could consider identity theft monitoring and insurance services to help protect themselves. He says commercial options in Australia include Norton Identity Advisor and Equifax Identity Protect, but there are also free services like Troy Hunt’s HaveIBeenPwned.
On Monday Optus said it would provide access to Equifax to millions of customers and would inform those who had their passport or driver’s licence numbers compromised via email or SMS.
Customers could expect to receive an email about how to start the service in the coming days.
Murray says to protect himself against a scammer using his information to create an account taking out a loan in his name, he intends to set up a regular service with the three main credit reporting bodies in Australia: Equifax, Illion and Experian.
He says you can also apply for a credit ban, which will stop anyone setting up an account for 21 days, and that after those 21 days it can carry over if you supply extra evidence in the form of a police report or a cyber report incident number.