Optus Australia has suffered a major data breach, in which sensitive personal information about both past and present customers was stolen by cyber attackers. Here are some simple steps you can take to understand if you were impacted and protect yourself if you were.
Update: As of the 27th of September, the attacker has claimed to have deleted all copies of the data. Unfortunately, there is no way to verify this, and the claim may simply be a tactic to slow people down in protecting their identity. We still strongly recommend that you take appropriate steps to protect yourself in case the data has been sold or re-emerges in the future.
1. Check if you were impacted
Use the chat in the My Optus app to confirm if your details were exposed. Ask them to check each email address that is associated with your account.
Optus is in the process of informing customers; however, they may not have current contact details, and many customers are reporting Optus emails being caught in spam and junk filters. The best thing to do is speak to Optus directly via the My Optus app and ask them to check each email address you have associated with your past or present Optus account.
2. Apply for a credit ban
If ANY of your identity documents or ID numbers were exposed, apply for a credit ban with Equifax, illion, and Experian. Credit bans prevent new credit facilities from being fraudulently taken out in your name. Fraudulent credit applications can negatively impact your credit rating, cause significant stress, and take many hours to evidence as fraudulent to businesses and debt collectors.
By default, credit bans last for 21 days and can be removed or extended if needed.
More information about credit bans can be found here.
3. Monitor your credit
If ANY of your identity documents or ID numbers were exposed, consider regularly checking your credit report and using a credit alerting service to alert you to fraudulent credit applications in your name.
Monitoring your credit report and using free or paid credit alerting services will ensure you quickly become aware of fraudulent credit applications and can begin the process of preventing them early before too much damage is done.
4. Replace your Driver’s Licence
If your Driver’s Licence number was exposed, check your state rules for replacing your Driver’s Licence with one that has a new licence number. It’s important to ensure you don’t just get a new card but that the licence number that was exposed is changed. Eligibility for this varies depending on the state in which your licence was issued, and unfortunately, this is not possible in every state.
Optus is currently working with state licence providers for a solution for all customers.
5. Replace, Renew or Cancel your passport
If your passport details were exposed, consider a replacement or renewed passport via the Australian Passport Office. Again, ensure the new type of passport you select has a new passport number to replace the one that was exposed. Eligibility criteria for each type of new passport apply.
6. Enable Multi-Factor Authentication wherever possible
If any of your details were exposed, ensure you have Multi-Factor Authentication (MFA) in place on all your accounts, starting with the most important ones.
The details exposed in this, or other, breaches may be enough for the attacker to access your online accounts or reset your passwords, depending on the security questions each account provider has in place. MFA is a great way to prevent other people from accessing your accounts with websites and online services.
7. Be vigilant of future scams
If any of your details were exposed, be vigilant for future attempts to scam you. Exposure of your email address, physical address and phone number lets scammers know how to contact you, and exposure of your full name and date of birth allows scammers to appear to know you or appear to be contacting you from a legitimate company that holds details about you.
Be wary of anyone contacting you unexpectedly. If in doubt, ask for a reference number, hang up, find the business’s phone number on Google and call them back to ensure you are speaking to a legitimate person.
8. Increased security for moving providers
To reduce the risk of an attack known as SIM swapping, where an attacker steals your phone number to bypass SMS-based MFA, Optus has implemented increased security measures for porting numbers.
If you are planning to move providers, be aware that current increased security measures mean you will need to visit a store in person with your ID to have services moved to a new provider.
9. Watch for updates
The situation is still very new, and details are emerging every day. Optus has advised they will be providing free identity monitoring services to those “most affected” by the breach but are yet to provide full details.
Optus is providing regular updates via its Media Centre, and most media outlets are following updates very closely at present.
10. Contact IDCARE for further assistance
IDCARE is Australia’s free identity and cyber support service. They have an Optus Data Breach Response Fact sheet available and can support you through this time.