The OPTUS Cyber Breach
What happened, how you can be affected by it as an individual and the aftermath of the cyber attack.
On Wednesday 21st of September 2022, Optus notified the public of a cyberattack on its systems. Hackers managed to access the data of up to 9.8 million people, including names, addresses, phone numbers and email addresses for many, along with driver’s licence and passport numbers for a smaller group. Luckily, the hackers’ access has since been removed, but exactly how much data was stolen, and why, is not yet known.
On the 24th of September, Optus contacted their customers to notify them of the previously announced cyberattack’s impact, if any, on their personal details. They began with customers whose ID document number may have been compromised, followed by customers with little to no impact.
How did this happen?
The Optus hacker has stated online that they accessed an unauthenticated API endpoint.
As crazy as it sounds, this means no authentication was needed, as the API was open to the internet for anyone to use.
An API is basically an interface that different systems use to talk to each other, and these days they are used for a myriad of reasons. The mass use of Web 2.0 platforms meant that the applications we all love became cloud hosted. The downside of having all this data cloud hosted is that these applications need to communicate with each other over the worldwide web through APIs, which can be secured at different levels and through different cyber security methods (tokens, security keys, granular permissions).
It is understood that Optus had been progressively updating and rolling out their API, which is intended for customer-facing applications; this endpoint had, shockingly, never been secured.
This allowed the hacker to find the endpoint and run a large number of queries to grab the information Optus held in this database of 9.8M individuals. That’s 40% of Australia’s population, making this the largest data breach in Australia’s history.
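To make the class of mistake described above concrete, here is an added illustration in Python. It is not Optus’s code and says nothing about what their endpoint actually looked like; the record store, the bearer tokens and the request shape are all constructed for the example. The first handler returns any customer record for any caller, which is what an unauthenticated endpoint keyed by a sequential id amounts to; the hardened handler first authenticates the caller from a bearer token and then authorises the read so that a customer can only ever retrieve their own record.

```python
"""Toy customer-lookup API: unauthenticated handler beside a hardened one.
Added example, not Optus's code. All data, tokens and the request/response
shapes below are constructed for illustration."""
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample records keyed by a sequential customer id. Sequential ids
# are exactly what makes an unauthenticated endpoint trivially enumerable.
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "licence": "LIC-0001"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "licence": "LIC-0002"},
    1003: {"name": "C. Example", "email": "c@example.invalid", "licence": "LIC-0003"},
}

# Constructed session store: bearer token -> customer id it was issued to.
SESSIONS = {
    "tok-for-1001": 1001,
    "tok-for-1003": 1003,
}


@dataclass
class Request:
    customer_id: int
    headers: dict


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def lookup_unauthenticated(req: Request) -> Response:
    """The mistake: no identity check at all, so asking for id N returns customer N."""
    record = CUSTOMERS.get(req.customer_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def _caller_from_token(headers: dict) -> Optional[int]:
    """Resolve an 'Authorization: Bearer <token>' header to a customer id, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    # Constant-time comparison so token validation does not leak via timing.
    for token, cid in SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return cid
    return None


def lookup_hardened(req: Request) -> Response:
    """Authenticate the caller, then authorise: only the caller's own record."""
    caller = _caller_from_token(req.headers)
    if caller is None:
        return Response(401)  # no valid session: refuse before touching data
    if caller != req.customer_id:
        # Cross-customer read. Answer 404 rather than 403 so the response does
        # not confirm whether the requested id exists.
        return Response(404)
    record = CUSTOMERS.get(req.customer_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def count_readable(handler: Callable[[Request], Response],
                   ids: Iterable[int], headers: dict) -> int:
    """How many of the given ids return a record through `handler`?
    Used only to contrast the exposure of the two handlers."""
    return sum(1 for cid in ids if handler(Request(cid, headers)).status == 200)


if __name__ == "__main__":
    ids = range(1000, 1010)
    own = {"Authorization": "Bearer tok-for-1001"}
    print("unauthenticated, no token:", count_readable(lookup_unauthenticated, ids, {}))
    print("hardened, no token:       ", count_readable(lookup_hardened, ids, {}))
    print("hardened, own token:      ", count_readable(lookup_hardened, ids, own))
```

Running the script shows the difference in exposure: with the unauthenticated handler, every record in the store is readable by anyone who can reach the endpoint, while the hardened handler returns nothing without a session and exactly one record (the caller’s own) with one. The authorisation step matters as much as the authentication step; a token check alone would still let any logged-in customer read every other customer’s record.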
You may be able to understand a bit better now the basic mistake Optus made. But what are the consequences and what does this mean to you as an individual?
Thanks to an article published on Whirlpool, we now know that Optus account holders can login on the Optus Website and get a good indication of what personal data is stored in their cloud. Just follow the steps here.
Luckily for us, we’ve seen that some of the information they store is incorrect or no longer relevant. But there’s still plenty of room for scammers to use the correct information to create legitimate-looking scams impersonating our bank, our Xero account (or other accounting software), and even our own next of kin and family members.
Once a hacker has gained access to one of your accounts, they can escalate access and reset other accounts through lateral movement: they can start by logging into your email account, and from there go on to log in to your net banking, accounting platforms, social media accounts and others.
What to do
- Be wary. Keep an eye out for offers, customer support calls or even scam warnings that ask for approvals or passwords. Even if these use your real name or phone number and appear to come from a company that isn’t Optus, they could be exploiting data from the hack.
- Verify any communications by independently contacting the company that appears to have sent them.
- Never click on suspicious links and do not give out passwords. Phishing emails are very likely to land in your Inbox.
- If the email address Optus has stored is not highly used, it might be worth deleting it and updating any other accounts you’ve opened under this email for a new one.
- Secure your personal information by changing online account passwords and enabling multi-factor authentication for banking, Gmail, social media platforms and any other services that could provide relevant information about you.
- The Australian Competition and Consumer Commission (ACCC) said any Optus customers who suspect they are victims of fraud should request a ban on their credit records and be highly sceptical of unexpected calls from people claiming to represent banks or government agencies.
- If your driver’s licence number has been exposed, you can request to renew your licence in QLD and NSW free of cost.
The aftermath of the breach and what we will likely see as a result
It’s all about lateral movement. As mentioned above, the information that’s now available will be used across all kinds of systems for malicious or financial advantage, including government websites that store sensitive information on criminal records and AVOs. If this information is accessed by others, the affected individuals and their families may be at serious risk of harm.
In an attempt to protect Australians who are affected by this breach, the government has committed “hundreds” of public servants from several agencies – including Australian Signals Directorate, the Australian Cyber Security Centre and the Australian Federal Police – to the aftermath of the Optus hack and data breach, with the law enforcement effort codenamed ‘Operation Hurricane’.
Given the major financial cost this data breach will have for the government, new data breach notification rules are being prepared in the wake of the Optus hack, and a policy drafting process is understood to be underway. If adopted, it would mean companies involved in a breach of customer data will have to pass on the details of affected individuals to banks as soon as possible.
In the meantime, set up multi-factor authentication for all of your accounts that store relevant personal data, and if you think you may be at potential risk from any leak of information, don’t hesitate to call 000 immediately.
IDCARE’s Optus Data Breach Response Fact Sheet
Credit Bans (When a ban is put in place it ‘freezes’ access to your credit file).
Australian Government Resources
Australian Passport Office – Optus Breach Info
Office of the Australian Information Commissioner (OAIC) – Identity fraud
MoneySmart – Identity Theft
Credit Reporting Bureaus
Equifax Credit Reporting
Illion Credit Reporting
Experian Credit Reporting
Free Credit Score & Credit Reports
OAIC – Access Your Credit Report
New South Wales
- Optus breach – FAQs
Transport for NSW
- Changing your licence or customer number
- Replace a NSW driver licence online (note this will not change your licence or customer number, only issue a new card with a new card number)
Department of Customer Service
- Anyone who has been notified by Optus that their licence details have been involved in the breach can contact VicRoads to have their Victorian driver licence record flagged here.
- If you’ve received an Optus data breach notice, you can change your driver licence number and receive a new driver licence free of charge. Learn more here.
- If you have been advised that your driver licence details have been compromised by the recent Optus data breach, you are eligible to request a new driver licence number. Learn more here.
Australian Capital Territory
- If you have been notified by Optus that a data breach may have exposed your licence details, but no fraud has taken place, Access Canberra is able to replace your licence card, but not the licence number. Learn more here.