Optus - Major Data Breach

HardQuiz on 22/09/2022 - 14:14
Last edited 26/09/2022 - 10:08 by 1 other user

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API

Mobile Data Breach

Related Stores

Optus
Optus

Comments

    • whatwasherproblem on 22/09/2022 - 14:38
      +6

      but is it just recent past customers, or every customer Optus has had ever?

      That is an excellent question. I suspect the latter. So as much as I want to laugh at this as one of the uncompromised neverOptus chads in the peanut gallery, the fact that I had an Optus phone a decade and a half ago means that I'm probably in the leaks somewhere too. RIP.

      • HardQuiz on 22/09/2022 - 14:42
        +31

        Most of us here who unashamedly participate in sim-slutting will probably be on the list of affected customers.

        • baskinghobo on 22/09/2022 - 23:48

          Ahh shit. And here I was thinking I was safe.

        • postform on 23/09/2022 - 12:20

          sim-slutting???? What does that mean?

          • wangasm on 23/09/2022 - 13:54
            +1

            @postform: Means changing mobile providers every month/few months to take advantage of introductory offers & deals.

      • kiitos on 23/09/2022 - 08:30
        +2

        Same here, 11 years ago. So frustrating, especially as being past customers we don't have access to all the contact channels current customers have.

      • subwoofer on 23/09/2022 - 10:23
        +3

        Previous customer data retention is legal requirement but only for the past 7 years. Older Data is destroyed

        • kiitos on 23/09/2022 - 11:49
          +3

          That would be reassuring (if they've done that).

        • RubyShoes on 26/09/2022 - 15:06

          It is a legal requirement, but if you have ever worked anywhere near data governance, there is a lot of stuff that gets overlooked or put on the backlog.

    • TheRealCJ on 22/09/2022 - 23:04
      -1

      They said the drivers license/passport was for "a subset of customers," my guess is that means new customers who hadn't had their ID information deleted yet.

      • RSmith on 23/09/2022 - 07:02

        Could be the ones who signed up for the Samsung tablet ac few months back

      • c64 on 23/09/2022 - 12:14
        +4

        optus don't delete the id information. in fact, they display the drivers license number in your online account

        • TheRealCJ on 23/09/2022 - 12:23

          Uh… No they don't. Where exactly do they show that?

        • c64 on 23/09/2022 - 12:43
          +13

          they used to display it because i immediately noticed it and wondered why. anyway, sniffing myaccount login traffic reveals:

          "contact" : {
   "contactId" : "...",
   "dateOfBirth" : ...,
   "email" : "....",
   "emailStatus" : "Verified",
   "firstName" : "...",
   "gender" : "Please Specify",
   "indentType" : "Driving Licence",
   "indentValue" : "<LICENSE_NUMBER>",
   "lastName" : "....",
   "phone" : "..."
},

          anyone who gets access to your login account can also get your drivers license and dob (besides phone, name, emails, etc). very poor security/privacy from optus passing all those unnecessary details. the id is permanently retained by optus

          • bjdchwr on 23/09/2022 - 23:03
            +9

            @c64: Yes I had a sniff and it has the link to the following page:

            JSON

            Once you login to your account, you can click this link and it reveals all those details.
            It's very sad…

            If you remove the suffix string you will get even more information:
            JSON more detailed version
            All the service numbers are even included. I wonder if they can port the number using the details provided.

            UPDATE: there is another link for billing which reveals all the services, including the description.
            JSON Billing
            You will get 401 error if you are not logged in so this is not critical but I am a bit shocked about their privacy handling procedures.

            {
            "subscriberId": #########,
            "primaryInd": ##,
            "subscriberActivationDate": #############,
            "subscriberStatus": "A",
            "subscriberStatusChangeDate": #############,
            "recontractionDate": #############,
            "subscriberType": "MB",
            "subscriberName": {},
            "subscriberAddress": {
            "isUnstructAddressX#": #,
            "isInternationalAddressX#": #,
            "isUnvalidatedAddress": #
            },
            "subscriberCustomerId": "#######",
            "serviceId": "##########",
            "productId": "#########",
            "plan": {
            "catalogId": "########",
            "catalogName": "5GB Optus Choice Data Plan(May ##)",
            "offerFamily": "Data Plan ####",
            "planFamily": "MP#",
            "catalogItemID": "########",
            "catalogItemName": "#GB Optus Choice Data Plan(May ##)",
            "id": "##########"
            },
            "lob": "WS",
            "shared": true,
            "isSubscriptionPlan": false,
            "productType": "Mobile Broadband"
            }

          • 7cal on 23/09/2022 - 23:07

            @c64: Is there any chance you could Dm me how you do this?

            edit: nevermind, just saw @bjdchwr's comment

      • cerealJay on 25/09/2022 - 15:37
        +3

        my guess is that means new customers who hadn't had their ID information deleted yet.

        You guessed wrong.

        I closed my Optus account in 2019 and received the email from Optus yesterday that my details were leaked including my drivers license number.

        • T3J on 25/09/2022 - 17:16

          Thanks for that post, I had an Optus account in 2021 and I haven't heard jack from them yet… None of my details they had on record have changed so I'm wondering if they haven't got to me yet, I'm not included or something in-between.

        • TheRealCJ on 25/09/2022 - 18:35

          What was the wording? Because from the email it got it said "Your details (including DL) may be affected"

          Nothing specific to any individual

          • cerealJay on 25/09/2022 - 22:11
            +2

            @TheRealCJ:

            Nothing specific to any individual

            I got the following very specific email:

            Subject: "Urgent update from Optus about your personal information"
            Dear [my name],
            It is with great disappointment I’m writing to let you know that Optus has been a victim of a cyberattack.
            [Notice how they make it about them. They are the victim!]
            As a former Optus customer this has resulted in the disclosure of some of your personal information…. The information which has been exposed is your name, date of birth, email, phone number, address associated with your former account, and the numbers of the ID documents you provided such as drivers licence number or passport number.

            • TheRealCJ on 25/09/2022 - 22:34
              -1

              @cerealJay: Yeah, I guess they're sending it to people specifically who they know have had their data harvested.

              Also, why are you being so dang rude to me about it? I'm not optus.

    • Mozzmanau on 25/09/2022 - 18:31
      +3

      Optus fought against consumers right to have their data deleted from companies databases. They've obviously been holding on to customers data for some reason and this is the consequence of it.

      Here the article about it. https://www.news.com.au/technology/online/hacking/optus-oppo…

    • Associatedvchar @ Optus Accessories on 26/09/2022 - 15:16

      I was a former Optus customer, I received an email from Optus yesterday advised me what personal info of mine has been compromised. It seems they do this to every affected customers but the process probably takes a bit of time for everyone to get it.

    • bradl822 on 28/09/2022 - 15:02

      I haven't been with Optus for over 10 years and just received there email informing me of the breach. Thankfully my licence has changed states,I have changed address, but it's crazy they accessed from that long ago.

  • Hybroid on 22/09/2022 - 14:34
    +7

    That sounds like a very worrying major breach of personal information. They should inform people that have had their details leaked as this could have major identity fraud repercussions down the line as seen in previous leaks…

    • Nugs on 22/09/2022 - 15:33
      +1

      "For customers believed to have heightened risk, Optus will undertake proactive personal notifications and offering expert third-party monitoring services"
      .

      • Lord Fart Bucket on 23/09/2022 - 08:25
        +6

        How are they planning to do this? I no longer live at the address where I had my optus connection, and i have a new phone number.

        • Maxxiz on 24/09/2022 - 06:58

          email

      • Mozzmanau on 25/09/2022 - 18:33
        +2

        Anyone can do this for free now through one of the 3 credit reporting agencies. Optus don't care.

        Optus fought against consumers right to have their data deleted from companies databases. They've obviously been holding on to customers data for some reason and this is the consequence of it.

        Here the article about it. https://www.news.com.au/technology/online/hacking/optus-oppo…

        • chartparker on 28/09/2022 - 15:07

          I called them several times over the years to have my account deleted and they kept saying they won't/can't do that. And then this happens

          • resisting the urge on 08/10/2022 - 13:57

            @chartparker: Our glorious Gubmint requires them to collect and store. Never were they required to actually delete.

            Seriously, And they actually can't.

            Even if your request was magically acted upon and a team of techs sat down to manually remove your records from all of the CRM databases, call centre systems, email PII-laden test systems, dev and test environments in Oz and Singapore, India, Philippines, backups, MS Exchange servers, Sharepoints, Azure and AWS instances, Excel spreadsheets, wherever it spread to- let alone their 'third party partners… it'd take years to do and they may not get it all.

  • Ryk on 22/09/2022 - 14:38
    +36

    the unintended consequences of requiring ID for a sim card

    • HumbleCat on 22/09/2022 - 23:27
      +22

      Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers. Payment detail and account passwords have not been compromised

      I am glad my password wasnt compromised. 'Optusaretwats' holds a very dear place in my heart and I am glad that aside from my name, dob, phone, email, address, passport number, nothing of consequence was leaked. So happy. Optus is holding my credit card details next to their heart, bless them.

      • Ryk on 23/09/2022 - 15:19
        +3

        I suspect this isn't Optus caring more for your card numbers, it's the card schemes/industry inc. banks ensuring their merchants are responsible with those details. Clearly the requirements for holding other personal details, such as addresses, email, DL# or passport numbers are not held to the same standards by the relevant bodies.

        • Blakus on 24/09/2022 - 07:53
          +1

          Spot on. For payment cards all they hold is a token which means nothing except to their payment provider which I believe is a company called Bambora.

          Our government needs to do the same for driver license and passport numbers.

          I got the email last night that all my details were exposed. In the short term are keeping an eye on my credit through the credit simple app.

          • Mozzmanau on 25/09/2022 - 18:35
            +1

            @Blakus: Optus fought against consumers right to have their data deleted from companies databases. They've obviously been holding on to customers data for some reason and this is the consequence of it. Optus don't give a rats. They're a horrid company that I ditched years ago. I'd love to know why they still held on to my info though

            Here the article about it. https://www.news.com.au/technology/online/hacking/optus-oppo…

    • resisting the urge on 08/10/2022 - 14:05

      Hacks began around the same time as the first internet connection.

      The unescapable outcome of creating a honeypot of useful information has been proven for decades.

      As such, the assurance of this can only mean this was entirely intentional. If purely bureaucratic misadventure, there was plenty of time to do something about it. But look at the legislation changes made to data governance, a lot of it makes the chances of this happening more likely.

  • HairyChickens on 22/09/2022 - 14:38
    +32

    Fix it Gladys!

    • ribze1 on 22/09/2022 - 20:51
      +10

      Coincidence on her watch…

    • poboy on 23/09/2022 - 00:01
      +5

      Integrity.

    • Mozzmanau on 25/09/2022 - 18:36
      +1

      Wtf has it got to do with Gladys?

        • c64 on 28/09/2022 - 16:48

          kelly is quoted as saying "Optus has set its vision to become Australia’s most loved everyday brand with lasting customer relationships by redefining what customers should expect from their communication provider through our relentless pursuit of best-in-class service, greater innovation, better value and connectivity for all Australians."

  • HairyChickens on 22/09/2022 - 14:39
    -5

    Also thoughts on the GTA VI leak and UBER hack?

  • AndyC1 on 22/09/2022 - 14:45
    +5

    Got to love the spin and lack of real details

  • Wiadro on 22/09/2022 - 14:48
    +21

    it is weird they actually have passport and licence numbers on file?
    i thought it was just to verify the identity and not to actually keep.

    • whatwasherproblem on 22/09/2022 - 14:53
      +4

      it is weird they actually have passport and licence numbers on file?

      Weird? Yes.

      Unexpected? No. Companies see the Federal Privacy Act and the laws against 'data enrichment' as being more guidelines than actual rules.

      • Switchblade88 on 22/09/2022 - 16:43
        +3

        being more guidelines than actual rules

        This company is the worst pirate I've ever heard of!

        • mrhugo on 22/09/2022 - 18:40
          +8

          But you have heard of them have you ;-)

      • Jabba the Hutt on 22/09/2022 - 18:50
        +12

        Unexpected? No. Companies see the Federal Privacy Act and the laws against 'data enrichment' as being more guidelines than actual rules.

        One of the more depressing things to do as a citizen with a privacy concern is to read the Australian Privacy Principles, expecting it to have your back, only to find it's so vague and full of exceptions that it'll hardly ever provide a clear, definitive idea of whether an entity's practices breached any rules. After a while it dawned on me that while it ostensibly sets out our privacy rights, in reality it's a subtle prescription for self-regulation, geared toward providing businesses flexibility to handle customer data in ways that suit their purposes.

        Consumers need a more protective, proactive system.

  • Jimothy Wongingtons on 22/09/2022 - 14:50
    +16

    Optus: ok guys we’ll give you … a $5 discount off your Optus sport subscription to put all this business behind us.

    ( I feel that’s more than anything we’re actually going to get even though the damage is well and truly already done )

    • Kangal on 23/09/2022 - 00:06
      +7

      If ever there was a time for a US-style Class Action Lawsuit with Punitive Damages….

  • happydude on 22/09/2022 - 15:04
    +1

    Has anyone got an email from Optus?

    I would like to know if I am in this.

    • Foxxster on 22/09/2022 - 15:23
      +42

      No, and I am BLOODY FURIOUS about this. I wonder if it is an overseas data centre. And having drivers licence or passport numbers as well as name, date of birth, all someone needs to clone your ID. As for the press release by Optus. Utterly bs. Typical corporate speak saying nothing. And complete with grammatical and spelling errors. May be not maybe just for a start.

      The CEO needs to go along with many others.

      • Sleeqb7 on 23/09/2022 - 13:31
        +12

        It's really disparaging that the first I've heard about this leak is from this thread. I've had my phone with Optus for over a decade and the first I'm hearing about a MAJOR SECURITY BREACH is from an OzBargain thread?!

        That's beyond pathetic.

    • Mozzmanau on 25/09/2022 - 18:37
      +3

      Yep. Got mine today and I haven't been a customer of theirs for years

  • dust on 22/09/2022 - 15:10
    +10

    Big yikes. Those personal details are not super easy to change/update!

    • happydude on 22/09/2022 - 15:13
      +5

      Some are impossible, in WA you can't change your DL number.

      • HardQuiz on 22/09/2022 - 15:52
        +2

        Same in NSW and majority of states/territories.

        My understanding only VIC and one other state/territory allows changing of DL number, but I could be wrong.

        • SolidlyIrresponsible on 22/09/2022 - 22:38
          +5

          You can change your DL in NSW, but:

          However, a new licence number will not necessarily stop your previous licence number and associated licence details from being used for fraudulent activities. Unfortunately, Transport for NSW cannot prevent an external organisation from accepting your previous licence without checking its validity. 

          source

          • Kangal on 23/09/2022 - 00:07
            +4

            @SolidlyIrresponsible: Nice, do they let you change your DOB ?

            • SolidlyIrresponsible on 23/09/2022 - 00:21
              +4

              @Kangal: I believe that at this point in time, your DOB is essentially a public record.

              • Scrooge McDuck on 23/09/2022 - 20:08
                +2

                @SolidlyIrresponsible: I want to be 5 again. :(

                • Kangal on 24/09/2022 - 13:01
                  +2

                  @Scrooge McDuck: It makes more sense to change your DOB than your Gender. And we allow changing of Gender.

                  I will be 40 some day, but won't ever become pregnant. We have laws/rules around age (6, 13, 16, 18, 21, 25, 67). On the surface level, it is not logically consistent.

                  I think we should give everyone a permanent barcode, and refer to each other in pure binary.

        • Miss B on 23/09/2022 - 21:13
          +3

          Vic won't if it's a data breach, you have to wait until someone actually uses it.

          Also has the same disclaimer as the NSW one.

          • Grish on 24/09/2022 - 08:30
            +2

            @Miss B: So the one reason you need to change your DL is the one reason you are not allowed to change your DL.

            Bloody hell life has to be difficult sometimes.

        • Mozzmanau on 25/09/2022 - 18:38

          You can change it in Vic but not until they actually try and use your ID somewhere. Set up a credit alert through one of the 3 credit reporting agencies. One of them offer it for free

          • bluedufflecoat on 26/09/2022 - 08:29

            @Mozzmanau: Can you provide further detail please?

            Are you saying you can't change your DL number, unless you have a reason to, and that would only apply if there has been evidence of fraudulent activity, not before? Are there any other circumstances that might apply?

            Also, could you please list the 3 credit reporting agencies and which one is free? Thanks!

            • Mozzmanau on 26/09/2022 - 09:36

              @bluedufflecoat: Yes that's correct. Google credit reporting agencies Australia and change my driver's licence number Victoria. Not sure about the other state

  • franco cozzo on 22/09/2022 - 15:15
    +2

    what the actual (profanity)??

    seems like they wanted to up their numbers on past 'ef ups
    https://www.itnews.com.au/news/optus-admits-to-three-big-dat…

    • Mozzmanau on 25/09/2022 - 18:40

      Optus fought against consumers right to have their data deleted from companies databases. They've a horrid company.

      Here the article about it. https://www.news.com.au/technology/online/hacking/optus-oppo…

      • resisting the urge on 08/10/2022 - 14:20

        Consumer PII is a commodity resource, like sheep, cattle, uranium, and coal.

        Australia is a mining colony.

        A corporation's primary purpose is to make money and/or influence for shareholders.

        Under Oz legislation, Customer PII is their resource to use and abuse, mostly as they see fit.

        Until we do something to Oz something it more than a mining colony, PII will continue to be commoditised, and abused.

  • mapax on 22/09/2022 - 15:28
    +4

    So I guess the equivalent of nothing will happen to Optus because “we” can’t have such a big company going bankrupt?

  • c64 on 22/09/2022 - 15:58

    nice! :(

  • [Deactivated] on 22/09/2022 - 16:01
    +7

    this is why ID should not be required for phone numbers..

    • EightImmortals on 22/09/2022 - 16:09
      +7

      But…but …'criminals'….

    • c64 on 22/09/2022 - 16:13
      +2

      i think it would be much worse with no id requirements

      • [Deactivated] on 22/09/2022 - 16:14
        +1

        how so?

          • [Deactivated] on 22/09/2022 - 17:22
            +7

            @DoctorCalculon: you can call triple 0 without a sim card…

    • Subada on 23/09/2022 - 11:08
      +18

      Verifying ID makes sense from crime prevention etc. However after they've verified your ID they should delete all non-essential info like passports, drivers licenses etc from their servers. No reason to keep it. This is best practice under our privacy regulations but clearly those regs aren't strong enough with shit like this happening.

      Optus should be fined and forced to pay for ongoing credit protection for all its effected customers.

      • [Deactivated] on 23/09/2022 - 14:52
        +3

        it doesn't really make sense for crime prevention any more, you can just buy a sim card with data, and use the data to access a messaging app, rather than using texts, i understand there are several encrypted messaging apps.

        the government, and private companies such as optus, clearly cannot be trusted to keep your id safe, or delete it when they shouldn't have it anymore, so it should not be required at all, whatever the consequences, if any.

        best practice is far too often the lowest priority, if it's a priority at all. people would be shocked at how little care is taken when it comes to the privacy of others.

      • Mozzmanau on 25/09/2022 - 18:41

        Optus fought against consumers right to have their data deleted from companies databases. They've obviously been holding on to customers data for some reason and this is the consequence of it.

        Here the article about it. https://www.news.com.au/technology/online/hacking/optus-oppo…

    • Quantumcat on 23/09/2022 - 11:43
      +2

      Or it should be used to validate your identity then the information deleted/ not stored

      • [Deactivated] on 23/09/2022 - 14:52
        +1

        the problem is that they cannot be trusted to do that

  • Ocker on 22/09/2022 - 16:09
    +24

    Understatement of the year -
    "We are very sorry and understand customers will be concerned"
    Yeh, all 9 million of them, about 1/3 of the population of Australia

    • Yummy on 22/09/2022 - 16:13
      +13

      Hit em with class action. They'll be really very sorry & concerned.

      • freefall101 on 22/09/2022 - 16:49
        +14

        There was a $40m class action when data for 50,000 people leaked from them. So this one should be at least $7.2b

        • thatonethere on 22/09/2022 - 17:34
          +29

          About 50 lawyers will be happy. Everyone else will get $90

          • timle on 22/09/2022 - 18:42
            +5

            @thatonethere: $90? You’re optimistic!

          • slowmo on 25/09/2022 - 12:44
            +1

            @thatonethere: "best we can do is a zooper dooper " — lawyers setting expectations

            we need regulations that makes it a criminal offence for exec leadership teams when breaches on this scale happens.

          • Mozzmanau on 25/09/2022 - 18:42

            @thatonethere: Who cares as long as Optus pays. This is the 3rd time this has happened. They deserve to go broke

    • Ghost47 on 23/09/2022 - 16:45

      Their market share in Australia is actually around 30%. So this sounds like the personal data of all their customers has been accessed to a degree.

  • c64 on 22/09/2022 - 16:27
    +4

    changed my login/contact email addresses, phone, password. however, optus also had name, drivers license, medicare, address

    i hope i'm not in the 2.8m that had all their details swiped. the 7m with dob, email and phone number is less of a worry

  • penguincat on 22/09/2022 - 16:33
    +2

    I wonder if it was a work from home customer service rep using an malware infected device like the shopback breach?

    • RSmith on 23/09/2022 - 07:18
      +1

      Customer service reps usually don't have access to databases.

Login or Join to leave a comment
Login Join