You’ve probably heard that Optus has suffered a massive data breach, with hackers potentially gaining access to the personal information of millions of Australian customers. It’s one of the largest data breaches in Australian history, and the telco has confirmed that up to 9.8 million customers may be affected. So if you’re an Optus subscriber, you may be wondering what it means for you.
Optus first alerted customers and media to the cyberattack on Thursday afternoon after noticing suspicious activity on its network, which the telco says it shut down “immediately”. In addition to launching its own investigation, Optus has notified the Australian Federal Police and the Office of the Australian Information Commissioner, and is working with the Australian Cyber Security Centre to determine exactly how many customers could be impacted.
“While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance,” Kelly Bayer Rosmarin, Optus CEO, said.
“Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.”
What customer information is at risk?
While it’s currently unclear who or what was behind the attack, Optus has assured customers the breach has been blocked and that its residential and business phone and internet services remain safe to use. However, sensitive customer data, including names, birthdates, phone numbers and email addresses – alongside identifying documents such as passport and driver’s licence numbers – were among the info accessed by the hackers.
Hackers have been known to sell stolen information, particularly if an attack is financially motivated. However, Optus has not yet been able to confirm how much data has been exposed, or where that customer info may be circulating.
Fortunately, financial and payment details, account passwords, and voice calls and messages were not compromised, so data such as direct debit or credit card information remains safe. But both Optus and the Australian Competition and Consumer Commission’s ScamWatch branch have urged customers to watch out for signs of identity theft and, if needed, take extra steps to secure their accounts.
If you are told about a data breach, act quickly to reduce your risk of harm. We recommend keeping a record of what you do.
👉 What to do depending on the information involved: https://t.co/JelWAkld9M
👉 What to do if your identity has been stolen: https://t.co/yvFFYl1HuN
— OAIC (@OAICgov) September 23, 2022
I’m an Optus customer – what should I do?
Optus will notify affected customers directly to alert them that their data has been compromised, and has said it will offer high-risk customers additional resources such as expert third-party monitoring. But for now, Optus customers can take the following steps to protect their personal information.
- Change your email password and enable multi-factor authentication if available. If you have other important accounts linked to your email, such as banking and financial services, you should change those passwords too.
- Be conscious that scammers may contact you via email or social media, so keep an eye out for any messages that don’t seem right. Never provide passwords or personal details to anyone who may ask for them online and avoid clicking on suspicious or unsolicited links or attachments sent to your email or social media accounts.
- If you receive a call or SMS from someone claiming to be from a financial institution or other organisation, you should hang up or block the sender and contact the organisation by its publicly-available number to confirm the authenticity of the call or message. Do not open any links sent to you by SMS.
- Monitor your bank and credit card statements and any other personal financial accounts and flag any suspicious activity immediately. You can also place transaction limits on online banking.
- You may also want to request a copy of your credit report, and ask for a credit report ban if you’re concerned about scammers applying for loans in your name.
- If you have concerns about your Optus account, you can contact the telco via the My Optus app or on 133 937. Optus has also advised it will not be sending customers links in SMS or email messages, so again, do not open links or attachments purporting to be from the telco.
- For further info, customers can contact IDCARE, Australia’s free identity and cyber support service.
What else is Optus doing to help customers?
Optus said that its SIM-only brands Amaysim and Gomo, and Optus wholesale services (smaller telcos that use Optus’ networks and platforms, such as Aussie Broadband and Southern Phone) were not impacted by the attack.
Ms Bayer Rosmarin, who said Optus was “devastated” by the hack, promised that the company would work closely with Australian authorities and key financial institutions to help mitigate any impact to its substantial customer base.
In addition to contacting at-risk customers, Optus has temporarily halted SIM swaps and change-of-ownership requests from customers through online or call centre channels. However, customers can still change or replace SIMs, and update account ownership details, in person at any Optus store – you’ll just need to bring your ID.
SIM-swap fraud is a common identity theft scam that involves porting a victim’s phone number to a new SIM card in order to intercept texts and phone calls. The Australian Communications and Media Authority (ACMA) has recently introduced new rules to crack down on SIM-swap scammers, but even with tougher restrictions Optus customers should make sure to monitor their accounts in the coming weeks.
“While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” Ms Bayer Rosmarin said.