Your 7-Minute Briefing on Where We’re at With the Optus Data Breach

On September 22, Optus disclosed it had fallen victim to a cyber attack. At the time, little was really known about what had actually gone down, with many Optus customers concerned about what this data leak meant for their personal data. Now, it’s best to refer to the incident Optus suffered as a data breach, but details are still very scant.

Every week, we hear about data breaches or cyber attacks of some description. Unfortunately, this one was a little too close to home to be swept under the rug like many others are, and everyone’s eyes have been on Optus for the eight days following.

Whether or not you agree with the way Optus CEO Kelly Bayer Rosmarin has handled the aftermath of the data breach, or if you take issue with the way the telco chose to tell customers, the long and the short of it is data on millions of Australians, data that can be used for fraudulent activity, is out in the wild.

Optus is yet to provide an analysis of what exactly happened, but what we know is that data on current and former customers, such as name, address and date of birth, and in some cases driver’s licence, passport or Medicare info, is at risk. We also know that customers of Optus-branded telcos (Virgin Mobile, Gomo) may have been impacted. Customers of MVNOs like Amaysim, Coles Mobile and Catch Mobile have not been impacted by the data breach, which a previous version of this article mentioned was a possibility.

Let’s break things down a little.

How did the Optus hack happen?

Optus on Friday 23 September held a press conference to answer a number of questions the media had about the data breach, with Bayer Rosmarin saying frequently throughout that she couldn’t divulge details.

“I know people are hungry for details about the exact specificity of how this attack could occur but it is the subject of criminal proceedings so we will not be divulging details about that,” she said.

“Exact mechanics are subject to a criminal investigation and we won’t be divulging that. Safe to say, it’s a sophisticated attack and we will not be divulging further details at this stage,” she said in response to the same question a little later.

It’s a similar story when talking to Optus PR – their hands are tied with what they can say. But that hasn’t stopped speculation. It’s been widely reported that the company left open an API that revealed customer data to anyone who visited it. The Australian Financial Review pulls this apart a little more, but the crux is that, if so, it would no longer be considered a “hack” but simply very poor security on Optus’ behalf.

The CEO did not touch on how the data was accessed – as in, why wasn’t it encrypted? Gizmodo Australia reached out for confirmation on whether the actor/s got their hands on encrypted data, or if it was just chilling in a database unprotected. This is what Optus said in response:

“Optus can confirm that the information that was accessed was encrypted and had additional security solutions enabled. Unfortunately, due to the sophistication of the attack, the hackers were still able to gain access.”

Put simply, without a proper diagnosis, it looks like straight-up-and-down theft made possible by leaving the metaphorical side door of the house ajar.

What data has been breached by Optus?

This is where things get a little confusing.

Information that may have been exposed in the data breach includes customers’ names, dates of birth, phone numbers, email addresses and, for a subset of customers, addresses and ID document numbers such as driver’s licence or passport numbers. It has also emerged that Medicare details are included in the batch of breached data.

Payment details and account passwords have not been compromised, Optus said.

As reported by Jeremy Kirk, a person calling themselves “Optusdata” published two samples of the purported stolen data on a well-known data leak forum early Saturday morning. The internet had fun with this one, as the extortion demand was $1 million, less than the cost of a house in Sydney.

It is believed the hacker had released 10,000 customer records, threatening to release another batch of 10,000 records each day for the next four days until Optus paid the ransom. This was shortly followed up with a screenshot from the alleged hacker essentially saying they were no longer going to be causing Optus customers pain. Even if the screengrab is legitimate and the hacker has deleted the rest of the info as claimed, others have potentially copied it.

Why would they delete the data? Well, with the AFP and some of Australia’s best cyber minds on the case, it’s likely the hacker is shit scared of being found and wanted to wipe their hands of it and walk away. But, as we said above, this data could have been copied. So there’s still a big threat to the data of everyone that is, or has been, an Optus customer.

How do I know if my Optus data has been breached?

At this stage, it’s safe to assume your data has been breached if you are, or have been previously, an Optus customer. Optus has confirmed approximately 1.2 million customers have had at least one number from a current and valid form of identification, and personal information, compromised. Optus has communicated with these customers and recommended that they take action to change their identification documents. In addition, approximately 900,000 customers have had numbers relating to expired IDs compromised, as well as personal information.

For now, the focus is on those 10,200 the hacker claims to have leaked. But you should assume you are one of the 10,200.

The AFP today launched “Operation Guardian”, which is essentially set up to spot abuse of ID info as the result of the Optus data leak. It followed Optus offering the “most affected” current and former customers whose information was compromised the option to take up a 12-month subscription to Equifax Protect at no cost. Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft.

The Office of the Australian Information Commissioner (OAIC), which oversees Australia’s Notifiable Data Breaches (NDB) scheme, is also looking into the Optus cyber attack/data leak.

Usually, we’d send you to our ‘How to know if you’ve been caught up in a data breach’ guide, but in this case, with passwords not breached (as we understand it), things are a little different. If your Medicare or Centrelink account has been compromised, you can call Services Australia’s Scams and Identity Theft Help Desk on 1800 941 126. Reach out to your bank, too, if you want to chat with them about anything regarding financial fraud.

Why would Optus have Medicare numbers?

On Wednesday night, Optus confirmed almost 15,000 active Medicare details had been accessed in the data breach. Medicare numbers have been breached before, in 2017. An official inquiry noted trade in stolen Medicare numbers on the dark web. The 2017 breach was apparently much larger, but the Optus numbers may grow as the investigation continues.

Why Medicare numbers? Well, just like driver’s licence/passport info, Medicare details form part of a 100-point ID check, required to obtain many accounts in Australia.

Addressing questions around why passport and/or driver’s licence information was stored by Optus in the first place, let alone caught up in the cyber attack, Bayer Rosmarin said it’s a legal requirement to store it for six years.

Attorney-General Mark Dreyfus says he believes companies should not need to keep customers’ identification on file after checking it and, according to SBS, has indicated he is seeking to implement reforms to the Privacy Act.

The Optus data leak has become somewhat of a political football, but state governments are doing a few things to help those in their jurisdiction, offering up replacement driver’s licences and other ID cards. It’s best to check with your local authority. The federal government has also called on Optus to pay the cost of new passports for Australians.

External review

Optus over the long weekend announced it was appointing Deloitte to conduct an independent external review of the cyber attack, as well as the telco’s security systems, controls and processes. As part of the review, Deloitte will undertake a forensic assessment of the cyberattack and the circumstances surrounding it.

That’s it for now, we’ll keep updating this article as we learn more about the Optus data leak.

This article has been updated since it was first published.

