Optus Data Breach - What should you do?
Being cautious about the amount of “Spin”
GroupSupport are aware of and have been monitoring the details of and fallout from the Optus Customer Data Hack that has recently been disclosed (Sep 2022).
The situation is still evolving and will have a huge impact on the Optus Brand. Its ability to provide customer reassurance in the future depends upon its behaviour during this period. The spin doctors are working full time to find the precarious middle line between full immediate disclosure and saving face.
We are aware that disclosure of breach details has been partial and slow at times, and there are many rumours circulating – some of which are true and some which are not.
It is important to understand that this event will have a wide ranging impact on non-Optus clients, the insurance industry and the Data Sovereignty laws to name a few. We would all do well to observe and learn lest it happen to us.
GroupSupport will continue to monitor the situation – and will issue updates and advice as relevant.
Over-riding principals
From the business point of view, GroupSupport urge clients to keep up to date with firewall and breach deflection technologies, practices and policies. The appetite / budget for such things is often inadequate, however the consequences of a breach are eye-watering. Clients and suppliers also need to ensure internal standards are high enough to naturally reduce system weaknesses.
It may be advisable to seek insurance for cyber threats, however GroupSupport advise clients to seek good advice of an agent who knows where to get good / current / salient policies (unfortunately these gems are often hard to find). There are many policies on the market that have a lot of fine print and caution is urged – if in doubt, look around.
Education, including education of staff, is a major benefit in such situations – having multiple sets of trained eyes being aware often means less “threats” will get through.
On all the above GroupSupport have options and information: contact our team for relevant engagement points.
Standard recommended practices
GroupSupport remind clients of the following list of recommendations:
- Change your Passwords reasonably frequently – like a minimum every 60 days.
- Don’t use the same password for everything (try variants that have to do with the login)
- Ensure two-factor authentication (2FA or Multi-FA ) is switched on where possible.
- Try not to use the same combination of secret questions for each account
- Be cautious releasing personal information. Verify those who ring you first, if in doubt, ring back by looking on the web and finding the office number.
Taking action if you are part of the breach
Based on the current information at the time of writing GroupSupport have compiled the following list of recommendations:
- Change your Optus Password and ensure two-factor authentication is switched on
- Anywhere that you have utilised the same password as your breached Optus Account needs to have its password changed
- Anywhere you have used the same secret questions needs to have the password changed
- If you utilise a credit card to pay your Optus bill approach your bank about reissuing the card with a new number
- If you are advised that your ID document numbers have been leaked your local Department of Transport needs to be contacted to issue a new license. We know that WA DOT is providing free replacement of driver’s licence with new details for those with proof of inclusion in the Optus breach. The email from Optus that specifies your ID document numbers have been leaked is considered to be this proof. (Note that there are two different emails that Optus customers have received as not all customers have had their ID document numbers leaked, only those with leaked ID numbers are eligible for a free licence replacement)
- The Passport Office are not issuing new passports leaving that at the responsibility of the passport holder. They have stated that due to strict processes hackers will not be able to travel under the leaked passport ID number and no photographs of the documentation have been leaked. The Passport ID number could however be used as ID in online applications in conjunction with other stolen data including name and address details. GroupSupport advises affected Optus clients consider undertaking a passport renewal at their own expense
- If you use direct debit to pay your Optus bills monitor for any suspicious transactions. Optus are advising no financial data has been breached however given the scale and breadth of the leak (and at times incomplete disclosure of similar things) it is advisable to be vigilant.
- Optus has advised they are going to lock number porting on affected accounts to avoid numbers from being ported away to other providers by hackers. If, however you were a client of Optus in the past and carried a mobile number to your new provider it is advisable to contact your provider and ask them to restrict number porting on that number to protect yourself.
- Optus are in the process of providing access to a free Equifax credit check locking service. Affected customers will be provided with access to this service for twelve months which can assist with protecting against data leakages and fraudulent use of credit facilities. (Thankyou to Bree from Tend Homeloans for alerting us to this actionable)
- Take extra caution when communicating with companies via phone, do not provide any details over a call that was not initiated by yourself and if in doubt call the company back yourself or attend a physical location.
GroupSupport will continue to monitor the situation and advise on further recommendations as they arise.
