What happened in the Optus cyberattack and data breach?
Reporting by the ABC’s Andrew Greene and BankInfoSecurity’s Jeremy Kirk suggests an anonymous account, “Optusdata”, posted an extortion threat for US$1 million to the telecommunications company via a popular hacking website. The cybercriminal gained access to the data through an open API. An API allows apps to talk or connect with each other. The Optus data breach was a human error, whereby the Optus API did not require someone to log in to access customer data and therefore the window of opportunity was created.
Whilst most up-to-date reports allege the Optus cyberattacked has backtracked on it’s randsom the data breach should be a huge wake up call for every Australian to take cyber security and safety seriously. Building lifelong habits of digital citizenship starts early. The Optus cyberattack and data breach is a great real world learning experience to share with your children.
What might happen to your personal information?
The data will be distributed across the dark web (sold at first, but eventually available for free). Cybercriminals may commit identity theft and fraudulent credit applications, or use the personal information to gain your trust in phishing attacks.
What personal information might have been compromised?
The credentials exposed as part of the Optus data breach, with potential risk include:
- Full Name
- Date of Birth
- Phone Number
- Physical Address
- Passport & Driver Licence Numbers
What are the potential risks of my data being shared?
The personal information which you may have trusted to be securely stored by Optus may now be in the hands of cybercriminals. These pieces of secure information may be used to create fake identities, set up online accounts in your name or to gain access your existing secure online accounts and profiles.
How can I protect my identity and personal data?
We should all be vigilant when handing over any personal information, even to trusted organisations such as Australian banks and telecommunication services. You can protect your personal data by ensuring you have strong password security, and limit who has necessary access to your personal information.
What can I do immediately to protect myself? (today)
Respond to the current threat by putting immediate measures in place.
- Change your passwords on your most vulnerable accounts. Consider a different password for each using a passphrase.
- Set up Multi Factor Authentication for your online accounts including your online banking, email, Apple/Google IDs and work/school logins.
- Do not trust text messages or calls from anyone saying they’re from Optus, subscription services, banking or ATO. If you think it’s legitimate, hang up and call back the official numbers for these suppliers.
What can I do in the longer term?
Over the coming days and weeks, we strongly recommend you take the following actions:
- Reduce the limits on financial transfers and spending on your banking accounts.
- Watch out for phishing attacks (text messages and emails).
- Look out for illegitimate and be suspicious of new social networking profiles of friends.
- Audit your social media profiles and feeds for any other personally identifiable information that may have been shared. Look for posts that include information that could be used as your security questions – such as your mother’s maiden name, schools you attended, first cars, or workplaces. These could be the final pieces of information a cyber criminal needs to gain access and control of your profiles or steal your identity.
- Get a copy of your credit report to check it’s accurate.
Where can I get help and support?
ID CARE: Optus has engaged IDCARE to support customers who have experienced misuse of breached information as a result of the recent Optus Data Breach. Optus DB response (idcare.org)
Additional and further support materials
- Scam Watch: Customers warned to watch out for scams following Optus data breach | Scamwatch
- Money Smart: Identity theft – Moneysmart.gov.au
- Office of the Australian Information Commissioner Respond to a data breach notification – Home (oaic.gov.au)
- Cyber.gov.au: Optus notifies customers of cyberattack compromising customer information | Cyber.gov.au
Looking to level up cyber security for you and your family? Check out our upcoming free webinar series for families.
Author: Trent Ray | Co-founder and Cyber Safety Educator, Cyber Safety Project