The fallout of the catastrophic Optus data breach continues with the alleged hacker now publicly releasing the details of 10,000 customers each day until Optus pays a $US1m ransom.
A cyber security expert says the breach exploited a weak API (application programming interface) which is a way for apps and devices to access data securely.
For example, when you look at your bank account with a smartphone app, the app uses an API to fetch the information from the company's server and present it to you after you have logged in securely.
In the case of Optus, the hacker reportedly found a vulnerability in the Optus API and was able to access the data of almost 10 million customers.
So what happens next? Here are all your questions answered.
Will Optus pay the ransom to get the data back?
We don’t think so. A cyber criminal isn’t exactly the most trustworthy person in the world, so who’s to say they will honour their word and give back the data if the ransom is paid?
We believe the data has already been offered on dark web marketplaces. And if Optus did pay the ransom, it would send a message to other hackers and make them a target for future breaches.
Optus has sent me an email – what do I make of this?
Optus is beginning to contact customers individually and inform them if any of their ID document numbers or details were part of the breach.
For most customers, ourselves included, the only information exposed was the name, date of birth, email, phone number and/or physical address associated with the account.
If you have received an email telling you that ID document numbers (passport, licence, Medicare card) have been compromised, Optus says it will help you take further action by providing 12 months of credit report checks to ensure your identity hasn’t been stolen.
I’m an Optus customer, what’s the best thing I can do right now?
If you’re an Optus customer, your details from this breach are already out there.
Thankfully the data harvested did not include passwords or any financial information.
But that doesn’t mean we don’t need to take care.
Our advice is to set up two-factor authentication on not only your Optus accounts but any other accounts including bank accounts and social media accounts.
This provides an added layer of protection to your account. One-factor authentication is simply having a username and password.
Two-factor authentication includes having a password and a unique code sent to your smartphone to prove it is you logging into your account.
So even if a hacker has your password, they will also need to have your phone in hand to receive that unique code to access your account.
What other precautions can I take?
It’s a good idea to keep an eye on your bank accounts, credit card statements and social media accounts.
The hackers may use your information to guess passwords and try your email address as a username for online accounts.
It also helps to have different passwords for all your online accounts just in case.
If you have the same password for every account – that means the hacker only needs to crack one password to access all your accounts.
I am a customer of a company that uses the Optus network – should I be worried?
No, this is only an issue with Optus customers whose data was stored on the Optus servers.
Customers of Amaysim, Aussie Broadband, Dodo, iPrimus and any other mobile virtual network operators that use the Optus network have nothing to worry about.
Their information is not stored on the Optus servers but with the respective company they subscribe to, which just happens to use the Optus network.
I’m an Optus customer – what can I expect to happen now my data is out there?
Customers whose leaked data included Medicare card numbers, licence numbers and passport numbers are more at risk of identity theft.
But the customers who had just their personal information leaked should still be on guard.
Email addresses will be used to bombard you with spam and phishing emails which try to impersonate your bank, a utility or the post office to direct you to a malicious site and steal your identity.
The risk now with these hackers having even more details about you is they can now use that information to send even more detailed and personalised phishing emails that may fool customers into thinking they’re real.
Unfortunately we’ve reached a point where you need to assume every email you receive asking for your details or offering any kind of help is a phishing scam designed to rob you of your money and your identity.
Check directly with your bank, the post office and the electricity or gas company if an email of this kind arrives in your inbox.
I used to be an Optus customer – does this affect me?
Yes, it does. According to Optus, the customer data hacked in the breach goes back to 2017.
Why didn’t Optus contact me sooner?
Optus chose to communicate with customers through trusted media sources rather than sending emails and text messages with links.
Optus wanted it known that if any customer received a text or email with a link, it was a scam.
After a few days, Optus began to contact customers based on the severity of the data that had been exposed.
If you were one of the first customers personally contacted via email you are among the most at risk for identity theft.
The last customers Optus contacted were those that had no ID document numbers or details breached.
If I decide to leave Optus – am I still at risk?
Yes, you are.
You are entitled to take your business wherever you want but, in this instance, the horse has bolted and your personal information has been exposed.
Taking your business elsewhere means you’ll have to share that same information with another company to start a new account while your compromised information obtained from the Optus hack is still out there.