What to do about the Optus and future data breaches?

[Pushka]

Currently queued as Services SA for replacement licence. 30 minutes so far and I’d say another 20. Queue outside is growing steadily.

 

[kangarooflyer88]

Optus says yes to COVID travel relief package, providing Aussies with free passport renewals:

Government calls for Optus to pay for new passports if Australians data breached

www.9news.com.au

How kind of them!

-RooFlyer88

 

[MEL_Traveller]

No communication from optus yet from me… but I have from my other financial institutions (regarding the breach and steps for me to take).

I know I’m not one of the affected ones, but still… how can optus still be pfaffing about even with a generic ‘here’s what to be aware of’?

 

[exceladdict]

WA breach-ees now able to receive a new license: Advice for DoT customers impacted by the Optus data breach

 

[kangarooflyer88]

No communication from optus yet from me… but I have from my other financial institutions (regarding the breach and steps for me to take).

I know I’m not one of the affected ones, but still… how can optus still be pfaffing about even with a generic ‘here’s what to be aware of’?

In fairness it does take them some time to determine what specific information was leaked for each user since it seems that the data leak wasn't a one-size fits all affair (i.e. my passport details weren't leaked).

However, I do wonder how much credit Optus will give its customers for this stuff up? Perhaps a free month of service?

-RooFlyer88

 

[MEL_Traveller]

In fairness it does take them some time to determine what specific information was leaked for each user since it seems that the data leak wasn't a one-size fits all affair (i.e. my passport details weren't leaked).

However, I do wonder how much credit Optus will give its customers for this stuff up? Perhaps a free month of service?

-RooFlyer88

Accept that, but there could have been a generic email to say ‘yup, there was a breach… you’ll be notified in the next five days if you have been impacted… here’s what you can do in the meantime’… or words to that effect.

If my other banks have reached out, how come optus can’t?

 

[MelMel]

No communication from optus yet from me… but I have from my other financial institutions (regarding the breach and steps for me to take).

I know I’m not one of the affected ones, but still… how can optus still be pfaffing about even with a generic ‘here’s what to be aware of’?

I just received the email today, no i.d documents leaked (I had already worked that out) “just” name, address, dob and email.

 

[FishFood]

I've had some Optus services in the past, but probably with a previous email address. I'll have to trawl through a couple to see if it turns up

 

[MEL_Traveller]

Optus says yes to COVID travel relief package, providing Aussies with free passport renewals:

Government calls for Optus to pay for new passports if Australians data breached

www.9news.com.au

How kind of them!

-RooFlyer88

The Opposition didn’t want optus to pay… saying the government should waive passport fees instead.

Glad the taxpayer isn’t going to have to foot the bill for this one.

 

[kamchatsky]

After 4 hours on live chat with Optus, I got the free Equifax Protect code and registered for 12 months. Turned out that I have a pretty good credit score.

Still waiting for Optus to email me formal notification so that I can officially apply to have my NSW driver license number (rather than just card number) changed

 

[kangarooflyer88]

The Opposition didn’t want optus to pay… saying the government should waive passport fees instead.

Glad the taxpayer isn’t going to have to foot the bill for this one.

Yeah Optus should bear all the costs (and then some in fines) to learn a valuable lesson here. Putting sensitive customer information unprotected on the web is downright reckless. There is no excuse for it from a small business never mind a major corporation that is supposed to have cyber-security as one of their core competencies.

After 4 hours on live chat with Optus, I got the free Equifax Protect code and registered for 12 months. Turned out that I have a pretty good credit score.

Which is all fine and good but what happens after 12 months time when criminals will likely be using the information they harvested from the leak? I suspect if companies were forced to provide lifetime credit monitoring to customers impacted by a breach these events would be very rare occurrences indeed! Then again, credit monitoring by definition is reactionary, responding to identity theft issues after the fact. What seems obvious now is the systems used in the 80s and 90s to verify identity and provide credit are wholly inappropriate for today's OpSec environment.

-RooFlyer88

 

[Pushka]

After 4 hours on live chat with Optus, I got the free Equifax Protect code and registered for 12 months. Turned out that I have a pretty good credit score.

Still waiting for Optus to email me formal notification so that I can officially apply to have my NSW driver license number (rather than just card number) changed

In SA it’s really quick and they don’t ask for evidence. In the SA gov app it’s already changed. But I had my old one for almost 50 years!

 

[RAM]

The lack of follow-up by Optus is abysmal.

Got the 'news' early on Sept 24th:

"The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number."

No contact since. So what ID documents are they exactly?

Yesterday rang our health fund and the four security questions were among the data hacked from Optus. I mentioned this to the CSA and got the response - 'That is nothing to do with us, we aren't Optus'.

I suggested that anybody could call up and say change the banl account details for benefit payments, again no understanding. So Iasked whether any discussion had been held at the call centre over any additional measures - "Why would there be, nothing to do with us."

I had been thinking of changing health funds as yesterday was time for rollover premium, decision made, new health fund with additional question for ID.

Years ago a very knowledgeable security person mentioned that you should never use correct answers. So if say born in Sydney then for all security questions on 'place of birth' make the answer Toyota or October (make sure you write it down & be consistent).

Many places allow you to change your date of birth (for the security question).

Update: No, neither of those suggested answers are anything near what my bogus place of birth answer is!

 

[exceladdict]

Years ago a very knowledgeable security person mentioned that you should never use correct answers. So if say born in Sydney then for all security questions on 'place of birth' make the answer Toyota or October (make sure you write it down & be consistent).

That's a smart idea.

 

[lovestotravel]

Yeah Optus should bear all the costs (and then some in fines) to learn a valuable lesson here. Putting sensitive customer information unprotected on the web is downright reckless. There is no excuse for it from a small business never mind a major corporation that is supposed to have cyber-security as one of their core competencies.


Which is all fine and good but what happens after 12 months time when criminals will likely be using the information they harvested from the leak? I suspect if companies were forced to provide lifetime credit monitoring to customers impacted by a breach these events would be very rare occurrences indeed! Then again, credit monitoring by definition is reactionary, responding to identity theft issues after the fact. What seems obvious now is the systems used in the 80s and 90s to verify identity and provide credit are wholly inappropriate for today's OpSec environment.

-RooFlyer88

The 12 months offered by Optus is a pathetic joke, like the company they are and have been for the last decade.

I'm submitted a TIO complaint asking for $500 credit to cover close to 5 years of credit monitoring.

 

[jmacpher]

I am struggling to find out how I know what data was leaked? I got the generic email on 24th but nothing since. I have had my Optus account for decades so know no DL or current passport but I use direct debit payment and other details will be on file.

 

[Pushka]

The lack of follow-up by Optus is abysmal.

Got the 'news' early on Sept 24th:

"The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number."

No contact since. So what ID documents are they exactly?

Yesterday rang our health fund and the four security questions were among the data hacked from Optus. I mentioned this to the CSA and got the response - 'That is nothing to do with us, we aren't Optus'.

I suggested that anybody could call up and say change the banl account details for benefit payments, again no understanding. So Iasked whether any discussion had been held at the call centre over any additional measures - "Why would there be, nothing to do with us."

I had been thinking of changing health funds as yesterday was time for rollover premium, decision made, new health fund with additional question for ID.

Years ago a very knowledgeable security person mentioned that you should never use correct answers. So if say born in Sydney then for all security questions on 'place of birth' make the answer Toyota or October (make sure you write it down & be consistent).

Many places allow you to change your date of birth (for the security question).

Update: No, neither of those suggested answers are anything near what my bogus place of birth answer is!

You need to go into your account and paste the 2 links provided in this article The Optus Breach
which was on page 1 of this thread and that tells you what has been taken.

Post automatically merged: Sep 29, 2022

I am struggling to find out how I know what data was leaked? I got the generic email on 24th but nothing since. I have had my Optus account for decades so know no DL or current passport but I use direct debit payment and other details will be on file.

Same.

Pasted here.

First log-in here: https://www.optus.com.au/ and then once logged-in, visit this link and you should see a JSON encoded response that contains your personal information. Check in particular the indentType [sic] field, which should tell you what kind of document has been exposed; and the indentValue [again, sic—who wrote this data schema?] which in my case tells me exactly which document I should get re-issued.

Updated 2022-09-26 4:05 PM: If you don’t mind jumping through a few hoops, you can also confirm what street address details might have been exposed. To do that, first write down the numeric contactId value from the JSON response you got above. Then take the following URL https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/{contactId}?lo=en_US&sc=SS and copy and paste it into the address bar of your browser. Manually replace the part that says {contactId} with the numeric value you wrote down. It should return yet another JSON encoded response that includes street address information. This response for me also included the ID document information in the documentType and documentNumberfields, plus (worryingly) information that would seem to pertain to the expiration date of the document.

 

[OATEK]

I note that ServiceNSW advises as follows:

"enhanced protections which came into effect in NSW on 1 September 2022 requiring both the licence number and the card number to pass a Document Verification Service (DVS) check.

A DVS check is used by institutions such as banks to verify a person’s identity.

Both the licence number and the card number are required to pass a DVS check for NSW licence holders."

So I am guessing that unless Optus advise that the DL card Number was exposed, then DL will not be replaced as a matter of course.

 

[Pushka]

I note that ServiceNSW advises as follows:

"enhanced protections which came into effect in NSW on 1 September 2022 requiring both the licence number and the card number to pass a Document Verification Service (DVS) check.

A DVS check is used by institutions such as banks to verify a person’s identity.

Both the licence number and the card number are required to pass a DVS check for NSW licence holders."

So I am guessing that unless Optus advise that the DL card Number was exposed, then DL will not be replaced as a matter of course.

Trouble is that it’s only NSW (or SA etc) Governments who know to ask for the actual card number and not just the license ID card number for verifying ID. This is just passing the buck. Just issue new licenses. If SA can do it why not NSW?

 

[jmacpher]

You need to go into your account and paste the 2 links provided in this article The Optus Breach
which was on page 1 of this thread and that tells you what has been taken.

Post automatically merged: Sep 29, 2022

Same.

Pasted here.

First log-in here: https://www.optus.com.au/ and then once logged-in, visit this link and you should see a JSON encoded response that contains your personal information. Check in particular the indentType [sic] field, which should tell you what kind of document has been exposed; and the indentValue [again, sic—who wrote this data schema?] which in my case tells me exactly which document I should get re-issued.

Updated 2022-09-26 4:05 PM: If you don’t mind jumping through a few hoops, you can also confirm what street address details might have been exposed. To do that, first write down the numeric contactId value from the JSON response you got above. Then take the following URL https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/{contactId}?lo=en_US&sc=SS and copy and paste it into the address bar of your browser. Manually replace the part that says {contactId} with the numeric value you wrote down. It should return yet another JSON encoded response that includes street address information. This response for me also included the ID document information in the documentType and documentNumberfields, plus (worryingly) information that would seem to pertain to the expiration date of the document.

thank you! All very confusing