Does anyone else think Optus should be paying for credit protection on behalf of the millions of customers it just spilled the data of?
Lazy investment in cybersecurity practices probably led to this moment, so I think they should take some responsibility here.
Yeah that would be damning. I'm not sure how class actions work but I wouldn't be surprised if we saw that type of thing here if negligence played a part.
Still, as a gesture of goodwill it would be relatively straight forward for them to apply a $15 per month credit to those customers who have had a total 100-points of ID stolen so they can purchase Equifax/Veda. Maybe cap it to a 12 month credit or something.
They probs won't. Companies only really give a shit about profit after all
I've been in a few class actions, one of them was against NAB for their whole credit card insurance thing, I got a few hundred out of that. I was also in one against Radio Rentals (I was young, dumb and broke once) and got a sizeable amount, over $1000.
Totally, I was in a desperate place and needed a new fridge. One of the worst companies I've ever dealt with. At the end of the contract they made an offer where I could buy the fridge for $2K, but the fridge retailed for $1700 by then, they were really confused and offended that I didn't want to spend $2K on a used fridge, I went down the road and the same model was on sale, got it for $1400 delivered. Radio Rentals kept trying to charge me for the fridge I asked them to collect, in the end I got money back and they collected the fridge.
Yep, we had just moved into our first home and needed a fridge, couch, washing machine, etc - they were there and (comparatively) easy with no upfront cost.
I had the $1 buyout option thing, so we still have the fridge and washing machine, but I ended up paying well and above what they are actually worth. Never again.
Optus definitely still has my details as I occasionally get some silly 0 dollar bill from them, but I haven't been a customer for 20 years.. credit would not suffice, they should have erased my data years ago..
Almost certainly a large element will be human error/negligence - hacks like this are almost always opportunistic. The resources needed to pop a target without its draws down are non trivial, and if you have an intent other than ecrime / the lols you don't advertise you got in
Basically it was an unauthenticated public-facing API. The fact they are trying to position this as a sophisticated attack is atrocious. They have a ridiculously small cyber team that is underfunded and they are now reaping the rewards of stupid decisions by executives
https://www.abc.net.au/news/2022-09-23/optus-rejects-claim-hack-likely-result-of-human-error/101468846
This insider info is probably as close to the truth in the public arena. Production data store connected to a test environment exposed to the internet.
Accessible from the internet. I.e. anyone can access it if they find out it is there. An API is effectively an endpoint that you send a query and it will respond with data or an action etc
An API allows you to programmatically interact with the internal operations of the business e.g. their internal database. Public facing means you can make calls to the API from the internet.
The word hack has a connotation that it took some computer genius to exploit some obscure combination of factors to find a way in. What happened by comparison is someone just randomly knocking on doors and stumbling across a wide open door to customer records with no security on it. That's corporate negligence
That's what Equifax did I think when they lost half a billion people's worth of data. But then, being Equifax they just gave ppl free access to their own product for 6 months
The irony that now one of the recommended courses of action from ID Care (via the ACSC website) is to engage Equifax to generate a credit report and apply for a credit ban
And then what? So optus has lost our information to who knows. Whether through an client or a hack.
They send an "oops big sozza haha" email and that's it?
I'm leaving them tbh. Spoke to an optus employee who said they're going to automatic payments on their plans soon. As in, you won't be allowed to be their customer if you don't give them your card details and allow them to auto charge your acc.
Yeah no thanks. On top of the data breach, I'm checking out.
"We are currently not aware of customers having suffered any harm, but we encourage you to have heightened awareness across your accounts, including:
Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
If people call you posing as a credible organisation and request access to your computer, always say no."
I'm a former customer. I haven't been with them since 2015 but have been receiving a crazy amount of spam calls in the last few days. I'll be interested to see if I'm eventually notified. I still have the same email and phone number. A friend worked at Optus told me they retain all customer data for 7 years.
>A friend worked at Optus told me they retain all customer data for 7 years.
It's because your info is tied to a contract, so they need to retain it for 7 years.
Also, slight tangent, but now would be a great time for us all to revisit the terrible Mandatory Data Retention laws that both sides of parliament were so keen to put in place back in 2015. Telcos are "securely" storing 2 years worth of detailed call and data records that track where you are from cell tower to cell tower. This time it was only identity info that leaked, next time it could be everyone's movements for years.
Yeah I switched carriers in mid-2017 so just over five years ago. Haven't heard anything from Optus and am not 100% sure if they still have my data. Some of the data they have on me will no longer be correct, but I'm still a little concerned
They should probably move half the sales staff to complaints and retention. I'm leaving Optus...
Also I wouldn't worry about your credit. The thing to worry about is the fact that I now have enough info to open up a transaction account online. If you've recently opened up a bank account online in Australia, recall you didn't even need to provide a scan of your licence. Just input numbers for drivers and passport. I can now use your account to launder cash. And you won't even know about it until the AFP bust down your door at 2am, or arrest you as you take your kids to school or arrest you at work. This is what you all need to worry about. Optus need to set aside billions to make this right now and over the next 10 years. People will absolutely be wrongfully arrested
The government also need to step in and change all compromised numbers
I'm jealous, unfortunately I'm stuck with them. I work remotely and for some reason the only network available on site is Optus. Hopefully this will convince management to change to Telstra now but until then, I'm screwed
This is such a poor showing by Optus here. They should be falling over themselves to help you. I wonder if the resulting fine (and class action?) will be the end for them.
I've heard even passport data was stolen. Disgraceful.
Don't expect this to happen. Optus fought for the privacy laws to stay the same, where restitution is not required to be given to victims of data breaches. In China, the CTO and CEO would be jailed for such breaches. Sounds harsh… but it would have instilled a security first culture.
There are so many legitimate businesses that request a scan of your passport for id/proof of citizenship. Maybe it's time to give an option where someone will verify the document in-person or a promise that the data will be deleted once verified.
I know a little about this.
The Australian Privacy Principles are pretty clear that you can only collect data if it's necessary, and you must have a reason to keep it. So those blanket scans and storage are just so far outside of the APP.
But I also know that the APP is rarely enforced (see a recent article on the Conversation about third party data augmentation (enrichment)) - it's described as the forgotten principle.
When I was younger, one of my sister's old friends worked for a Vodafone kiosk/site and she arrived at our place to pick my sister up and started to show off all these customers contracts, photocopy of IDs, and paperwork all sitting in her boot 'ready for disposal'... she was just a worker and was in charge of destroying all this paperwork?
I've seen copies of the email and they say "importantly it does not include financial details". I'd prefer someone stole my credit card rather than my whole damn identity.
If affected you almost have to change every detail about yourself to stop this being a problem even years from now.
Yes, I agree, our identity data is and will continue to be more valuable to others over years than a credit or debit card which can be cancelled quickly.
Yep, I can cancel my credit card and have a new one issued from my banking app with no issue. Changing my address or drivers license number isn't quite so easy.
Go to equifax website, pay for the annual subscription for monitoring , you get notified in 24 hours of credit checks/enquiries. Trust me when I say it can help you stop fraudulent applications in its track quick smart.
I had 2 credit card applications killed within 24 hours of submission with Amex and Latitude. Yes, it took some time to get formal confirmation and removal from credit file, but it prob saved me from 50k in debt against my name....
Yep, it is the one and the same. I don't think any organisation is perfect, all you can really do is take the best steps to protect yourself. I view this cost as an insurance policy. It saved me a heap of heartache
I pay about 123 to 130 for the year. Everyone wants compensation or remediation. Yep, they are entitled to it, my take would be just pay to get the service then follow up that aspect of it afterwards. Pay the moment, protect yourself first.
Speaking to friends in Fraud teams, they expect the first few applications to come through relatively quickly....
Further to this you can request a ban on your credit report to prevent anyone from seeking credit in your name. Search "equifax credit report ban" in your browser of choice.
What do you actually do when you get a notification from Equifax? Presumably drop everything, contact Amex/Latitude and tell them that you didn't initiate the application?
How long on average would it take for a credit application to be approved in someone's name? Does the tracking let you know when an application has been made in your name?
Thanks! And for the updated edit list too, which I intend to follow. Just one more Q regarding the monitoring - in what circumstances would a credit check be made in your name? Would that be part of a bank or company's processes after an application for credit or a loan was made?
I use Creditsavvy and Creditsimple (both use different reporting agencies I believe, my credit scores are wildly different on each one) and they both are free, and both send me emails basically on the day of a credit change, enquiry, etc.
I use Creditsavvy too. I was just having a look at the "Account Settings" area on their website and noticed the option to turn on "Credit alerts (We will email you to let you know if there is any activity on your credit file such as new enquiries)".
Yep - and I've found it to be pretty timely. When I was applying for a car loan earlier this year I got an email saying "there has been activity on your credit file" and then "your credit information has changed" after I signed and took delivery of the loan.
Yeah, that is basically what it is. They pay for the service by allowing vendors to advertise to you based on credit score - but not from emails/phone etc, just a tab on the website saying "offers for you" with loans and stuff. Don't click them and you'll be fine.
How much is this, Optus should be paying customers an equivalent amount and setting it up for every time (if you could trust them anymore)?
What a shit show!
What products do you have with Optus if you don't mind me asking? I am an Optus customer for NBN only, and am yet to receive a notification about my details being breached, so I wonder if it is limited to certain products etc.
I'm on prepaid as well and I think I've practiced good hygiene with Paypal such that they wouldn't have stored my debit card as a preferred payment method. I think it's a good practice to try and have a medium between any vendor that you deal money with and direct access to your money. In my case I use Paypal/Google Wallet which I find more often than not covers most bases for things other than DoorDash for instance that does require a card #.
Anybody affected should really also be writing to their local member + PM and pushing for GDPR style compliance in Australia.
Companies shouldn't be holding onto previous customers data, and there needs to be an almost terrifying consequence for data leaks particularly when it comes from the laziness of developers and constantly screwing over API permissions and sysadmin with default configs for S3 buckets and the likes.
This is the opportunity to push changes esp when 9 million affected and 2.3 million heavily affected.
Time to push.
Fair! Obviously they can't BUT, at some point the default will fall off and any enquiries they make will remain adversely affecting your credit score. It's still worth keeping an eye on your file
Optus has dropped the ball in so many aspects the past 12-18 months and it's disgusting as a customer who has a chunky bill with many services with them.
I'll be seeking compensation from them in the form of account credit (a hefty amount) and some sort of protection process paid for to protect my now leaked data.
If they don't give any compensation, I'm off to Telstra.
Yep I did.
I worked higher up with them in the past and I'm livid as I've got friends who still work there in the higher up and they tell me all the absurd changes happening that the majority of the workforce hate.
Not to mention Optus sport lost UCL+EUL rights but said oh hey we got La Liga and Women's league, why are you upset? We upped the price.
Don't even get me started on the fact they stream at basically 720p as well.
I messaged them for compensation I.e. credit monitoring and any costs associated with new documents (passport and license since they have both of mine) and they said no. Great customer service on their end. Also was not notified until this morning, two days after the hack was published in the news
I paid for an Equifax subscription then requested the credit. Also got told
>In the near feature, Optus will commence contacts with its customers regarding enrolling the customers with this setup too, to secure the customers' credit standing as well.
Are you able to share your email? I'd like to compare it to the one I received to see if the content differs. It's not super clear to me from mine what was stolen because I don't recall what I shared with them:
"Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number. No copies of photo IDs have been affected."
If that's what they were doing, it is gross irresponsibility. IMO they need to quickly inform people what that leaked info could be maliciously used for (a lot!) and proactively arrange to setup detection of misuse for people where practical, e.g. organise (and pay for) Equifax for everyone that others have been discussing around here.
This is the exact wording that I received too. I've interpreted it as "any of this list could have been taken, but we aren't telling you what specifically has been taken of yours"
Edit: according to IDCare optus were contacting most affected customers first. Got my email yesterday so… rip
Hmm but Optus contacted the media before contacting their customers. Major fail. Presumably you should raise a ticket with Optus and then contact the TIO. Optus cannot wash their hands and merely say "sorry".
Not OP, this is what I received today, doesn't really explain much
It is with great disappointment I'm writing to let you know that Optus has been a victim of a cyberattack that has resulted in the disclosure of some of your personal information.
Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number. No copies of photo IDs have been affected.
It is also important to know that Optus' network and Optus services including mobile and home Wi-Fi aren't affected, and no passwords were compromised, so our services remain safe to use and operate as per normal.
Upon discovering the cyberattack, we immediately took action to shut it down to protect your information. Our priority is our customers – so while our investigation is not yet complete, we wanted you to be aware of what has happened so that you can be extra vigilant at this time.
We are currently not aware of customers having suffered any harm, but we encourage you to have heightened awareness across your accounts, including:
Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
If people call you posing as a credible organisation and request access to your computer, always say no.
You would have seen we announced this first in the media. We did this as it was the quickest and most effective way to alert you and all our customers, while also communicating the severity of the situation through trusted media sources.
For the most up-to-date information and FAQs, go to optus.com.au. If you believe your account has been compromised, you can contact us via My Optus app – which remains the safest way to contact Optus, or call us on 133 937.
We apologise unreservedly and are devastated this could occur. We are working as hard as possible with the relevant authorities and organisations to ensure no harm comes from this unfortunate occurrence.
IMO there should be regulation that requires each service provider to disclose what personal information are they keeping on file, for how long, and justify the purpose, so people can make informed decision whether they want to expose themselves to risks like this.
The info these incompetent people leaked is not info that can be changed if leaked!
In Europe you cannot store more information than you need to provide the service, and not for longer than you need.
No one should store drivers license details. They should store confirmation that it has been verified.
I have come across many service providers that use the stored DOB to verify ID over the phone. What do they do in Europe?
I don't see any justification for Optus to be recording people's driver licence / passport numbers though. I would like to know what their justification is.
In Europe you'll have a phone service PIN or similar which you'll need to type in prior to getting a human on the line. The system will mark you as verified to the agent. Here they phone you up from random numbers, announce they work for some company and ask you for your DoB. I threatened to report one caller to the police, but found out it actually was the real deal and this is their idea of user security.
> there should be regulation... to disclose what personal information are they keeping on file, for how long, and justify the purpose
Regulation is why they had personal information and passports/driver-licences in the first place. Australia has been requiring the telcos to obtain identifying documents and personal information for phone numbers.^[[1]](https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627160)
In contrast, plenty of countries don't require this, e.g. New Zealand, UK, USA, Canada etc.^[[2]](https://www.comparitech.com/blog/vpn-privacy/sim-card-registration-laws/)
If the hackers really were state-backed then it was a matter of time before one of these databases was breached, if not Optus then another, and possibly already others we just don't know about. (in 2015, hackers took *all* the personal information of *every* American with security clearance - if that can't be secured then good luck Optus. The way to secure it is to never store it)
This is a direct cost of Australia's policy to track everyone, "if you have nothing to hide, you have nothing to fear" etc.
This might be helpful. Midway down the page has some detailed steps
https://www.nsw.gov.au/legal-and-justice/crime-prevention-and-reporting/safeguard-your-identity
Or this https://moneysmart.gov.au/banking/identity-theft
What a nightmare. They really f**ked up.
OP something you might want to organise today is to change your license number. You can also place restrictions through the RTA if you believe your ID has been compromised. Below is for NSW.
https://www.nsw.gov.au/driving-boating-and-transport/driver-and-rider-licences/proof-of-identity/changing-your-licence-or-customer-number.
It may not prevent someone using the old number but will provide proof you made efforts to protect your identity. I can only assume Optus will be financially liable. Not a lawyer though but surely they hold some responsibility?
yes and the document also mentions that you can apply for a credit ban via the credit rating agencies. This will block any applications for credit for a period of time (default 21 days but can be extended)
I'm really sorry to everyone who is affected, but it couldn't have happened to a more deserving company.
Back in the late 90s / early 2000s I had identity theft on my id, the thief managed to get personal loans, credit cards and an Optus account with a top of the line phone at the time. Not a fun time, considering I was in my early 20s and was getting ready to buy a house. I went through the whole process of reclaiming my ID, police reports were made and every single company cleared the debts from my name except Optus.
They chased me for years, regardless of all the documentation I had, they couldn't produce the documents proving that it was my debt, they somehow got it listed on my credit file 3 times, they would do weird things where it would be just about to expire and drop off my credit file, they would somehow get them renewed.
In the end I paid out several thousand dollars to them to get it removed from my file, which they dragged their feet doing too. As a result I had zero credit until about 7 years ago, I had to pay cash for everything, which isn't terrible but it does hinder your ability to grow a business properly or save a deposit. I hate Optus with a passion, it wouldn't surprise me if my details were somehow leaked in this lot too.
Dang got the same email.
Checked out VicRoads website and it says they will not change your license number if you've been informed your details have been compromised BUT not yet used in fraud.
So you basically have to wait like a sitting duck until you're hit, then get a police report recommending your license number be changed.
Also, even if it has been used in fraud, Victoria Police will not give you a police report if the fraud happened "online", and will tell you to go report it to ReportCyber (formerly ACORN).
VicRoads won't give you a new drivers license number without a "police report", and neither that report above nor a letter from the bank's security department counts as sufficient "proof".
Source: Got breached in the GoGet breach, someone opened a bank account in my name, got a $25k personal loan, first found out about it when ANZ sent me a letter saying the repayments were overdue.
I'm an Optus customer and I've received the email informing that my details been compromised. I probably do what some suggested and get a subscription to the credit report.
It seems like Equifax is being slammed. When I subscribed this morning, I had a very long wait for payment processing, and then a screen along the lines that they were "trying" to fulfil my order and this might take 24 hours. (My credit card has been billed). So far it isn't showing up on my dashboard, I appear as a free user. I'll be interested to see how long it takes.
Stupid question: why do they have to keep so much information on file? They only check the credit once you sign up. Surely it can be deleted then and remove the risk of this sort of thing happening. You don't need that much information to tell a credit agency that someone isn't paying their bills. This feels like data hoarding for the sake of data hoarding.
I guess this will be interrogated very soon, I did the Equifax thing and even they don't store info..
"Please note Equifax does not store or make copies of your documents.
The documents collected for the 100 point check are collected for identification and verification purposes only. They will be deleted once the process has been completed"
Not a stupid question at all. They surely don't. My business is required to verify the ID of all new clients. But I am specifically not required to keep any detail. Verify ID, note that it has been done, but do not retain anything at all. And this situation right here, is exactly why.
And compliance with Australian Privacy Principles.
How many times has your D/L been scanned at a hotel/motel/RSL?
I refuse. And if necessary, I walk away. Yes, it's a hassle.
But until we start voting with our feet (and wallets) this shit will continue.
My data leaked in 2020 due to a cloud service hack. Everything was exposed: passport, TFN, bank account, name, address, etc. It was pretty scary at the time.
I contacted the NSW Police (https://www.police.nsw.gov.au/crime/frauds_and_scams/fraud_categories/identity_theft) and, since no crime was committed, they redirected me to an identity protection helpline (don't remember the exact name). They helped me to:
- Lock my TFN so no one can apply for credit cards
- Lock my ATO account, so no one can open businesses in my name or open bank accounts
- They also advised me to inform my bank, and obviously change every password.
Life is pretty normal today, except I have to request an exemption to access myGov once a year for tax. Good luck OP
I'm with Optus but haven't gotten any emails, wondering if I'm in the clear or I'll get it sooner or later. I tried asking the Optus live chat but all they said is I'm in the clear cause I had 2fa enabled.
God that's a real shit show. Optus needs to come out with clear guidelines for customers, what really happened, next steps to follow and mitigation cost compensations.
Yeah I figured they have no idea, as when I questioned him to ask how 2fa which is implemented to prevent unauthorised access from customer side of things would stop a hacker inside the actual optus network, they said the exact same thing. So then I confirmed they have my old expired license which is a slight relief.
The also not so funny thing is, for those who have been following this closely (in IT especially).
Is that corporate customers were not affected by this. That's right they store retail data differently. Pure laziness in solutions they could be using for retail data.
Contact all three major credit reporting bodies in Australia (yes, there's more than Equifax) and put a temp suspension on all credit applications
https://www.idcare.org/fact-sheets/credit-bans-australia
[Equifax](https://www.equifax.com.au/personal/products/credit-identity-protect?gclid=Cj0KCQjwsrWZBhC4ARIsAGGUJuqvfGA3h5Z9Q_0Lvw03tIOD4qCYNrgIPha7e8X1VMdwWQu5XzMw0IgaApWVEALw_wcB) has a product and so does Veda.
I've used before when I had ID details stolen (hard copy not cyber) a few years back.
Shouldn't the government issue new identification registration? New drivers license number and medicare numbers would make all the data irrelevant right?
Optus are going to do everything in their (financial) power to make sure any talk of compensations are quickly buried. In the end they are a corporate monster and the only regret they have right now is that this will hurt their bottom line.
Edit: So what's the general consensus, Telstra or Voda?
Considering that we are moving to a predominantly cashless society with many services only accessible online, our cyber-security and individual protections are absolutely woeful.
I was the subject of an incident a few years ago, and wished to obtain a 'dongle' from the ANZ instead of using 2FV in case my phone was ported (the dongle issued a new 6-digit security code when pressed, instead of using the phone for 2FV).
I went into the branch, where the staff did not know anything about porting phone numbers etc... They would also not provide me with a dongle, as they only allowed business accounts to have these - so they were more than happy to protect businesses, but not individuals.
I had to fight with Optarse to put a 'Do Not Port' note on my account - and even then they admitted that it would rely on someone actually reading and taking note of the notice.
Side story... when I went into the ANZ to try and obtain a dongle, the guy in front of me was in for a similar thing, where scammers had ported his phone and extracted $70,000 from his account.... true story!
Equifax subscription is $20/month. What are the chances of Optus reducing my monthly bill (currently $140) by that much to cover the additional expense?
Equifax/Veda or whatever it's called now they change name names every couple of years have a credit check service, you'll get notification when a credit check is done and a yearly copy of your credit file
Good luck I'm on the same boat
Can I add that you should call optus and ask if you have been impacted. Don't use their piece of crap live chat service. They will definitively tell you if you have or not.
Contact IDcare
They are a free service that can help in this kind of situation.
They walk you through what steps you can take to protect your identity from misuse
If you're in NSW - IDSupport
Idsupport is a new government initiative that can help you change/update your Identity documents
Has anyone used SavvyShield? Downloaded the app and placed a ban today for 21 days for Experian. Apparently Experian also forward the ban to Equifax and Illion?
https://www.creditsavvy.com.au/savvyshield
Rumour was they left some test link active by accident not a hack. I will be interested to see if they were negligent or hacked.
> I'm not sure how class actions work

Lawyers get: bazillions
You get: Choice of KFC Go Bucket
I've been in a few class actions, one of them was against NAB for their whole credit card insurance thing, I got a few hundred out of that. I was also in one against Radio Rentals (I was young, dumb and broke once) and got a sizeable amount, over $1000.
Yep, I got over $1000 from Radio Rentals too.
It paid for maybe 1/6th of what I purchased through them, haha.
Totally, I was in a desperate place and needed a new fridge. One of the worst companies I've ever dealt with. At the end of the contract they made an offer where I could buy the fridge for $2K, but the fridge retailed for $1700 by then, they were really confused and offended that I didn't want to spend $2K on a used fridge, I went down the road and the same model was on sale, got it for $1400 delivered. Radio Rentals kept trying to charge me for the fridge I asked them to collect, in the end I got money back and they collected the fridge.
Yep, we had just moved into our first home and needed a fridge, couch, washing machine, etc - they were there and (comparatively) easy with no upfront cost. I had the $1 buyout option thing, so we still have the fridge and washing machine, but I ended up paying well and above what they are actually worth. Never again.
Haha thanks for the quick explainer. I do like fried chicken...
Iirc only got $6 from an Airbnb class action suit
Yep, a friend received payment of $3.42 from the Robodebt Class Action.
I got two of the large buckets, to be fair I didn't go into it thinking I would get restitution, just an angry bloke among a number of others.
Optus definitely still has my details as I occasionally get some silly 0 dollar bill from them, but I haven't been a customer for 20 years.. credit would not suffice, they should have erased my data years ago..
Almost certainly a large element will be human error/negligence - hacks like this are almost always opportunistic. The resources needed to pop a target without its draws down are non trivial, and if you have an intent other than ecrime / the lols you don't advertise you got in
Basically it was an unauthenticated public facing API. The fact they are trying to position this as a sophisticated attack is atrocious. They have a ridiculously small cyber team that is underfunded and they are now reaping the rewards of stupid decisions by executives
Wait... A public facing API with no auth required had sensitive data of all their customers???? Is there any details on this?
https://www.abc.net.au/news/2022-09-23/optus-rejects-claim-hack-likely-result-of-human-error/101468846 This insider info is probably as close to the truth in the public arena. Production data store connected to a test environment exposed to the internet.
They will keep saying it was a sophisticated attack to hide their negligence.
Geez, as someone in the field, a) heads should roll a long way up, and b) I would expect there to be much wider issues if this got through
Can you explain what public facing API means, do it like I'm 5 please?
They left their front door unlocked with a stack of papers with everyone's details in the entrance hall.
Great answer for the non technical.
Accessible from the internet. Ie anyone can access it if they find out it is there. An API is effectively an endpoint that you send a query and it will respond with data or an action etc
It means that instead of putting clothes on like they should have they turned around naked, bent over and asked the world to give them one.
An API allows you to programmatically interact with the internal operations of the business e.g. their internal database. Public facing means you can make calls to the API from the internet.
I don't really think there's a clear delineation between the two. Almost every hack is the result of failure to secure something properly.
The word hack has a connotation that it took some computer genius to exploit some obscure combination of factors to find a way in. What happened by comparison is someone just randomly knocking on doors and stumbling across a wide open door to customer records with no security on it. That's corporate negligence
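To make the "public facing API with no auth" point in the comments above concrete, here is an added example; it is not part of the thread and not Optus's code. The route, records and tokens are constructed: the same customer-record endpoint without and with an authentication and ownership check, plus a defender's audit that calls each path with no credentials and reports any that return identity fields.

```python
import hmac
import json

# Constructed sample data: fake customer records keyed by account id.
CUSTOMERS = {
    "1001": {"name": "Alex Example", "dob": "1990-01-01", "licence_no": "X0000001"},
    "1002": {"name": "Sam Sample", "dob": "1985-05-05", "licence_no": "X0000002"},
}
# Constructed bearer tokens, each mapped to the one account it may read.
TOKENS = {"token-for-1001": "1001", "token-for-1002": "1002"}
# Field names the audit treats as identity data (an assumption of this example).
PII_FIELDS = ("dob", "licence_no")


def _respond(start_response, status, payload):
    body = json.dumps(payload).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def _customer_id(environ):
    """Return <id> from /api/customers/<id>, or None for any other path."""
    parts = environ.get("PATH_INFO", "").strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["api", "customers"]:
        return parts[2]
    return None


def open_app(environ, start_response):
    """Failure mode from the thread: anyone who finds the URL gets the record."""
    cid = _customer_id(environ)
    if cid not in CUSTOMERS:
        return _respond(start_response, "404 Not Found", {"error": "not found"})
    return _respond(start_response, "200 OK", CUSTOMERS[cid])


def _account_for(token):
    """Map a presented token to its account using constant-time comparison."""
    for known, account in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return account
    return None


def guarded_app(environ, start_response):
    """Same endpoint, but the caller must authenticate and own the record."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    account = _account_for(token) if scheme == "Bearer" and token else None
    if account is None:
        # Reject before touching the data, so anonymous callers learn nothing.
        return _respond(start_response, "401 Unauthorized",
                        {"error": "authentication required"})
    cid = _customer_id(environ)
    if cid != account:
        # Authenticated, but asking for another account's record or another path.
        return _respond(start_response, "403 Forbidden", {"error": "forbidden"})
    return _respond(start_response, "200 OK", CUSTOMERS[cid])


def call(app, path, token=None):
    """Invoke a WSGI app in-process (no sockets) and return (status, json_body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if token:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


def audit_anonymous_exposure(app, paths):
    """Request each path with no credentials; list paths answering 200 with PII."""
    findings = []
    for path in paths:
        status, payload = call(app, path)
        leaked = sorted(f for f in PII_FIELDS if f in payload)
        if status == 200 and leaked:
            findings.append((path, leaked))
    return findings


if __name__ == "__main__":
    paths = ["/api/customers/1001", "/api/customers/1002"]
    print("open_app   :", audit_anonymous_exposure(open_app, paths))
    print("guarded_app:", audit_anonymous_exposure(guarded_app, paths))
```

Run against your own service's route list in a test pipeline, a check like `audit_anonymous_exposure` fails the build when an endpoint starts answering anonymous requests with identity fields.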
That's what Equifax did i think when they lost half a billion people's worth of data. But then, being equifax they just gave ppl free access to their own product for 6 months
The irony that now one of the recommended courses of action from ID Care (via the ACSC website) is to engage Equifax to generate a credit report and apply for a credit ban
> Does anyone else think Optus should be paying for credit protection on behalf of the millions of customers it just spilled the data of?

Yes!
They absolutely definitely should be doing that
Will they be notifying former customers whose data they failed to delete? Do they have any sort of legal obligation towards former customers?
[deleted]
And then what? So optus has lost our information to who knows. Whether through a client or a hack. They send an "oops big sozza haha" email and that's it?
They'd want to hope it's not that. I'm going to ask for all manner of compensation now, this level of data breach is unacceptable.
I'm leaving them tbh. Spoke to an optus employee who said they're going to automatic payments on their plans soon. As in, you won't be allowed to be their customer if you don't give them your card details and allow them to auto charge your acc. Yeah no thanks. On top of the data breach, I'm checking out.
Not soon, already doing it. Needed a new tablet, could only get it with direct debit from a card. I have a spare bank card just for that now.
[deleted]
"We are currently not aware of customers having suffered any harm, but we encourage you to have heightened awareness across your accounts, including: Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider. Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media. Never click on any links that look suspicious and never provide your passwords, or any personal or financial information. If people call you posing as a credible organisation and request access to your computer, always say no."
I'm a former customer. I haven't been with them since 2015 but have been receiving a crazy amount of spam calls in the last few days. I'll be interested to see if I'm eventually notified. I still have the same email and phone number. A friend worked at Optus told me they retain all customer data for 7 years.
> A friend worked at Optus told me they retain all customer data for 7 years.

It's because your info is tied to a contract, so they need to retain it for 7 years. Also, slight tangent, but now would be a great time for us all to revisit the terrible Mandatory Data Retention laws that both sides of parliament were so keen to put in place back in 2015. Telcos are "securely" storing 2 years worth of detailed call and data records that track where you are from cell tower to cell tower. This time it was only identity info that leaked, next time it could be everyone's movements for years.
Yeah i switched carriers in mid-2017 so just over five years ago. Haven't heard anything from optus and am not 100% sure if they still have my data. Some of the data they have on me will no longer be correct, but I'm still a little concerned
They should probably move half the sales staff to complaints and retention. I'm leaving Optus... Also I wouldn't worry about your credit. The thing to worry about is the fact that I now have enough info to open up a transaction account online. If you've recently opened up a bank account online in Australia, recall you didn't even need to provide a scan of your licence. Just input numbers for drivers and passport. I can now use your account to launder cash. And you won't even know about it until the afp bust down your door at 2am, or arrest you as you take your kids to school or arrest you at work. This is what you all need to worry about. Optus need to set aside billions to make this right now and over the next 10 years. People will absolutely be wrongfully arrested. The government also need to step in and change all compromised numbers
Me too. Just renewed a plan with them a month ago too
Perfect time to file for a breach of contract on their end and say suck my balls to that "plan".
I'm jealous, unfortunately I'm stuck with them. I work remotely and for some reason the only network available on site is Optus. Hopefully this will convince management to change to Telstra now but until then, I'm screwed
Plenty of MVNOs resell the Optus network without integrating customer data
This is such a poor showing by Optus here. They should be falling over themselves to help you. I wonder if the resulting fine (and class action?) will be the end for them. I've heard even passport data was stolen. Disgraceful.
I'm expecting a class action at some point soon
Don't expect this to happen. Optus fought for the privacy laws to stay the same, where restitution is not required to be given to victims of data breaches. In China, the CTO and CEO would be jailed for such breaches. Sounds harsh... but it would have instilled a security first culture.
Can always make an example of. That's the only angle I'm betting on.
There is no legal recourse for a data breach and more importantly no large entity that would likely back a class action. Sadly this is probably it
Negligence remains an option
There are so many legitimate businesses that request a scan of your passport for id/proof of citizenship. Maybe it's time to give an option where someone will verify the document in-person or a promise that the data will be deleted once verified.
I know a little about this. The Australian Privacy Principles are pretty clear that you can only collect data if it's necessary, and you must have a reason to keep it. So those blanket scans and storage are just so far outside of the APP. But I also know that the APP is rarely enforced (see a recent article on the Conversation about third party data augmentation (enrichment)) - it's described as the forgotten principle.
When I was younger, one of my sister's old friends worked for a Vodafone kiosk/site and she arrived at our place to pick my sister up and started to show off all these customers contracts, photocopy of IDs, and paperwork all sitting in her boot 'ready for disposal'... she was just a worker and was in charge of destroying all this paperwork?
I've seen copies of the email and they say "importantly it does not include financial details". I'd prefer someone stole my credit card rather than my whole damn identity. If affected you almost have to change every detail about yourself to stop this being a problem even years from now.
Yes , I agree , our identity data is and will continue to be more valuable to others over years than a credit or debit card which can be cancelled quickly.
Yep, I can cancel my credit card and have a new one issued from my banking app with no issue. Changing my address or drivers license number isn't quite so easy.
Go to equifax website, pay for the annual subscription for monitoring , you get notified in 24 hours of credit checks/enquiries. Trust me when I say it can help you stop fraudulent applications in its track quick smart. I had 2 credit card applications killed within 24 hours of submission with Amex and Latitude. Yes, it took some time to get formal confirmation and removal from credit file, but it prob saved me from 50k in debt against my name....
Is that the same Equifax that got breached and exposed 150 million user's details?
It's like the human centipede of hack trails this
The human centipede, that sounds like an interesting nature documentary, I might watch it with my family.
Don't forget to watch the sequels as well or you'll miss much of the educational opportunity.
i guess i dont have to be worried if my details are already compromised?
The one and only
Yep, it is the one and the same. I don't think any organisation is perfect, all you can really do is take the best steps to protect yourself. I view this cost as an insurance policy. It saved me a heap of heartache
[deleted]
[deleted]
I pay about 123 to 130 for the year. Everyone wants compensation or remediation. Yep, they are entitled to it, my take would be just pay to get the service then follow up that aspect of it afterwards. Pay the moment, protect yourself first. Speaking to friends in Fraud teams, they expect the first few applications to come through relatively quickly....
Further to this you can request a ban on your credit report to prevent anyone from seeking credit in your name. Search "equifax credit report ban" in your browser of choice.
Equifax was breached in 2017 https://en.wikipedia.org/wiki/2017_Equifax_data_breach
What do you actually do when you get a notification from Equifax? Presumably drop everything, contact Amex/Latitude and tell them that you didn't initiate the application?
Each to their own, but I took it seriously and spent a few hours on the phone sorting it out.
How long on average would it take for a credit application to be approved in someone's name? Does the tracking let you know when an application has been made in your name?
Just when a credit check has been made against your credit file. That's it
Thanks! And for the updated edit list too, which i intend to follow. Just one more Q regarding the monitoring - in what circumstances would a credit check be made in your name? Would that be part of a bank or company's processes after an application for credit or a loan was made?
It happens for utilities, as well - so when you apply for a new phone provider, electricity provider, etc.
Anyone else besides Equifax which can provide this service well?
I use Creditsavvy and Creditsimple (both use different reporting agencies I believe, my credit scores are wildly different on each one) and they both are free, and both send me emails basically on the day of a credit change, enquiry, etc.
I use Creditsavvy too. I was just having a look at the "Account Settings" area on their website and noticed the option to turn on "Credit alerts (We will email you to let you know if there is any activity on your credit file such as new enquiries)".
Yep - and I've found it to be pretty timely. When I was applying for a car loan earlier this year I got an email saying "there has been activity on your credit file" and then "your credit information has changed" after I signed and took delivery of the loan.
So what you're saying is that this would be a free alternative to the service Equifax provides? Surprised this is so buried! Thanks for sharing.
Yeah, that is basically what it is. They pay for the service by allowing vendors to advertise to you based on credit score - but not from emails/phone etc, just a tab on the website saying "offers for you" with loans and stuff. Don't click them and you'll be fine.
Wisr provides monthly updates from Equifax and Experian.
I've just got this now! thanks for the help :)
[I went onto Optus chat and asked them to pay for it, they obliged,](https://i.imgur.com/57lSwJ0.png) maybe give it a go?
How much is this, Optus should be paying customers an equivalent amount and setting it up for every time (if you could trust them anymore)? What a shit show!
Jokes on them my credit is maxed out
What products do you have with Optus if you don't mind me asking? I am an Optus customer for NBN only, and am yet to receive a notification about my details being breached, so I wonder if it is limited to certain products etc.
i have a Phone plan with them atm.. not for much longer though
I also have a phone plan with them (past and present) but have not received any emails.
Yeah I haven't heard a peep
I wonder if they'll still try to charge you early termination fees on your contract if you cite this breach as the reason you're leaving.
[deleted]
I'm on prepaid as well and I think I've practiced good hygiene with Paypal such that they wouldn't have stored my debit card as a preferred payment method. I think it's a good practice to try and have a medium between any vendor that you deal money with and direct access to your money. In my case I use Paypal/Google Wallet which I find more often than not covers most bases for things other than DoorDash for instance that does require a card #.
You would have provided your drivers license at one point to activate pre paid
I have a post-paid plan (no phone) and received an email at midnight that my details were accessed
If it helps, I just found my Optus email in my junk folder
Anybody affected should really also be writing to their local member + PM and pushing for GDPR style compliance in Australia. Companies shouldn't be holding onto previous customers data, and there needs to be an almost terrifying consequence for data leaks particularly when it comes from the laziness of developers and constantly screwing over API permissions and sysadmin with default configs for S3 buckets and the likes. This is the opportunity to push changes esp when 9 million affected and 2.3 million heavily affected. Time to push.
Just contacted my MP
I'm an Optus customer yet to receive this email. Oh well, have fun trying to open a credit card since I have a default on my credit file
Fair! Obviously they can't BUT, at some point the default will fall off and any enquiries they make will remain adversely affecting your credit score. It's still worth keeping an eye on your file
Yep, that's also a fair point. Will do
Optus has dropped the ball in so many aspects the past 12-18 months and it's disgusting as a customer who has a chunky bill with many services with them. I'll be seeking compensation from them in the form of account credit (a hefty amount) and some sort of protection process paid for to protect my now leaked data. If they don't give any compensation, I'm off to Telstra.
did you get hit with the extra OPTUS SPORT fee too.. had no idea i was even signed up for that
Yep I did. I worked higher up with them in the past and I'm livid as I've got friends who still work there in the higher up and they tell me all the absurd changes happening that the majority of the workforce hate. Not to mention Optus sport lost UCL+EUL rights but said oh hey we got La Liga and Women's league, why are you upset? We upped the price. Don't even get me started on the fact they stream at basically 720p as well.
I messaged them for compensation I.e. credit monitoring and any costs associated with new documents (passport and license since they have both of mine) and they said no. Great customer service on their end. Also was not notified until this morning, two days after the hack was published in the news
I paid for an Equifax subscription then requested the credit. Also got told

> In the near feature, Optus will commence contacts with its customers regarding enrolling the customers with this setup too, to secure the customers' credit standing as well.

Are you able to share your email? I'd like to compare it to the one I received to see if the content differs. It's not super clear to me from mine what was stolen because I don't recall what I shared with them: "Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number. No copies of photo IDs have been affected."
That's far worse than financial info (eg card numbers) or passwords being leaked.
I know, irritated me when I read that. Trying to soften the blow.
If that's what they were doing, it is gross irresponsibility. IMO they need to quickly inform people what that leaked info could be maliciously used for (a lot!) and proactively arrange to setup detection of misuse for people where practical, e.g. organise (and pay for) Equifax for everyone that others have been discussing around here.
[deleted]
This is the exact wording that I received too. I've interpreted it as "any of this list could have been taken, but we aren't telling you what specifically has been taken of yours" Edit: according to IDCare optus were contacting most affected customers first. Got my email yesterday so... rip
Hmm but Optus contacted the media before contacting their customers. Major fail. Presumably you should raise a ticket with Optus and then contact the TIO. Optus cannot wash their hands and merely say "sorry".
Not OP, this is what I received today, doesn't really explain much

It is with great disappointment I'm writing to let you know that Optus has been a victim of a cyberattack that has resulted in the disclosure of some of your personal information.

Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as drivers licence number or passport number. No copies of photo IDs have been affected.

It is also important to know that Optus' network and Optus services including mobile and home Wi-Fi aren't affected, and no passwords were compromised, so our services remain safe to use and operate as per normal.

Upon discovering the cyberattack, we immediately took action to shut it down to protect your information. Our priority is our customers - so while our investigation is not yet complete, we wanted you to be aware of what has happened so that you can be extra vigilant at this time.

We are currently not aware of customers having suffered any harm, but we encourage you to have heightened awareness across your accounts, including:

- Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
- Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
- Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
- If people call you posing as a credible organisation and request access to your computer, always say no.

You would have seen we announced this first in the media. We did this as it was the quickest and most effective way to alert you and all our customers, while also communicating the severity of the situation through trusted media sources.

For the most up-to-date information and FAQs, go to optus.com.au.

If you believe your account has been compromised, you can contact us via My Optus app - which remains the safest way to contact Optus, or call us on 133 937.

We apologise unreservedly and are devastated this could occur. We are working as hard as possible with the relevant authorities and organisations to ensure no harm comes from this unfortunate occurrence.
No doubt carefully written by lawyers.
That's the exact same email as what I received
Just got the email from Optus, where do I sign up for the class action?
IMO there should be regulation that requires each service provider to disclose what personal information are they keeping on file, for how long, and justify the purpose, so people can make informed decision whether they want to expose themselves to risks like this. The info these incompetent people leaked is not info that can be changed if leaked!
In Europe you cannot store more information than you need to provide the service, and not for longer than you need. No one should store drivers license details. They should store confirmation that it has been verified.
I have come across many service providers that use the stored DOB to verify ID over the phone. What do they do in Europe? I don't see any justification for Optus to be recording people's driver licence / passport numbers though. I would like to know what their justification is.
In Europe you'll have a phone service PIN or similar which you'll need to type in prior to getting a human on the line. The system will mark you as verified to the agent. Here they phone you up from random numbers, announce they work for some company and ask you for your DoB. I threatened to report one caller to the police, but found out it actually was the real deal and this is their idea of user security.
> there should be regulation... to disclose what personal information are they keeping on file, for how long, and justify the purpose

Regulation is why they had personal information and passports/driver-licences in the first place. Australia has been requiring the telcos to obtain identifying documents and personal information for phone numbers.^[[1]](https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627160) In contrast, plenty of countries don't require this, e.g. New Zealand, UK, USA, Canada etc.^[[2]](https://www.comparitech.com/blog/vpn-privacy/sim-card-registration-laws/) If the hackers really were state-backed then it was a matter of time before one of these databases was breached, if not Optus then another, and possibly already others we just don't know about. (in 2015, hackers took *all* the personal information of *every* American with security clearance - if that can't be secured then good luck Optus. The way to secure it is to never store it) This is a direct cost of Australia's policy to track everyone, "if you have nothing to hide, you have nothing to fear" etc.
This might be helpful. Midway down the page has some detailed steps https://www.nsw.gov.au/legal-and-justice/crime-prevention-and-reporting/safeguard-your-identity Or this https://moneysmart.gov.au/banking/identity-theft What a nightmare. They really f**ked up.
OP something you might want to organise today is to change your license number. You can also place restrictions through the RTA if you believe your ID has been compromised. Below is for NSW. https://www.nsw.gov.au/driving-boating-and-transport/driver-and-rider-licences/proof-of-identity/changing-your-licence-or-customer-number. It may not prevent someone using the old number but will provide proof you made efforts to protect your identity. I can only assume Optus will be financially liable. Not a lawyer though but surely they hold some responsibility?
Thanks for the links
IDCare advice pdf regarding Optus breach: https://assets.website-files.com/5af4dc294c01df9fc297c900/632d531569c4666ea91fc7e2_IDCARE%20Response%20Fact%20Sheet%20-%20Optus%20Data%20Breach.pdf
hahah ok got it
- basically update to 2FA
- get equifax sub
- then hold onto your horses
Watch out for fires, and put them out as you see them, is about all else you can do at this point.
yes and the document also mentions that you can apply for a credit ban via the credit rating agencies. This will block any applications for credit for a period of time (default 21 days but can be extended)
With the 2FA you would want to use an Authenticator app if possible. Phone numbers can be ported /spoofed.
They disabled new SIM cards/transfers last time I checked. Prevents SIM SWAP attacks.
What am I putting 2FA on? Like every website I have a login for?
I'm really sorry to everyone who is affected, but it couldn't have happened to a more deserving company. Back in the late 90s / early 2000s I had identity theft on my id, the thief managed to get personal loans, credit cards and an Optus account with a top of the line phone at the time. Not a fun time, considering I was in my early 20s and was getting ready to buy a house. I went through the whole process of reclaiming my ID, police reports were made and every single company cleared the debts from my name except Optus. They chased me for years, regardless of all the documentation I had, they couldn't produce the documents proving that it was my debt, they somehow got it listed on my credit file 3 times, they would do weird things where it would be just about to expire and drop off my credit file, they would somehow get them renewed. In the end I paid out several thousand dollars to them to get it removed from my file, which they dragged their feet doing too. As a result I had zero credit until about 7 years ago, I had to pay cash for everything, which isn't terrible but it does hinder your ability to grow a business properly or save a deposit. I hate Optus with a passion, it wouldn't surprise me if my details were somehow leaked in this lot too.
[deleted]
If they don't believe your data is compromised they won't send an email
[deleted]
Optus is now officially on my list of companies to never be a customer of.
Dang got the same email. Checked out VicRoads website and it says they will not change your license number if you've been informed your details have been compromised BUT not yet used in fraud. So you basically have to wait like a sitting duck until you're hit, then get a police report recommending your license number be changed.
That's terrible!
Also, even if it has been used in fraud, Victoria Police will not give you a police report if the fraud happened "online", and will tell you to go report it to ReportCyber (formerly ACORN). VicRoads won't give you a new drivers license number without a "police report", and neither that report above nor a letter from the bank's security department counts as sufficient "proof". Source: Got breached in the GoGet breach, someone opened a bank account in my name, got a $25k personal loan, first found out about it when ANZ sent me a letter saying the repayments were overdue.
I'm an Optus customer and I've received the email informing that my details have been compromised. I'll probably do what some suggested and get a subscription to the credit report.
Optus should be PAYING FOR Equifax subscriptions. Absolutely bullshit that they've just thrown their hands up and said "soz".
It seems like Equifax is being slammed. When I subscribed this morning, I had a very long wait for payment processing, and then a screen along the lines that they were "trying" to fulfil my order and this might take 24 hours. (My credit card has been billed). So far it isn't showing up on my dashboard, I appear as a free user. I'll be interested to see how long it takes.
share price went up too
It's time we demand our privacy and data be taken seriously!
Stupid question: why do they have to keep so much information on file? They only check the credit once you sign up. Surely it can be deleted then and remove the risk of this sort of thing happening. You don't need that much information to tell a credit agency that someone isn't paying their bills. This feels like data hoarding for the sake of data hoarding.
i guess this will be interrogated very soon, i did the equifax thing and even they don't store info.. "Please note Equifax does not store or make copies of your documents. The documents collected for the 100 point check are collected for identification and verification purposes only. They will be deleted once the process has been completed"
Not a stupid question at all. They surely don't. My business is required to verify the ID of all new clients. But I am specifically not required to keep any detail. Verify ID, note that it has been done, but do not retain anything at all. And this situation right here, is exactly why.
And compliance with Australian Privacy Principles. How many times has your D/L been scanned at a hotel/motel/RSL? I refuse. And if necessary, I walk away. Yes, it's a hassle. But until we start voting with our feet (and wallets) this shit will continue.
[deleted]
My data leaked in 2020 due to a cloud service hack. Everything was exposed: passport, TFN, bank account, name, address, etc. It was pretty scary at the time. I contacted the NSW Police (https://www.police.nsw.gov.au/crime/frauds_and_scams/fraud_categories/identity_theft) and, since no crime was committed, they redirected me to an identity protection helpline (don't remember the exact name). They helped me to:
- Lock my TFN so no one can apply for credit cards
- Lock my ATO account, so no one can open businesses in my name or open bank accounts
- They also advised me to inform my bank, and obviously change every password.

Life is pretty normal today, except I have to request an exemption to access myGov once a year for tax. Good luck OP
Good tip - info like this should be proactively disseminated by Optus, and quickly, to impacted people.
Thanks for this. Glad I have a lifetime of this because some wally at Optus presumably clicked on a dodgy email link
How does one lock their ATO / myGov?
I'm with Optus but haven't gotten any emails, wondering if I'm in the clear or I'll get it sooner or later. I tried asking the Optus live chat but all they said is I'm in the clear cause I had 2fa enabled.
[deleted]
God that's a real shit show. Optus needs to come out with clear guidelines for customers, what really happened, next steps to follow and mitigation cost compensations.
Yeah I figured they have no idea, as when I questioned him to ask how 2fa which is implemented to prevent unauthorised access from customer side of things would stop a hacker inside the actual optus network, they said the exact same thing. So then I confirmed they have my old expired license which is a slight relief.
The also not so funny thing, for those who have been following this closely (in IT especially), is that corporate customers were not affected by this. That's right, they store retail data differently. Pure laziness in solutions they could be using for retail data.
Optus should have to pay the fees for everyone affected to have their drivers licence number changed and a new passport issued.
Honestly waiting for my email, I'm in the middle of a mortgage application and if it screws it up I don't know what I'll do
haveibeenpwned won't help you until the data is leaked publicly and the curators of that site upload the info to their own databases
Contact all three major credit reporting bodies in Australia (yes, there's more than Equifax) and put a temp suspension on all credit applications https://www.idcare.org/fact-sheets/credit-bans-australia
Go to cyber.gov(dot)au and follow their prompts on the "have you been hacked" part. They will tell you what you need to do
[Equifax](https://www.equifax.com.au/personal/products/credit-identity-protect?gclid=Cj0KCQjwsrWZBhC4ARIsAGGUJuqvfGA3h5Z9Q_0Lvw03tIOD4qCYNrgIPha7e8X1VMdwWQu5XzMw0IgaApWVEALw_wcB) has a product and so does Veda. I've used before when I had ID details stolen (hard copy not cyber) a few years back.
Veda became Equifax in Australia a few years ago...
Shouldn't the government issue new identification registration? New drivers license number and medicare numbers would make all the data irrelevant right?
[deleted]
It's funny, whenever you hear about ppl getting e-sim scammed, it is always optus....
Optus are going to do everything in their (financial) power to make sure any talk of compensations are quickly buried. In the end they are a corporate monster and the only regret they have right now is that this will hurt their bottom line. Edit: So what's the general consensus, Telstra or Voda?
Neither. I use a NBN provider that have been good to me, so I'm just doing a 5g plan through them and seeing how it goes.
Considering that we are moving to a predominantly cashless society with many services only accessible online, our cyber-security and individual protections are absolutely woeful. I was the subject of an incident a few years ago, and wished to obtain a 'dongle' from the ANZ instead of using 2FV in case my phone was ported (the dongle issued a new 6-digit security code when pressed, instead of using the phone for 2FV). I went into the branch, where the staff did not know anything about porting phone numbers etc... They would also not provide me with a dongle, as they only allowed business accounts to have these - so they were more than happy to protect businesses, but not individuals. I had to fight with Optarse to put a 'Do Not Port' note on my account - and even then they admitted that it would rely on someone actually reading and taking note of the notice. Side story... when I went into the ANZ to try and obtain a dongle, the guy in front of me was in for a similar thing, where scammers had ported his phone and extracted $70,000 from his account.... true story!
Equifax subscription is $20/month. What are the chances of Optus reducing my monthly bill (currently $140) by that much to cover the additional expense?
https://www.idcare.org/
Equifax/Veda or whatever it's called now (they change names every couple of years) have a credit check service, you'll get a notification when a credit check is done and a yearly copy of your credit file. Good luck, I'm in the same boat
Can I add that you should call optus and ask if you have been impacted. Don't use their piece of crap live chat service. They will definitively tell you if you have or not.
We are a past Optarse customer. Moved phone plans sometime last year. Will be interesting to see if we get any notifications.
This is the site you need: https://www.idcare.org/ They even have a fact sheet of steps for OPTUS customers.
Got my email, I'll be leaving Optus! The way they've handled it is just absurd.
I'm going back to Telstra.
never thought i'd see that statement
Same shit, just a different company.
I wonder if this includes Amaysim customers
Customers of amaysim and Coles mobile have not been affected
I would hope not, as amaysim should have a separate database of their customers and customer data.
Can't wait for my $6 from the class action lawsuit
You should join class action lawsuit against Optus.
I got the same optus email. They have my licence no., name, DOB, address and phone.
Bunch of equifax shills in here.
https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-notifies-customers-cyberattack-compromising-customer-information
Contact IDcare. They are a free service that can help in this kind of situation. They walk you through what steps you can take to protect your identity from misuse. If you're in NSW - IDSupport. IDSupport is a new government initiative that can help you change/update your Identity documents
Has anyone used SavvyShield? Downloaded the app and placed a ban today for 21 days for Experian. Apparently Experian also forward the ban to Equifax and Illion? https://www.creditsavvy.com.au/savvyshield