The cyber-attack on Optus has left millions of customers with questions about what will happen to the private data that hackers may have obtained, and how they can protect themselves from identity fraud.
Optus announced on Thursday that hackers had obtained data including customers’ names, dates of birth, phone numbers, email addresses, and some customers’ home addresses and ID document numbers such as driver’s licence or passport numbers.
If you are an Optus customer, this is what you need to know.
How do I know if my identity has been stolen?
Optus began contacting customers affected by the breach on Friday afternoon. If Optus has emailed you directly to say your information may have been affected, then identity theft is a risk.
It is not known yet who has the data, where they might use it, or if they have used it yet.
The website haveibeenpwned.com is very good at tracking whether your personal information has appeared in a data dump, but we have not yet seen signs that this data has been dumped anywhere online.
Another sign is if you begin receiving suspicious emails requesting your personal information, or notifications that you have been signed up to services you have never used.
What can criminals do with my data?
The stolen data can be used to create new accounts in your name with other businesses, where criminals might rack up debts or do other things that can be traced back to you.
This information can also be used to try to crack into your existing accounts, like your bank or email account. Those accounts may have other security measures such as two-factor authentication, which provides a level of protection, but it’s still advisable to change your passwords.
How can I protect myself from future data breaches?
Unfortunately, data breaches like this are becoming an almost daily occurrence, albeit not on the scale of this Optus breach. The best way to protect yourself is to limit the personal information you provide to companies to what is absolutely necessary.
If you are concerned that a company may be keeping your data unnecessarily, you can ask it to destroy the data under the Australian Privacy Principles, but there is no requirement for it to do so unless it considers that the data is no longer required.
Why do I have to change my banking and email passwords?
This is just a basic precaution. If you did not reuse those passwords anywhere else, and you are sure they are still secure, you are probably safe for now. If you are worried the attackers might use the other information they hold to try to get into those accounts, make sure you have two-factor authentication set up. Where the service allows it, use a non-SMS method such as an authenticator app like Google Authenticator, as this is more secure than codes sent by text message.
Has Optus broken any laws?
Optus has not yet provided clear answers on how the data was obtained, or whether it was stored insecurely. As long as Optus can demonstrate that it actively took steps to protect the data, it would not be in violation of the Australian Privacy Principles.
It will be up to the privacy commissioner to determine whether Optus did take reasonable steps to secure the data.
Can I get compensation from Optus?
There is no legal protection for customers when this kind of breach occurs. Optus may at some point offer compensation or access to other services like IDCare, which supports people who have personal cybersecurity concerns, but it is under no obligation to do so, and has not yet said whether it will.
The Optus chief executive, Kelly Bayer Rosmarin, told reporters on Friday that the company had been engaging with IDCare, but that, given the scale of the breach, it was not clear whether IDCare would be able to effectively support all affected customers.
Why does Optus store passport and licence information?
Optus said it stored the data including passport and licence numbers for up to six years as required by Australian law. Companies need to keep a record of licence and passport numbers in order to verify the identity of a customer when they sign up for a new mobile service.
The attack is likely to spark debate about whether asking companies to retain this data for longer than is required for immediate identity verification is an acceptable risk.
The federal Attorney-General’s Department is already in the process of finalising a report recommending changes to Australian privacy law, in part to deal with the growing amount of information companies collect about people online. That report is due out before the end of the year.
As part of that review, Optus argued against giving people a right to request their data be destroyed. The company told the review there were “significant hurdles” to implementing such a system which would come at “significant cost”.
Optus also opposed changes to the Privacy Act to allow individuals to take direct action against companies for privacy breaches.
Should I change my mobile/broadband provider?
You can, and it is likely some Optus customers will. But changing providers will not protect you from the risks of having been exposed in this particular data breach, and there is no guarantee other companies would not also experience a data breach.
Ultimately, it is a personal decision about who you trust with your data.