Cybercriminals may have gained access to the identity details of millions of Optus customers, in what may be one of the most significant data breaches in Australia.
The telco and authorities are now investigating the breach, while customers are being advised to change their online passwords and monitor all accounts for unusual activity.
So what do we know so far, how did it happen and how can you protect yourself from this kind of data breach?
What happened in the Optus data leak?
Optus confirmed on Thursday that users’ names, dates of birth, phone numbers, email addresses, driver’s license numbers, passport numbers or addresses may have been accessed as a result of the serious breach.
This could affect any user who has been with the company since 2017.
The scale of the attack is still being assessed, but Optus said up to 9.8 million customers may have been affected.
Optus said user payment details and account passwords were not compromised, and that it is working with the Australian Cyber Security Centre to limit the risk to current and former customers.
The Australian Federal Police, the Australian Information Regulator and other key regulators have also been notified.
Scamwatch has advised Optus customers to protect their personal information by changing their online account passwords and turning on multi-factor authentication for banking services.
Affected customers were advised to place limits on their bank accounts and monitor them for any unusual activity.
Who is behind the attack and why is it a concern?
Optus chief executive Kelly Bayer Rosmarin said the telco did not know who was behind the hack or their motivations.
“This specific one [cyber attack] is unlike anything we’ve seen before, and unfortunately, it was successful,” she said.
“It is too early to rule out any possibility. That’s why we keep it all open – it could be criminal and it could be state actors.”
Australian Consumer and Competition Commission deputy chair Delia Rickard said the cyber attack was extremely worrying because of the amount of personal information the fraudsters were able to access.
“That’s all you need for identity theft and all you need to personalize the scam and make it that much more convincing,” she told Nine’s Today program on Friday.
Ms Rickard said any Optus customers who suspect they have been the victim of fraud should request a freeze on their credit records and be very skeptical of any unexpected calls from people purporting to be banks or government agencies.
Troy Hunt is a security specialist and the creator of Have I Been Pwned, a service that aggregates data leaks to help users check if their data has been compromised.
He told SBS News that there was not yet enough information to give any indication of how the attack might have happened.
“We also haven’t seen any technical details, so we haven’t seen any details about what it was, what went wrong, how it could have gone wrong, and so it’s very difficult for us to make any conclusions about whether it was negligence on the part of Optus or they were just very sophisticated hackers,” he said.
How can you protect your data?
When it comes to protecting your digital privacy and personal data, then recommends setting strong passwords and multi-step authentication whenever possible.
It also suggests updating your apps and systems regularly to keep you up-to-date with security updates, and backing up your files on external devices in case your accounts are ever hacked.
Using browsers with enhanced security settings and disabling browsing history and cookies may also be helpful.
Mr Hunt also recommends using services such as identity theft protection, whose providers can monitor whether someone is trying to impersonate you to apply for things like financial loans.
What are cybercriminals doing with your data?
In addition to identity theft or attempts to access finances, Mr Hunt says this type of data breach can also lead to targeted phishing.
Phishing is a type of attack in which a criminal impersonates a trusted person or business in order to trick a victim into clicking on a malicious link or revealing sensitive information.
Mr Hunt also says this type of data breach could lead to access to private information and messages.
“The financial one is kind of the obvious one, and even if people say they don’t have money, everybody has a point where some degree of financial compromise hits them and it hurts,” he said.
“The whole invasion of privacy thing is also another big part of it: how would you feel if someone was reading your email, if they were reading your private messages to your loved ones, how would you feel if it was your children’s data which was public to other people?
“The thing about privacy is that it’s very personal, we all have different tolerances, and it’s very difficult to get it back when it starts to be compromised by data breaches.”
How do you know if your data has been hacked?
There are several signs to look out for and ways to check if your data has been compromised.
Mr Hunt says his website is just the “tip of the iceberg” of ways to monitor whether your personal information may have been compromised online.
“We want to look for any requests for money, any requests from parties that you may not recognize or parties that you may know but are communicating in a strange way,” he said.
“And realizing that whether it’s the Optus data breach or the thousands of other data breaches, a huge amount of our personal data has been leaked through security breaches … but a huge amount of our personal data has also been stolen by being deliberately tracked by us through things like social media.”