Australia’s second-largest telco, Optus, has suffered a massive data breach, with the personal information of potentially millions of customers compromised by a malicious cyber-attack.
It is believed the attackers were working for a criminal or state-sponsored organisation.
The government’s Scamwatch, run by the Australian Competition and Consumer Commission, said: “If you are an Optus customer, your name, date of birth, phone number, email addresses may have been released.”
“For some customers identity document numbers such as driver’s licence or passport numbers could be in the hands of criminals. It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm.”
How many people are affected?
On Thursday Optus could not reveal how many of its 9.7 million subscribers in Australia had been compromised, but its chief executive, Kelly Bayer Rosmarin, said the number was “significant”.
“We want to be absolutely sure when we come out and say how many,” she told the ABC’s Afternoon Briefing.
“We’re so deeply disappointed because we spend so much time and we invest so much in preventing this from occurring.
“Our teams have thwarted a lot of attacks in the past and we’re very sorry that this one was successful.”
What information was taken?
Optus confirmed that customers’ names, dates of birth, phone numbers and email addresses may have been exposed.
Street addresses, driving licence details and passport numbers of some customers were also accessed.
Optus said payment details and account passwords had not been compromised and its phone services remained safe to operate.
The Office of the Australian Information Commissioner (OAIC) warns that only a small amount of information is needed to compromise a person’s identity.
“Your identity can be stolen if a thief accesses your personal information, including from any document that contains information about you,” the OAIC website says. “Even if a thief only accesses a small amount of your personal information, they may be able to steal your identity if they can find out more about you from public sources. This includes social media accounts which may include your date of birth, photos and information about your family.
“Identity fraud can result in someone using another individual’s identity to open a bank account, get a credit card, apply for a passport or conduct illegal activity.”
How do I know if I am at risk?
Optus has said it will contact any customers it believes are at heightened risk of being compromised, sending personal notifications and offering third-party monitoring services.
Customers who believe their data may have been compromised, or who have specific concerns, were asked to contact Optus through the My Optus App (the company said this is the safest way to interact with Optus), or by calling 133 937.
Optus said it would not send links in any emails or SMS messages. Users should never click on a link purporting to inform them their personal information has been compromised.
What should I do to protect my details?
Scamwatch has advised Optus customers to secure their personal information by changing online account passwords and enabling multifactor authentication for banking.
Affected customers should also place limits on bank accounts, monitor for any unusual activity and request a ban on credit reports if any fraud is suspected.
“It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm,” Scamwatch said in a statement.
“Scammers may use your personal information to contact you by phone, text or email.
“Never click on links or provide personal or financial information to someone who contacts you out of the blue.”
What is the government doing to help?
The home affairs minister, Clare O’Neil, said the Australian Cyber Security Centre was providing advice and technical assistance to Optus, and that Australian companies and organisations were being consistently targeted by cybercriminals and hostile nations.
O’Neil said: “All Australians and Australian organisations need to strengthen their cyber defences to help protect themselves against online threats.”
The minister advised people concerned they may have been a victim of a cyber-attack to visit cyber.gov.au.