Optus cyber-attack leaves customers feeling ‘powerless’ over risk of identity theft

Account holders say they are ‘angry’ personal data including addresses and phone numbers was exposed while some say they are yet to hear from telco

Optus customers caught up in a cyber-attack that may have exposed the personal information of 9.8 million people say they are angry and concerned about having been exposed to the risk of identity fraud.

Emails from Optus to customers caught up in the data breach began landing in people’s inboxes about 4pm on Friday, roughly 24 hours after the attack was first reported.

The messages, addressed from the Optus chief executive, Kelly Bayer Rosmarin, were labelled as an “urgent update from Optus about your personal information” and began with Rosmarin expressing her “great disappointment” about the data breach before outlining what information had been taken – and what had not.

“Importantly, no financial information or passwords have been accessed,” the email said. “The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as driver’s licence number or passport number. No copies of photo IDs have been affected.”

The email said Optus was “currently not aware of customers having suffered any harm” but offered a checklist for people to follow to protect themselves. This included suggestions to “look out for any suspicious or unexpected activity across your online accounts, including your bank accounts” and to “never click on any links that look suspicious”.

The email offered a contact number for customers to call with any concerns, but did not offer any way for Optus to be contacted in writing or a means to lodge a complaint with the company.

Some customers who thought they might have been caught up in the breach but had not received a letter on Friday said they had to call the company to confirm their information had been stolen.

I am affected by the breach, but I have not been contacted by Optus at all. I only found out by contacting them to ask them directly. Have not even had an email telling me that a breach OCCURRED.

— Belle Belle (@bellebelle) September 23, 2022

Others who did receive the email said they were angry about what they described as a “condescending” effort at damage control, and frustratedthat they now have to spend time protecting themselves after Optus’ mistake.

Alistair Roberts, an Optus customer and IT professional, said he was a “pretty angry customer”.

“Optus sent me my bill yesterday, but couldn’t get around to informing me I’d been part of the hack,” Roberts said.

“And the letter was terrible. Put the onus back on customer to check everything. Then just a number for a call centre that no doubt is flooded.”

The Optus 133 937 customer service number has a recorded message saying they'll be 'reaching out' to customers whose data has been subject to unauthorised access.

While we wait, it would be good to know how long Optus keeps former customers' data. 1-2 years? Longer?

— Lady Raven (@kity_katz) September 23, 2022

Another customer, who wished to remain anonymous, said their work had required them to maintain a number of “burner phones” over the years and they were now “freaked out” about what information has fallen into the public domain and who may have it.

“There are people who I really don’t want to know where my front door is,” they said. “How do I get one of those shell corporations to give me a new identity to hide behind?”

But they said the responsibility ultimately lay with the government for requiring corporations to collect so much data in order to access a basic necessity of modern life.

“It’s such a lazy, clumsy policy,” they said. “We’re so powerless.”

Electronic Frontiers Australia chair, Justin Warren, said that while Optus was ultimately responsible, the government bore some responsibility for the breach because of laws that require large troves of personal data to be collected by telecommunications companies.

“Government needs to stop passing laws that require government agencies and corporations to collect private information they can’t keep safe and secure,” he said.


Royce Kurmelovs

The GuardianTramp

Related Content

Article image
Optus cyber-attack: company opposed changes to privacy laws to give customers more rights over their data
In its submission to Privacy Act review telco said giving people right to erase personal data would involve ‘significant’ hurdles and costs

Josh Taylor

23, Sep, 2022 @8:00 PM

Article image
Optus cyber-attack could involve customers dating back to 2017
CEO says company has not yet confirmed how many people were affected by hack, but 9.8 million was ‘worst case scenario’

Josh Taylor

23, Sep, 2022 @3:04 AM

Article image
Customers’ personal data stolen as Optus suffers massive cyber-attack
Personal information of potentially millions of customers exposed, including names, dates of birth, addresses, and contact details

Ben Doherty

22, Sep, 2022 @5:14 AM

Article image
Guardian Essential poll: one in two Australians want stronger privacy laws after Optus breach
Survey finds 51% of respondents support restrictions on amount of data private companies can collect and 47% are worried about governments harvesting personal information

Katharine Murphy Political editor

03, Oct, 2022 @4:30 PM

Article image
Optus tells former Virgin Mobile and Gomo customers they could also be part of data breach
Identification repair service receives a month’s worth of complaint calls in three days as government pressures telco to pay for replacement ID documents

Josh Taylor

29, Sep, 2022 @5:32 AM

Article image
Optus cyber-attack: how do you know if your identity has been stolen and what will happen to your data?
If you are an Optus customer, this is what you need to know

Josh Taylor

23, Sep, 2022 @8:00 PM

Article image
Singtel confirms 2020 data breach after cyber-attack on Optus
Parent company of Australian telco says that the personal data of 129,000 customers and 23 businesses was obtained in a cyber-attack two years ago

Josh Taylor

10, Oct, 2022 @3:00 AM

Article image
Anthony Albanese says ‘Optus should pay’ for new passports for data breach victims
Push comes day after states suggest telco will pick up multi-million dollar tab for replacing driver’s licences of affected customers

Josh Butler and Ben Butler

28, Sep, 2022 @9:57 AM

Article image
Optus reveals at least 2.1 million ID numbers exposed in massive data breach
Telco says 150,000 passport and 50,000 Medicare numbers have been stolen as it announces independent review

Josh Taylor

03, Oct, 2022 @3:50 AM

Article image
The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle
Government says telecommunications giant ‘left the window open’ for unsophisticated attack that could lead to European-style privacy laws

Tory Shepherd

30, Sep, 2022 @8:00 PM