Optus cyber-attack: how do you know if your identity has been stolen and what will happen to your data?

After a massive data breach potentially exposed the personal information of millions of people, there are a lot of questions. If you are an Optus customer, this is what you need to know.

The cyber-attack on Optus has left millions of customers with questions about what will happen to the private data that hackers may have obtained, and how they can protect themselves from identity fraud.

Optus announced on Thursday that hackers had obtained data including customers’ names, dates of birth, phone numbers, email addresses, and some customers’ home addresses and ID document numbers such as driver’s licence or passport numbers.

If you are an Optus customer, this is what you need to know.


How do I know if my identity has been stolen?

Optus began contacting customers affected by the breach on Friday afternoon. If Optus has emailed you directly to say your information may have been affected, then identity theft is a risk.

It is not known yet who has the data, where they might use it, or if they have used it yet.

The website HaveIBeenPwned.com is very good at tracking whether your personal information is in a data dump, but we have not yet seen signs that this data has been dumped anywhere online.

Another way to know is if you begin getting suspicious emails requesting your personal information or signing you up to services you haven’t used.

What can criminals do with my data?

The stolen data can be used to create new accounts in your name with other businesses, where they might rack up debts or do other things that can be linked back to you.

This information can also be used to try to crack into your existing accounts, like your bank or email account. Those accounts may have other security measures such as two-factor authentication, which provides a level of protection, but it’s still advisable to change your passwords.

How can I protect myself from future data breaches?

Unfortunately, data breaches like this are becoming an almost daily occurrence, albeit not to the scale of this Optus breach. The best way to protect yourself is to limit the personal information you provide to companies to that which is absolutely necessary.

If you are concerned that a company may be keeping your data unnecessarily, you can ask it to destroy the data under the Australian privacy principles, but there is no requirement for it to do so unless it believes that data is no longer required.

Why do I have to change my banking and email passwords?

This is just a basic precaution. If you did not use those passwords anywhere else, and you are sure they are still secure, you are probably safe for now. If you are worried the hackers might use other information they have to try to get into those accounts, make sure you have two-factor authentication set up. If allowed, make sure it’s a non-SMS authenticator such as Google Authenticator, as this is more secure.

Has Optus broken any laws?

Optus has not yet provided clear answers on how the data was obtained, or whether it was stored insecurely. As long as Optus can demonstrate it actively took steps to protect the data, it would not be in violation of the Australian privacy principles.

It will be up to the privacy commissioner to determine whether Optus did take reasonable steps to secure the data.

Can I get compensation from Optus?

There is no legal protection for customers when this kind of breach occurs. Optus may at some point offer compensation or access to other services like IDCare, which supports people who have personal cybersecurity concerns, but it is under no obligation to do so, and has not yet said whether it will.

The Optus chief executive, Kelly Bayer Rosmarin, told reporters on Friday that the company had been engaging with IDCare but given the scale of the breach it was not clear whether they would be able to effectively support all affected customers.

Why does Optus store passport and licence information?

Optus said it stored the data including passport and licence numbers for up to six years as required by Australian law. Companies need to keep a record of licence and passport numbers in order to verify the identity of a customer when they sign up for a new mobile service.

The attack is likely to spark debate about whether asking companies to retain this data for longer than is required for immediate identity verification is an acceptable risk.

The department of the federal attorney general is already in the process of finalising a report recommending changes to Australian privacy law, in part to deal with the growing amount of information companies collect about people online. That report is due out before the end of the year.

As part of that review, Optus argued against giving people a right to request their data be destroyed. The company told the review there were “significant hurdles” to implementing such a system which would come at “significant cost”.

Optus also opposed changes to the Privacy Act to allow individuals to take direct action against companies for privacy breaches.

Should I change my mobile / broadband provider?

You can, and it is likely some Optus customers will. But changing providers will not protect you from the risks of having been exposed in this particular data breach, and there is no guarantee other companies would not also experience a data breach.

Ultimately, it is a personal decision about who you trust with your data.


Josh Taylor

The GuardianTramp
