Should a company data breach bother you?

On 22 September 2022, Australian telecommunications giant Optus revealed that around ten million customers had personal data stolen in a cyber-attack. The records cover approximately 40% of the adult population. It was undoubtedly the worst ever data breach in Australia.

Optus is Australia's second-largest telecoms business. When it announced the breach, the company said that data from both current and former customers was stolen. The information the hackers took was gold for them because it included:

• names
• dates of birth
• home addresses
• phone numbers
• email contacts

For almost three million of the records stolen, the hackers also got

• passport details
• driving licence details

And for 37,000 customers, the hackers also got Medicare details, government ID numbers.

It was reported that the company claimed that no payment details or account passwords were compromised. But with that list of information now in the hands of hackers and scammers, they can use it to carry out a wide variety of scams. All this information can be combined to identify you and raises the risk for those people who have become victims of this breach of being targeted in phishing scams, by phone, text or email. And for those people who have had their passport and driving licence information stolen, they are at serious risk of identity theft, according to the Australian government.

A week after the data breach, the company received a ransom threat when someone published a sample of the records stolen - just one hundred of the records - and demanded almost £1 million, to be paid in cryptocurrency. The ransomer said the company had one week to pay, or the data would be sold off in batches into the dark web where scammers would be able to buy it.

Optus claim to have strong cybersecurity and their CEO said that the attack had been extremely sophisticated. But, controversially, a reporter contacted the ransmoer who claimed that it wasn’t sophisticated at all and that they had managed to pull the data from a freely accessible software interface. Sounds like someone left the back door open, and maybe it wasn’t a sophisticated hack at all.

The Optus breach raises questions about how Australia handles data and privacy. The event has certainly sparked widespread anger amongst Australia’s population and there is talk of a class-action legal case being brought.

Could something like this affect you?

Well, it could do. The data stolen in the Optus breach included records of people who are no longer even customers of the telecomms giant. Hackers and scammers can still use the data records they’ve found in their attempts to build up a profile of you and use it against you in scams or identity theft.

Scammers move like lightning

Scammers react fast to current affairs and they wasted no time in creating a scam around the Optus breach. People started receiving text messages purporting to be from Optus offering a link to click, it said “because we need to issue new SIM cards, click here to arrange delivery”. This is a classic ‘smishing’ attempt.

There were multiple other attempts at scams on the back of the breach, mostly from scammers not involved in the hack itself. They included ransom attempts on individuals, threatening to sell the victim’s information online unless they paid ASU$2000. There were others that came out around apparent direct debit failure, or password expiry. There was even one pretending to be from the government apparently trying to set up Medicare payments. All false and attempts to scam people.

What can you do if your data is compromised?

What can you do if you find that your data has been in a data breach? It will make you more vulnerable to scams and that means you need to be wary. Here are a few tips:

• Scammers will use the data breach and target you in any way that they can, and every day we hear about new levels of sophistication being employed by scammers to catch people out
• Victims will likely notice an increased number of phishing emails, phone calls, and SMS or social media messages. Don’t click on links you’re not 100% sure about
• Be wary of new communications and don’t just accept what you’re being told. Don’t take ‘Caller ID’ as genuine. Take your time, do your research, and independently contact the purported business or agency communicating with you, using contact details you’ve sourced yourself, for example through searching for the business or agency online.
• Remember, no genuine business will ever text you requesting payment details
• Don’t click any links or open any attachments
• Never provide anyone with your personal or banking information or grant remote access to your device, however persuasive the scammer may seem
• Check the login activity for your accounts and sign out of unrecognised devices (Microsoft, Gmail, Yahoo, AppleID, Facebook)
• Check your social media accounts, update passwords and do privacy and security checks
• If passport or driving licence information has been lost, contact the relevant authorities to cancel them and arrange new ones to be issued
• Secure your bank accounts. Set up two-factor authentication, set transaction limits, add security questions
• Change all your passwords. Use a password manager to help manage them

And report it to Action Fraud.

How can I protect my data in a telco or any other company?

In the Optus breach, there were many many records of people who are not even customers any more. In our online lives, we leave an ever increasing digital footprint and a surprisingly large number of companies have our data. Some of those are companies you may never have heard of, yet they have computer records containing your personal information.

To prevent your data being stolen from companies that no longer need it, you can use Rightly Protect, our free service that will help you identify which companies have your data. Once you know that, in a single click you can get your data deleted from any or all of them.