Australian banks will be informed of attacks such as the Optus data breach more swiftly, as the Federal government prepares to announce a security crackdown to tackle the impact of cyber attacks which expose personal information and put customers at risk.
The recent Optus data breach exposed the personal information of up to 9.8 million Australians, including details such as customers’ names, dates of birth, phone numbers and email addresses. For 2.8 million customers, their home address was also exposed, along with ID document numbers such as their driver’s licence or passport.
The attack appears to impact Optus customers dating as far back as 2017, including former customers. The telco says account passwords were not compromised, and neither were financial and payment details.
One of the largest data breaches in Australian history, the attack leaves affected Optus customers at risk of fraud and identity theft. It also leaves all Optus customers at risk of falling prey to further attacks, as scammers take advantage of people’s concern through bogus emails and text messages.
Customers warned of Optus data breach
Optus first alerted customers and media to the cyberattack on Thursday, September 22, but the full extent of the data breach and those responsible for the attack are still unclear.
“While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance,” said Optus CEO, Kelly Bayer Rosmarin.
Optus assured customers the data breach has been blocked and that its phone and internet services remain safe to use. The telco says that its SIM-only brands Amaysim and Gomo, along with Optus resellers, were not impacted by the attack.
The attackers claim to have already released the details of 10,000 Optus customers on the dark web and are demanding a $1.5 million ransom. The threat is yet to be confirmed as genuine by Optus, although cyber experts view early customer data released by the alleged hackers as genuine.
Optus has sent emails or text messages to all customers who had their identification documents compromised in the data breach. The telco is offering its “most affected” customers a free 12-month subscription to Equifax Protect, an ID and credit monitoring service to help them detect signs of fraud.
Government response to Optus data breach
Australian Prime Minister, Anthony Albanese, labelled the Optus data breach as a “huge wake-up call”, as the government flags introducing large fines for future breaches and overhauling the nation’s data retention laws.
Home Affairs Minister, Clare O’Neil, laid blame for the attack at the feet of Optus and said the government is looking to work with financial regulators and the banking sector to see what steps can be taken to protect impacted customers.
“One significant question is whether the cyber security requirements we place on large telecommunications providers in this country are fit for purpose,” O’Neil said.
“In other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.”
How Optus customers can protect themselves
As law firm Slater and Gordon announces it is investigating a class action against the telco over the data breach, customers can take several precautions to reduce their risk.
The Australian Competition and Consumer Commission’s ScamWatch service has urged Optus customers to take extra steps to secure their accounts, as well as watch out for signs of identity theft and fraud.
Sensible precautions include changing passwords on Optus email accounts and linked services, such as online banking, as well as enabling multi-factor authentication on accounts as an extra layer of defence.
Optus customers should also closely monitor their bank and credit card statements, along with other personal financial accounts, and immediately flag suspicious activity.
Customers should also be on guard for calls, emails or text messages from scammers attempting to take advantage of the situation. This includes bogus messages claiming to be from Optus or other organisations, asking customers to hand over personal information or click on links.
The telco says that no legitimate communications from Optus relating to this data breach will include any links, as it recognises that cyber criminals will be using this incident to conduct phishing scams.