Updated: Sep 28, 2022
On Thursday 22nd September, Optus announced that their customer records had been hacked and nearly 10 million people are affected. Stolen information includes full names, phone numbers, email addresses, physical addresses, and identity documents such as passport and driver's license information.
Over the last year or so, we've seen data breaches at major corporations like LinkedIn, Twitch, Neiman Marcus, and Plex affecting tens of millions to hundreds of millions of people. Still, this one is a bit closer to home for those of us who live in Australia, and I'm getting asked a lot about it.
What can you do if Optus tell you that your data has been taken?
To start with, the data that has been taken isn't going away. It's not like a stolen watch, which you might be able to get back. At this point the conversation is about how you can limit risk moving forward.
Unfortunately, the information stolen is enough for a cybercriminal to sign up for services in your name and possibly even steal your phone number or worse (!). Changing your driver's license number / passport number will go a long way towards decreasing the financial risk here, but be aware that the process is very time consuming and challenging. Optus have already agreed to give 12 months of credit record protection to affected customers, and that's a normal precaution to take, so it's good that they're doing that. This is effective because if someone applies for financial services in your name, it will usually trigger a credit check, and you will be able to see that on your credit record.
Sounds gloomy - what can we do to prevent this in the future?
If you're a consumer: be aware that once you hand over your data (email address, a password, date of birth, copies of your driver's license etc.), you lose control of it. In the case of Optus, there was really nothing you could do as a consumer, because Australian law requires you to hand over a lot of information to get a mobile phone in the first place. Other times, especially for random online web sites, when they ask for a date of birth, think about whether you really need to give it to them, or whether you really need to sign up in the first place.
If you're a business owner: be aware that the level of care your customers expect you to take with cybersecurity will continue to increase. Some of you may have been sitting on the fence about reviewing your business cybersecurity, but don't wait until you get hacked before doing this!
If you're a Government official: please look at creating a transparent process for people to protect their identity after information is stolen but before it's used for fraud. Most category A identity documents are controlled by the Government (e.g. driver's license, passport, birth certificate, proof of age card), but there's no method for a citizen to contact the Government and say "My identity details have been stolen, can you help me to lock or re-issue them to prevent further damage?".
Update 28th September: The WA Department of Transport is responding to this particular incident by offering to change the license for affected Optus customers.