Optus faces customer exodus and seeks compensation amid anger over data breach

Optus customers boiling over the telco’s massive data breach have pledged to leave the company and seek compensation, while a data security expert says a hack of this magnitude was “inevitable” and that stronger data protection laws are needed to prevent more from happening.
Optus CEO Kelly Bayer Rosmarin confirmed on Friday that the hack, billed as one of the country’s biggest data breaches, could have exposed the personal records of up to 10 million Australians, putting at risk their names, dates of birth, phone numbers, email addresses, driver’s licence numbers, passport numbers and, for some, home addresses.
No payment information or passwords were taken in the cyberattack, Bayer Rosmarin said, amid reports that hackers are trying to sell millions of Australians’ personal details following the breach. Optus has admitted it is likely criminals will try to capitalise financially on the leak.

Former Optus customers were also affected, because Australian data retention laws require telecom operators to retain a particular set of customer data for at least two years so that law enforcement and security agencies can access it, subject to strict controls.

However, it appears that some of the affected former customers left Optus more than two years ago.

Many people had tried to contact the company but found the responses from telephone operators and online bots unsatisfactory, with some saying they would go to the ombudsman for advice.
Longtime Optus customer Kim, who wouldn’t give her last name, said she was angry about the situation the telco she had used for 20 years had put her in.
The Sydney resident was told on Saturday that her data had been exposed, but says when she called Optus to ask specifically what information had been leaked, she received no answer.
She is worried that someone could open a bank account in her name given the level of exposure.
When she asked for compensation, Kim was told in an online chat with a customer service agent that it wouldn’t happen.
“It’s absolutely ridiculous,” Kim told SBS News. “This is the biggest data breach in Australian history.

“I need them to tell me exactly what information of mine was exposed, not just this laundry list.”

Kim says Optus would have to pay to cover the cost of replacing passports and driver’s licences, or waive future bills, or she will no longer remain a customer.
“They should provide us with a… fixed amount of money so that we can go and get the new driver’s licence and go and get a new passport and, you know, set up this stuff on the three credit bureaus and all that.

“God knows how long we have to wait for this.”

Current and former Optus customers are furious over a data breach that could have affected up to 10 million people. Source: SBS News

An online exchange between longtime Optus customer Kim, who did not want to give her last name, and the telecom operator following a massive data breach.

Many Optus customers say they will leave the telecom operator as a result of the data breach. Source: SBS News

SBS News has asked Optus for comment on whether it will compensate customers for losses resulting from the data breach.

In an earlier statement on Saturday morning, the company said: “The attack is being investigated by the Australian Federal Police, and they have advised Optus not to comment on certain aspects of the investigation, including verifying the authenticity of customer information published on the internet.”

“A combination of failures”

Justin Warren, chair of Electronic Frontiers Australia and managing director of PivotNine Consulting, told SBS News that the Optus breach was “a bit inevitable, not surprising but disappointing”.
He said it appears the breach was due to “a combination of failures”.
Firstly, it appears that Optus stored customers’ contact details in the same place as “quite sensitive” information such as driver’s licence and passport details, he said.
“It should have been separate, it shouldn’t have been so readily available. The API endpoint shouldn’t have been publicly visible on the internet, it shouldn’t have been accessible without some sort of authentication. You shouldn’t have been able to go through it one by one for customer ID records. You shouldn’t have been able to do that at the scale it took to extract that data outside the secure environment.

“There are several things that happened here that shouldn’t have happened, each of which, if done differently, would have changed the outcome.”
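The failure Warren describes, shown as an added illustration that is not Optus’s code and is not drawn from any published detail of the incident: a constructed customer-lookup endpoint with no authentication and sequential customer IDs, which an attacker can walk record by record, beside a hardened version that requires a session, lets a caller read only its own record, uses unguessable identifiers, caps requests, and never returns document numbers. All names, records, tokens and the `HardenedCustomerAPI` class are hypothetical.

```python
import secrets
from collections import defaultdict

# Constructed sample data (not real customers). Contact details and
# government ID numbers sit in one table, the co-location Warren criticises.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.com",
           "licence": "DL-0001", "passport": "PA000001"},
    1002: {"name": "Bob Example", "email": "bob@example.com",
           "licence": "DL-0002", "passport": "PA000002"},
    1003: {"name": "Carol Example", "email": "carol@example.com",
           "licence": "DL-0003", "passport": "PA000003"},
}


# ---- Vulnerable pattern ----------------------------------------------------
def vulnerable_lookup(customer_id):
    """Unauthenticated lookup keyed by a sequential integer: anyone who can
    reach the endpoint can fetch any record, document numbers included."""
    return CUSTOMERS.get(customer_id)


def enumerate_vulnerable(start, stop):
    """Walk the ID space as an attacker would and collect every record."""
    return {cid: rec for cid in range(start, stop)
            if (rec := vulnerable_lookup(cid)) is not None}


# ---- Hardened pattern ------------------------------------------------------
class AuthError(Exception):
    """No valid session presented."""


class Forbidden(Exception):
    """Session is valid but may not read the requested record."""


class RateLimited(Exception):
    """Session exceeded its request budget."""


class HardenedCustomerAPI:
    """Hypothetical hardened endpoint: session required, a session reads only
    its own customer's record, IDs are opaque, requests are capped, and ID
    document numbers are never part of the response."""
    CONTACT_FIELDS = ("name", "email")
    MAX_REQUESTS = 5          # per-session budget for the demo

    def __init__(self, customers):
        self._customers = customers
        # Opaque public IDs replace sequential integers, so the ID space
        # cannot simply be walked.
        self._opaque = {cid: secrets.token_urlsafe(16) for cid in customers}
        self._sessions = {}   # session token -> internal customer id
        self._hits = defaultdict(int)

    def public_id(self, customer_id):
        return self._opaque[customer_id]

    def login(self, customer_id):
        """Stand-in for a real authentication flow: issue a session token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = customer_id
        return token

    def lookup(self, token, public_id):
        owner = self._sessions.get(token)
        if owner is None:                       # authentication
            raise AuthError("missing or invalid session token")
        self._hits[token] += 1                  # counted before any work
        if self._hits[token] > self.MAX_REQUESTS:
            raise RateLimited("too many requests for this session")
        # Authorisation: a session may read only the record it logged in as.
        # Unknown and foreign IDs get the same error so the endpoint does not
        # act as an existence oracle.
        if self._opaque.get(owner) != public_id:
            raise Forbidden("not permitted")
        record = self._customers[owner]
        # Document numbers live behind a separate, tighter service; this
        # endpoint only ever returns contact fields.
        return {k: record[k] for k in self.CONTACT_FIELDS}


def raises(exc_type, fn, *args):
    """Small helper so the outcomes can be checked as return values."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False
```

Walking `enumerate_vulnerable(1000, 1010)` returns all three constructed records with their licence and passport numbers. Against `HardenedCustomerAPI`, the same walk fails at the first step (no session), a logged-in session reading another customer’s opaque ID is refused, and the response for its own record carries contact fields only.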

Mr Warren said other telecom operators were most likely exposed to similar breaches.

“The optimist in me hopes that’s not the case. The realist in me, who has experienced this industry for the past 25 years, says it’s probably extremely likely. It might not be that bad, but if I was another telecom operator, I wouldn’t post an ad claiming I’m better than Optus right now, until I’ve really checked all my systems.”

The level of risk depends on the individual

Warren said the levels of risk associated with this data breach will vary from person to person.
“Some people aren’t particularly worried about sharing this information publicly.
“But those who have addresses they don’t want their ex-partner to know because they fled domestic violence…it could put them at risk,” he added.
Identity theft was the most likely threat for most people, he said.

“People could use these IDs to provide 100 points of evidence to a bank, to take out a bank loan in someone else’s name, and then they would run away with the money. That’s why credit monitoring is often offered in these circumstances.”

General view of an Optus store in Sydney.

A data security expert said it was up to individuals to assess what their individual risks were and take appropriate action in the wake of the Optus data breach. Source: AAP / BIANCA DE MARCHI/AAPIMAGE

Mr Warren said it was up to individuals to assess what their risks were and take appropriate action.

For some, this may mean contacting their state registrar to change their driver’s licence number, or renewing their passport a little earlier than normal. He also advised people to use a password manager and multi-factor authentication where available, so that someone claiming to be them cannot take over those services.
He also advised people to contact Optus to put a hold on their phone number, to prevent someone from porting it to another provider and then using it to try to take over their accounts.
“You have to decide if you think the risk of identity fraud is worth the cost in time, money and effort,” Warren said.
“I would definitely contact Optus for help. I think customers should put it back on Optus, because it’s not their fault that all of this happened.”

In an email to customers on Friday, Optus encouraged them to look for suspicious or unexpected activity in their online accounts, including bank accounts; report any fraudulent activity; watch out for contact from scammers; not click on suspicious links; never provide passwords or personal or financial information; and say no to requests for remote access to their computer.

Push for compensation

Consumer data advocate Kate Bower of Choice said it was “totally fair” for customers to seek compensation from the telecom operator.
“The reaction from customers is understandably quite angry, because they’re in a position where they have to give up this data in order to get an essential service,” she told SBS News.

“So, it’s understandable, they’re asking now, why is it up to us to do anything about it? Why isn’t Optus stepping in or why isn’t there a better system in place?”

She said a better approach was needed to help people deal with the fallout from data breaches on this scale.
“What we need are much better rules around compensation: what should happen, when should it happen, who should be required to pay. But potentially we also need to look at other types of situations, when it is government-issued IDs, such as passports and driver’s licences, that have been leaked.
“If nine million people have to go and get a new driver’s licence or passport number tomorrow, that’s not something the government can just handle.

“The magnitude of this is going to be a real opportunity for us to think about, okay, what we’re doing in terms of a cure, but also how to prevent this from happening again in the future.”

Penalties and lessons

Mr Warren said Australia should look at how other parts of the world penalise companies for data breaches.
He pointed to the European Union’s General Data Protection Regulation (GDPR), which is among the strictest data protection laws in the world. Under the GDPR, EU data protection authorities can impose fines of up to €20 million (approximately $29.6 million) or 4% of the company’s global turnover in the previous year, whichever is greater.
“I think we could learn a lot from whether it’s effective or not, and maybe we can improve it.”
But for now, he said Optus owes its customers “a very clear factual explanation of what happened”, with a full investigation needed to understand all the details.
Ms Bower said she expected Optus customers to leave as a result of the breach.
“It’s definitely a breach of trust,” she said. “I still expect some customers to leave in frustration, but unfortunately that won’t do much to protect people whose data is already there.

“The main problem is that you have to share this information, wherever you go. This type of identity information is what is needed to register for an essential service like a telco, and it could potentially happen again.”