Optus Suffers Massive Data Breach After Advocating Against Better Privacy Legislation

Australia’s second-largest telecommunications company, Optus, announced it suffered a major data breach on Wednesday, 21 September. The company hasn’t released exact details yet, but said that in the worst case 9.8 million people (about 40% of the country’s population), with records dating back as far as 2017, may be affected.

Optus has advised that anyone who has used the service in the last 6 years could be at risk of identity theft. Investigations are ongoing and Optus is working with government cyber experts and privacy regulators, but for the people whose data is already in criminals’ hands, that help comes too late. Notably, the company recently opposed changes to Australia’s privacy regulations that would have given users more control over their personal data.

Thus far, Optus has mainly communicated the breach via the media, though on Friday it started notifying customers directly by email and SMS whether their data was compromised. The home affairs minister, Clare O’Neil, has advised anyone who is concerned they might be a victim of a cyber attack to visit cyber.gov.au.

An API Vulnerability Puts Millions at Risk

Optus believes the intrusion occurred via someone exploiting a vulnerability in one of its application programming interfaces (APIs). An API is a defined interface through which one program exposes data and functions to other programs; a customer-facing app or website typically pulls account details from a back-end database through one. Optus’s CEO Kelly Bayer Rosmarin has yet to confirm any specific details about the hack, citing the ongoing criminal investigation.

Considering the attackers reached the company’s customer data via an API, it’s possible the vulnerability in question was an authorization issue: the API returned records without properly checking that the caller was entitled to them. Depending on which API was exploited and what it could return, this could have given the attackers access to every customer record Optus holds, including highly personal information. Until Optus publishes details, this remains speculation; the exact endpoint and flaw have not been confirmed.
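To make that class of flaw concrete, here is an added example; it is not Optus’s code, and the endpoint, customer IDs, and records are all invented. It shows a customer-lookup handler that trusts the ID in the request and never asks who the caller is (so an unauthenticated client can walk sequential IDs and dump every record), alongside a hardened version that requires an authenticated caller and only returns that caller’s own record.

```python
"""Broken object-level authorization in a customer-lookup API.

Added illustration, not Optus's code: the handler, identifiers and records
below are constructed to show the class of flaw the article speculates
about, an API that returns customer records without checking who asks.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    customer_id: int
    full_name: str
    date_of_birth: str
    passport_number: str


# Constructed sample data. Sequential IDs are what make enumeration trivial.
CUSTOMERS = {
    1001: Customer(1001, "Alice Example", "1984-02-11", "PA1234567"),
    1002: Customer(1002, "Bob Example", "1990-07-30", "PB7654321"),
    1003: Customer(1003, "Carol Example", "1977-12-05", "PC2468101"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def lookup_customer_vulnerable(caller_id, requested_id):
    """Vulnerable: uses the ID from the request and ignores the caller entirely.

    caller_id is accepted but never consulted, so an unauthenticated client
    (caller_id=None) can fetch any record by guessing its ID.
    """
    return CUSTOMERS.get(requested_id)


def lookup_customer_hardened(caller_id, requested_id):
    """Hardened: the caller must be authenticated and may only read its own record.

    The same error is returned for "not yours" and "does not exist", so the
    endpoint does not act as an oracle for which IDs are valid.
    """
    if caller_id is None:
        raise Forbidden("authentication required")
    record = CUSTOMERS.get(requested_id)
    if record is None or record.customer_id != caller_id:
        raise Forbidden("not found")
    return record


def enumerate_records(lookup, caller_id, start, stop):
    """Simulate an attacker walking an ID range through the given handler."""
    harvested = []
    for cid in range(start, stop):
        try:
            record = lookup(caller_id, cid)
        except Forbidden:
            continue
        if record is not None:
            harvested.append(record)
    return harvested


if __name__ == "__main__":
    # An unauthenticated client walks a small ID range against each handler.
    leaked = enumerate_records(lookup_customer_vulnerable, None, 1000, 1010)
    print(f"vulnerable handler leaked {len(leaked)} records")
    blocked = enumerate_records(lookup_customer_hardened, None, 1000, 1010)
    print(f"hardened handler leaked {len(blocked)} records")
```

The fix is not simply "add authentication": the hardened handler also ties the record to the authenticated identity, since an authenticated customer who can read other customers’ records by changing the ID is the same bug behind a login wall. Using non-sequential identifiers and rate-limiting lookups reduces the blast radius further but does not replace the ownership check.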

The telecom giant has so far revealed the following customer information has been compromised:

          • Full names 
          • Dates of birth 
          • Phone numbers
          • Email addresses
          • Physical addresses

Some Optus users’ driving licence details and passport numbers have also been compromised. Optus emphasized that customers’ payment information and account passwords weren’t compromised, and that its phone services are still safe to use.

The company is in the process of notifying customers who are at heightened risk. Even so, criminals need only a small amount of data to target their victims: a name, date of birth, address and identity document number together are enough to attempt account takeovers or open accounts in someone else’s name. Optus customers now face threats like stalking, identity theft, and targeted phishing attacks that quote their real details to look legitimate.

Optus Vehemently Opposed Positive Changes to Privacy Laws in Australia

Before this breach, Optus had a chance to support stronger privacy rights in Australia, but chose to put its own interests first. It opposed changes to the federal Privacy Act on multiple occasions, changes that would have given users more control over their own data.

The federal Privacy Act is the main legislation protecting Australian citizens’ digital data, including in the telecommunications industry. In 2020, the Morrison government wanted to review and improve the act. One of the proposed changes was to give people the ability to request that companies delete their private data. It also proposed that citizens should have more defined rights to direct legal action against companies over data breaches.

The attorney general’s department then canvassed public views on the matter. Optus argued against both proposed changes, saying that giving people the right to erase their own data would create significant technical hurdles and compliance costs.

Optus also argued that giving people a direct right of legal action over data breaches would lead to frivolous litigation, and claimed the proposed changes would not actually give people more control over their data. In 2021, the attorney general’s department formally proposed a similar change and Optus repeated the same objections.

Now that Optus has suffered a massive data breach putting the highly personal information of millions of people at risk, those responses come across as negligent and self-serving. If this outcome proves anything, it’s that Optus was wrong and people should have more control over their own data.

What Can Affected Optus Customers Do?

Anyone who suspects they may be at risk should take steps to protect themselves before criminals act on the stolen data. Here are a few simple tips to reduce your exposure to identity theft and phishing:

          • Change the passwords on your important accounts, following best practices for creating strong passwords. Never reuse the same password across accounts; a password manager makes this practical.
          • Enable multi-factor authentication on important accounts such as email and online banking.
          • Monitor your accounts and finances for suspicious activity and report anything you see to your bank, the affected company, or the relevant authorities.
          • Set daily spending and withdrawal limits on your financial accounts.
          • Be wary of emails, messages, and SMSes from strangers or companies, especially ones that contain links or ask you to confirm personal details. Criminals holding your real name, address, and date of birth can craft very convincing messages.
          • Be careful about sharing personal details on social networks; criminals can combine them with stolen data to impersonate you or track you down.
          • Protect your connection with a reliable VPN that encrypts your device’s internet traffic and makes browsing on untrusted networks safer. CyberGhost VPN uses 256-bit AES encryption and has 7000+ servers across the world. Note that a VPN protects data in transit from your device; it cannot undo exposure of data a breached company already held, so treat it as one layer alongside the steps above.

Optus is still assessing the scope and severity of this breach. As more information comes to light, Optus will notify more people about whether their data may be at risk. The company has stated it won’t include any links in these notifications, so any Optus-branded email or SMS asking you to click a link should be treated as phishing. Avoid and report any suspicious Optus-related messages.
