Optus faces a customer exodus, calls for compensation amid anger over leaked data

Current and former Optus customers are demanding help in safeguarding their personal information, with an expert saying the level of risk varies from person to person.

Signage at an Optus store in Sydney.

Optus customers' private information could be compromised after a cyber attack hit the phone and internet provider. Source: AAP / BIANCA DE MARCHI/AAPIMAGE

Key Points
  • Angry Optus customers pledge to leave, demand compensation following breach.
  • Current and former customers say the company's response has been unsatisfactory.
  • A data expert said the breach was due to a "combination of failures" and tougher data protection laws are needed.

Optus customers seething over the telco's huge data breach have pledged to leave the company and claim compensation, while a data security expert says a hack of this magnitude was "inevitable" and tougher data protection laws are needed to prevent more occurring.

Optus CEO Kelly Bayer Rosmarin on Friday confirmed the hack, billed as one of the biggest data breaches in the country, could have compromised the personal records of up to 10 million Australians at risk of having their user names, dates of birth, phone numbers, email addresses, driver's licence numbers, passport numbers or addresses compromised.

No payment details or passwords were taken in the cyber attack, Ms Bayer Rosmarin said.

This comes amid reports hackers are trying to sell millions of Australians' personal information following the breach, with Optus acknowledging it is likely that criminals will make claims seeking to capitalise financially on the leak.

Former Optus customers were also affected, as telcos are required by law to retain a particular set of data for at least two years so that law enforcement and security agencies can access it, subject to strict controls.

However, it seems some affected people had left Optus more than two years ago.

Many people had already tried to contact the company but found the response from phone operators and online bots unsatisfactory, with some saying they would go to the ombudsman for advice.

Long-time Optus customer Kim, who did not want to give her surname, said she was angry at the situation that her telco of 20 years had put her in.

The Sydney resident was notified on Saturday her data was exposed, but says when she rang Optus to ask specifically what information had been leaked, she was not given any answers.

She is concerned someone could open up a bank account with the potential level of exposure.

When she demanded compensation, Kim was told in an online customer conversation that this would not happen.

“That is absolutely ridiculous,” Kim told SBS News. “This is the biggest data breach in Australian history.

“I need them to tell me exactly what information of mine has been exposed, not just this laundry list.”
Kim says Optus should be paying to cover the cost of replacing passports and driver’s licences or waive future bills, or she won’t remain a customer anymore.

“They should be providing us with a … set amount of money so that we can go and get the new driver's licence and go and get a new passport and you know, set up this stuff on all the three credit reporting agencies and all of that.

“God knows how long we have to wait for this.”
An online exchange between long-time Optus customer Kim, who didn't want to give her surname, and the telco following a huge data breach.
Current and former Optus customers are fuming over a data breach that may have affected up to 10 million people. Source: SBS News
Many Optus customers say they will leave the telco as a result of the data hack. Source: SBS News
SBS News has sought comment from Optus on whether it will compensate customers for losses stemming from the data breach.

In a previous statement on Saturday morning the company said: "The attack is being investigated by the Australian Federal Police, and they have advised Optus not to provide comment on certain aspects of the investigation, including verifying the authenticity of customer information published on the internet."

'A combination of failures'

Justin Warren, chair of Electronic Frontiers Australia and managing director of PivotNine Consulting, told SBS News the Optus breach was "kind of inevitable, not surprising but disappointing".

He said it appears the breach was due to "a combination of failures".

Firstly, it seems Optus stored its contact information in the same place as "fairly sensitive" information such as driving licence and passport details, he said.

"It should have been separate, it shouldn't have been this easily available. The API endpoint shouldn't have been publicly visible to the internet, it shouldn't have been accessible without any kind of authentication. You shouldn't have been able to traverse it piece by piece for customer-identifying records. You shouldn't be able to do it at the scale that it happened to be able to extract the data outside of the secured environment.

"There are multiple things that happened here that shouldn't have, any one of which, if it had been done differently, would have changed the outcome."
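The failure chain Mr Warren lists (a customer-record endpoint reachable without authentication and walked record by record at scale) leaves a recognisable trace in access logs if anyone is looking for it. The Python below is an added illustration, not code from this article, from Optus or from any telco: the log format, paths, client addresses and thresholds are all constructed assumptions. It parses constructed log lines, flags a client that reads many consecutive customer IDs in a short window, and shows the object-level authorisation check that should sit in front of such an endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (assumed format, not a real telco log):
# "<ISO timestamp> <client ip> <method> <path> <status> auth=<yes|no>"
SAMPLE_LOG = """\
2022-09-20T10:00:01Z 203.0.113.7 GET /api/customer/1000 200 auth=no
2022-09-20T10:00:02Z 203.0.113.7 GET /api/customer/1001 200 auth=no
2022-09-20T10:00:02Z 203.0.113.7 GET /api/customer/1002 200 auth=no
2022-09-20T10:00:03Z 203.0.113.7 GET /api/customer/1003 200 auth=no
2022-09-20T10:00:03Z 203.0.113.7 GET /api/customer/1004 200 auth=no
2022-09-20T10:00:04Z 203.0.113.7 GET /api/customer/1005 200 auth=no
2022-09-20T10:00:04Z 203.0.113.7 GET /api/customer/1006 200 auth=no
2022-09-20T10:00:05Z 198.51.100.4 GET /api/customer/5521 200 auth=yes
2022-09-20T10:00:09Z 198.51.100.4 GET /api/customer/5522 403 auth=yes
2022-09-20T10:01:00Z 192.0.2.9 GET /api/customer/7 404 auth=no
2022-09-20T10:01:30Z 192.0.2.9 GET /api/health 200 auth=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)
# Hypothetical record-lookup path keyed by a numeric customer id.
RECORD_RE = re.compile(r"^/api/customer/(?P<cid>\d+)$")


def parse_log(text):
    """Return one event dict per log line that is a customer-record lookup."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = RECORD_RE.match(m["path"])
        if not r:
            continue  # not a record lookup (health checks and the like)
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "ip": m["ip"],
            "cid": int(r["cid"]),
            "status": int(m["status"]),
            "auth": m["auth"] == "yes",
        })
    return events


def detect_enumeration(events, window=timedelta(minutes=5),
                       min_records=5, min_sequential_ratio=0.8):
    """Flag a client that successfully reads many distinct customer ids,
    mostly consecutive, inside one time window: the 'traverse it piece by
    piece' pattern. Thresholds are constructed for the example; per client,
    the widest window that meets them is reported."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 200:          # only records actually returned
            by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward in time
            span = evs[start:end + 1]
            ids = sorted({e["cid"] for e in span})
            if len(ids) < min_records:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            ratio = steps / max(len(ids) - 1, 1)
            if ratio >= min_sequential_ratio and (
                    best is None or len(ids) > best["distinct_ids"]):
                best = {
                    "ip": ip,
                    "distinct_ids": len(ids),
                    "sequential_ratio": ratio,
                    "unauthenticated": sum(1 for e in span if not e["auth"]),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                }
        if best is not None:
            findings.append(best)
    return findings


def is_record_access_allowed(authenticated_cid, requested_cid):
    """Object-level authorisation an endpoint like this should enforce:
    no authenticated session means no record, and a session may read only
    the record belonging to its own customer id."""
    if authenticated_cid is None:
        return False
    return authenticated_cid == requested_cid


if __name__ == "__main__":
    for f in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['distinct_ids']} consecutive ids "
              f"({f['unauthenticated']} unauthenticated) "
              f"between {f['first'].time()} and {f['last'].time()}")
```

Run as a script, it reports the one client in the constructed log that walked seven consecutive records without a session. The detector is deliberately simple: sequential-ID traversal is only one enumeration shape, and the authorisation check is what removes the problem rather than merely observing it.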
Mr Warren said other telcos were most likely in danger of similar breaches.

"The optimist in me hopes that is not the case. The realist in me, who has experience of this industry over the last 25 years, says it's probably extremely likely. It may not be this bad, but if I was another telco, I wouldn't be putting out an ad claiming that I'm better than Optus right at the moment, until I've really thoroughly checked all of my systems."

Level of risk depends on the individual

Mr Warren said the level of risk associated with this data breach will vary from person to person.

"Some people are not particularly worried about sharing this information publicly.

"But those who have addresses they don't want their ex partner to know because they have fled a domestic violence situation … this could place them in danger," he added.

Identity fraud was the most likely threat for most people, he said.

"People could use these identifiers to provide 100 points of proof to a bank, in order to take out a bank loan in someone else's name, then they make off with the cash. This is why credit monitoring is often deployed in these circumstances."
General view of an Optus store in Sydney.
A data security expert said it was up to people to assess what their individual risks were and take relevant action following the Optus data breach. Source: AAP / BIANCA DE MARCHI/AAPIMAGE
Mr Warren said it was up to individuals to assess what their risks were and to take relevant action.

For some, this may mean contacting their state registrar to change their driving licence ID, or renewing their passport slightly earlier than normal. He also advised people to use a password manager and multi-factor authentication where available, to make it harder for someone impersonating them to take over those services.

He also advised people to contact Optus to put a hold on their phone number, to prevent someone porting it away to another provider and then using it to try to take over their accounts.

"You have to decide whether you think that the risk of identity fraud is worth the cost in both time and money and effort," Mr Warren said.

"I would certainly be approaching Optus for assistance. I think that customers should be putting the onus on Optus for this because it's not their fault that any of this happened."

In an email to customers on Friday, Optus encouraged them to look out for any suspicious or unexpected activity across their online accounts, including bank accounts; report any fraudulent activity; look out for contact from scammers; not click on suspicious links; never provide passwords or any personal or financial information; and say no to requests for access to their computer.

Push for compensation

Consumer data advocate Kate Bower from Choice said it’s “totally fair” for customers to be seeking compensation from the telco.

“The reaction from customers is understandably quite angry, that they're in a position where they have to give over this data in order to get an essential service,” she told SBS News.

“So understandably, they're now asking, why is it on us to do something about this? Why isn't Optus stepping in or why isn't there a better system in place?"
She said there needed to be a better approach for helping people in the fallout of data breaches on this scale.

“What we need is much, much better rules around compensation, what should happen, when it should happen, who should be liable to pay, but potentially we also need to look at other types of situations when it's government-issued IDs, like passports and driver's licences, that have been leaked.

“If nine million people need to go and get a new driver's licence on your passport number tomorrow, that's not something that the government can just deal with.

“The size of this is going to be a real opportunity for us to think about, ok, what do we do in terms of remedy but also how do we stop this from happening again in the future.”

Penalties and lessons

Mr Warren said that Australia should look at how other parts of the world were penalising companies over data breaches.

He pointed to the EU's General Data Protection Regulation (GDPR), which is among the world's toughest data protection laws. Under the GDPR, the EU's data protection authorities can impose fines of up to €20 million (roughly $29.6 million), or 4 per cent of worldwide turnover for the preceding financial year, whichever is higher.

"I think we could learn a lot from how effective that either has or hasn't been, and maybe we can improve upon it."

But for now, he said Optus owes its customers "a very clear factual explanation of what happened", with a full investigation needed to understand the full detail.

Ms Bower said she expected Optus customers would leave as a result of the breach.

"This is certainly a breach of trust," she said. "I still expect that some customers will probably leave out of frustration, but sadly, it won't do much to protect the people whose data is already out there.

"The main problem is that you have to share this information, regardless of where you go. This kind of identity information is what's needed to sign up to an essential service like a telco, and it could potentially happen again."

Published 25 September 2022 6:05pm
By Caroline Riches
Source: SBS News