In the last week, I’ve had two “urgent updates” from Optus. And while it’s difficult to separate my perspective as an Optus customer from my experience covering data breaches over the years, this is still an unusual situation.
As a mainstream telco, Optus has a diverse customer base which makes communication about technical matters a challenge. However, exposure of current ID documents at this scale is relatively rare, so anxiety among customers has been understandably running high.
Optus may be saying as much as possible in its emails to customers, but it’s not enough to prevent fear and confusion.Credit:AP
I was first contacted by Optus about the breach on September 26, around four days after I first read about it. I almost missed the message, since it arrived at 11.56 pm. It was good news, although it was stated vaguely; some combination of my name, date of birth, email address, phone number or home address had been accessed. No passport or driver’s licence.
It was frustrating that Optus couldn’t let me know exactly what details were included. What address are they talking about for example, the one I gave years ago when signing up for the service, or the current one it sends the bills to? What was the exact combination of data because just my name seems a lot less dangerous than a matching set of all five data points.
Most people don’t spend too long thinking about what criminals do with this kind of data. And many Optus customers, at least those that had been contacted, had no idea what to do with the information the telco was giving them.
In terms of practical advice, Optus’ email stuck to the basics of warning me not to click on links in suspicious messages. Presumably it didn’t want to freak anybody out, but this would have been a good time to remind customers that potential hackers could combine the information stolen with data from other sources for identity theft. It could have also used the first email to tell affected customers to secure their passwords on all online accounts, activate two-factor authentication if possible, and make sure none of their passwords could be reset simply by knowing some of the details that had now been exposed.
Having read the email, I mentally placed myself in the second of the four groups of Optus customers, ranked by how much they had been exposed. First were people who didn’t have any data exposed at all. Second were people who, like me, had some basic personal info taken. Third were people who had serious info taken, like passport numbers. And fourth were people whose data had already been published online, by the anonymous person behind the breach in an attempt to prove they were serious.
Of course most people wouldn’t have known which group they were in at the time. And, as it turned out, neither did I. A second urgent email arrived on September 30 that informed me I was actually in the third category of customers; my Medicare number had been exposed.
I knew from reports that Optus had begun working with governments and that new details would come to light, and at least this email gave some specificity (i.e. “Medicare number” and not just “some combination of details from your passport, driver’s license or other ID document”).
Then again, I also knew that for many other people this would be an alarming development. First they say it’s not so bad, and now they say it’s worse? What else have they yet to find out? Do criminals have my medicare card now, and what can they do with it?
Medicare numbers on their own aren’t very helpful to crooks; you generally need your reference number and expiry date too. Plus, I was fairly confident my current Medicare details are completely different to what Optus would have had on file.
Optus suggested in the email that I get a replacement Medicare card, which I know from experience is annoying; everyone on your card has to rely on digital versions on their phones for a few weeks while you wait for the replacements to come in.
But it will be much worse for anyone whose current passport number has been exposed, especially if they’re expecting to travel any time soon.
Now that I was in the higher risk category, Optus offered me a 12-month subscription to Equifax Protect, but I was left to do my own research about what this was. Heading to the cited website (there was no link, so Optus passed that test) and entering the cited unique code, I was immediately asked by Equifax to provide them with 100 points of ID, which I didn’t particularly feel like doing given the context of the situation.
Still, for anyone who might have a full set of their current details plus 100 points of ID out there on the internet, a monitoring service like Equifax’s could be the only way to get a heads-up on attempts at identity theft.
I don’t think it’s necessarily a knock against Optus that it took more than a week to tell me one of my ID numbers had been exposed. There’s an awful lot of sensitive data to comb through, millions of people to inform, and you want to take the time to get it right.
But reading back over the emails and trying to imagine I wasn’t someone who had to think about this stuff as part of their job, I’m struck again by how much of the stress, worry and work of the fallout seems to have landed with the customers here. From trying to work out what data was actually exposed and how dangerous it could be, to organising replacement IDs, applying for Equifax and figuring out if there are other mitigations you need, it’s an unwelcome headache even for the most tech-savvy among us.
Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.
Most Viewed in Technology
From our partners
Source: Read Full Article