Optus Data Breach – what you need to know
In the last 24 hours, states across Australia have been scrambling to protect Optus customers by enabling the rapid revision of driver's licences; just one of the data points compromised by the recent Optus data hack, which affected nearly 10 million customers.
We so often hear “data breaches happen all the time”, but it’s rare that they get widespread media attention and such an immediate mobilisation of government agencies to address the problem. Even the FBI has been called upon to help out. So, with all the media coverage, why is this one so important?
The first, and most obvious, concern is the sheer magnitude of the data. Nearly 10 million Australians are reported to be in the data set that is now in the wrong hands. That’s bad. The types of personal information reportedly in the data set, such as driver's licence details, would be pretty bad as individual items. Combined in a single data set, however, they are significantly more alarming, because a lot of the data aggregation has already been done for the criminals.
There are three separate components that are important for all hire companies to be aware of. Cyber security expert and trusted HRIA partner Jason LeGuier from HotlineIT explains each of these concerns below:
I am an Optus customer (past or present)
Impersonation-based fraud is a frequent method of cybercrime, but you need to be much more vigilant following this data breach. You may receive scams targeting Optus customers, both from people who DO have the information and from scammers who are preying on your heightened sense of alarm. Think “your data was found in the Optus data breach, click here to xxx”.
It's advisable to change your Optus password and phone verification code, and to change them on all other accounts where you re-use this password. Do not assume that the only data stolen is the data that is being ransomed.
Also review the password reset questions on all of your important accounts and consider whether the answers could be in the reported data set.
I am a business that deals with people who are also Optus customers
As hire businesses, we rely on identity checks to minimise the risk of theft by hire. This data breach is a very significant one for trusted identity sources, such as passport and driver's licence agencies. Unfortunately, it is going to increase the potential for identity theft. As a “lender”, every hire company will need to be extra vigilant around suspicious identity verification behaviour, such as “photocopied”, “photographed” or “scanned” images. Remember that a DL check will come back valid: that only tells you the DL details belong to a valid licence, not that the photo or the person presenting it is the licence holder.
If you run any e-commerce activities with your customers, consider a customer-wide password reset as a precautionary step to protect both your customers and yourselves.
I am a business that stores customer identity information
Data privacy is a serious issue. The reported USD $1m ransom will be a drop in the ocean compared to the direct and indirect costs to Optus, without even considering the costs to all of the customers whose data has been leaked. No business wants to go through what Optus is going through right now, but imagine watching this all unfold, and then being NEXT!
- Immediately assess whether the information you hold is necessary. Never retain credit card information, and if you do, understand PCI DSS. It is far better to use a third-party service, such as your bank, to tokenise credit card information for repeat billing.
- Once you understand what you are storing, consider access. Not all staff need access to all data, all of the time. Limit access to a “needs” basis.
- If you aren’t aware of your current security posture, talk to an expert immediately to get a risk assessment.
- If you don’t have cyber insurance, consider it. If you DO have it, check that you comply with your obligations, particularly around awareness training, email configuration, backups and access management.
Cybercrime is an ever-evolving industry and, unfortunately, criminals invest far more time and money in new techniques, training and tools than businesses spend on defence.
“I have been in this industry a long time and even I am getting alarmed with the level of activity and success by criminals over the past months. If you have read this far, take preventative action rather than responsive action,” said Jason.
Given that some of this data, like passport or licence information, is valid for up to 10 years, the impacts of this reported breach are going to be around for a very long time.
If you need any advice, a second opinion, or a Risk Assessment, don’t hesitate to contact HotlineIT directly.
M: 0448 222 090