Reported widely in the press this week, both state and national agencies are providing an evolving response to the Optus data breach. Optus customers and former customers who received notification from Optus can find guidance from the OAIC and IDCARE.
Although it is uncertain if all the data was publicly leaked, security specialists advise that those notified should assume their data was compromised and act accordingly.
An immediate response to any compromise to an online account is to change the account’s credentials. Optus customers can use My Account Login – Optus to update the password and username (the account’s log in email address).
In the case of the Optus breach, customer’s sign-up ID numbers (passport, driver’s licence, or Medicare ID) may have been included.
Drivers Licence. VicRoads can assist breach victims that hold a Victorian drivers license to ensure any unauthorized use of their licence number is flagged and to request a licence change https://www.vic.gov.au/victorian-drivers-licence-record-flag-optus-breach.
Medicare ID. Although victim’s Medicare details can’t be accessed with the ID, there are options to replace Medicare Cards to avoid future identity theft. What to do if you’ve been affected by the recent Optus data breach (servicesaustralia.gov.au).
Passport. It is not possible to travel under a victims passport credential but replacements can be requested. Dept of Foreign Affairs and Trade have an info page regarding the breach. Optus Data Breach | Australian Passport Office (passports.gov.au)
Along with those high point value forms of ID, other personal data leaked included name, date of birth, email addresses, postal address, phone numbers. Victims should guard for scammers leveraging the leak to target them further with phishing attempts.
Optus has reaffirmed it will never send hyperlinks through email or SMS notifications, and are currently offering to assist victims with credit monitoring Equifax Protect Eligibility (optus.com.au).
Anyone who thinks they have been impacted by the breach should also report it to the ACSC here: https://www.cyber.gov.au/acsc/report.