The Optus Breach

Actionable Advice

On Thursday Australia’s second-largest telecoms company, Optus, announced it had suffered a major data breach that had compromised sensitive customer information.

Updated 2022-09-27 11:20 AM: To date, records of 10,200 individuals have been published online (the 10,000 records today and 200 records published earlier). While the purported attackers have since apparently promised that they have deleted their only copy of the data and will not release any further data online, there is no evidence yet to prove this claim (and indeed it is almost impossible to prove). I recommend that affected customers still take precautions to protect themselves. See below.

Updated 2022-09-29 1:33 PM: Optus’ notification emails to customers, telling you that your data has been exposed in the breach, come in various forms. My notification email explicitly mentions that identity document information has been compromised. However, other customers report receiving emails explicitly saying the opposite: “No ID document numbers or details have been affected.” My advice, after some analysis with a colleague, is to trust this assessment. (Specifically, from our investigation using the steps mentioned below to check what data Optus has retained about you, it seems that people who receive the second kind of email are those for whom Optus didn’t retain ID document information.) If Optus is telling you no ID document numbers or details have been affected, I would not yet be going out and changing my drivers license, etc.

I’ve been an Optus customer on-and-off since purchasing my first mobile plan sometime in the early 2000s. By Friday evening I’d been notified that my data had indeed been exposed in this breach. If you’re in a similar position and have been searching for concrete detail and actionable advice, this post is for you. I’ll aim to keep it updated as more information comes to light.

I’ll be covering what we know so far about what data was exposed and how the breach occurred, and what useful steps ordinary consumers can take who have been impacted. This post is in response to my own disappointment with the quality of communications from Optus itself, and the generality of much of the advice offered in the media to date. Hopefully this post raises the bar somewhat.

Updated 2022-10-01 1:58 PM: Also check out the excellent information page on Whirlpool, which I linked to below last Monday, but is probably worth highlighting at the top here.

What data was exposed and how?

Optus’ own communication to me states that

The information which has been exposed is your name, date of birth, email, and the number of the ID document you provided such as drivers license or passport number. No copies of photo IDs have been affected.

Updated 2022-09-26 4:07 PM: Some media are also reporting that for some customers street address details might also have been exposed.

Updated 2022-09-27 10:39 AM: Today a sample of the data containing 10,000 records was released online. That sample appears to contain Medicare card numbers. So for some customers it seems that Medicare card details might also have been exposed. I’m told that this sample contains records with both Medicare card details and drivers license details for some individuals, which is especially concerning given that a drivers license and a Medicare card together constitute the all-important 100 points of ID.

Updated 2022-10-01 1:30 PM: Optus’ own page describing what identity document numbers were exposed unfortunately makes no mention of the fact that expiration dates were also apparently compromised. Specifically, users report that the validityEnd field in the exposed data encodes the expiration date of their document via UNIX epoch format (however, note that according to many reports it is not always accurate). There are other fields also reported in the data including jurisdictionType, whose purpose I’m told is specific to the card type. Therefore, it is safest to assume that all data on the card has been compromised, except photo, signature, etc.

Some excellent investigation by information security journalist Jeremy Kirk (of whom I’ve been a fan ever since he wrote an excellent story about my research in 2017) suggests that the data was obtained through an unauthenticated REST API endpoint at api.www.optus.com.au, which has since been shut down. Essentially this allowed anyone to send a request asking the server “please give me the contact details for Optus customer with contactid=XXXXX”. By repeatedly asking with different XXXXX values for the contactid the attacker was able to enumerate 11.2 million Optus customers and their personal information which the server duly returned.

Allowing this data to be requested via an unauthenticated endpoint is inexcusable. If the linked reports above are accurate, this is an incredibly basic security error that was exploited: the server should have required requests to be authenticated (e.g. by a username and password or other means) and then it should have only returned data pertinent to the authenticated user. For instance, I as a user should only be able to ask for my own personal information and to do so I should have to first authenticate by logging in. Worse was allowing any and all customers to be enumerated: when your kid repeatedly enters the wrong access code to your iPhone there is a reason it locks for a few minutes before allowing you to try again, to make it difficult for an attacker to enumerate all possible access codes. However, perhaps worst of all was the original sin of choosing to retain sensitive information like drivers license and passport numbers (on a public-facing server) at all.
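To make the two failings above concrete, here is an added example (my own illustration, not Optus code; all records, tokens, field names and log lines are constructed) that puts an unauthenticated lookup-by-id handler beside a hardened one, and adds the kind of log check that would have flagged an id-space walk:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (not real data); field names echo those the
# post reports seeing in the JSON responses.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "email": "a@example.invalid",
           "documentType": "DRIVERS_LICENCE", "documentNumber": "DL-SAMPLE-1"},
    1002: {"name": "B. Example", "email": "b@example.invalid",
           "documentType": "PASSPORT", "documentNumber": "PP-SAMPLE-2"},
}
# Constructed session store: bearer token -> contactId the login was for.
SESSIONS: Dict[str, int] = {"tok-for-1001": 1001}

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def vulnerable_lookup(contact_id: int) -> Response:
    """The pattern the post describes: no caller identity is checked, so any
    contactId yields that customer's full record, document number included."""
    rec = CUSTOMERS.get(contact_id)
    return Response(200, dict(rec)) if rec else Response(404)

FAILED: Dict[int, int] = defaultdict(int)   # foreign-id lookups per session owner
MAX_FAILED = 5                               # throttle the session after this many

def public_view(rec: dict) -> dict:
    """Strip the document number; if a hint is needed, expose only a suffix."""
    out = {k: v for k, v in rec.items() if k != "documentNumber"}
    out["documentNumberSuffix"] = rec["documentNumber"][-2:]
    return out

def hardened_lookup(session_token: Optional[str], contact_id: int) -> Response:
    """Authenticate first, then bind the id to the caller, then throttle."""
    owner = SESSIONS.get(session_token or "")
    if owner is None:
        return Response(401)            # not logged in: no data at all
    if FAILED[owner] >= MAX_FAILED:
        return Response(429)            # too many foreign ids: slow the caller
    if contact_id != owner:
        FAILED[owner] += 1
        return Response(404)            # same answer as "no such id"
    return Response(200, public_view(CUSTOMERS[owner]))

def enumeration_suspects(log_lines: List[str], run_len: int = 4) -> List[str]:
    """Flag source IPs whose requested contactIds form a consecutive run,
    the signature of someone walking the id space. Log format is constructed:
    '<ip> GET /contact-person/<id>'."""
    ids_by_ip: Dict[str, List[int]] = defaultdict(list)
    for line in log_lines:
        ip, _, path = line.split()
        ids_by_ip[ip].append(int(path.rsplit("/", 1)[1]))
    suspects = []
    for ip, ids in ids_by_ip.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_len:
                suspects.append(ip)
                break
    return sorted(suspects)

SAMPLE_LOG = [  # constructed access log: one client walking ids, one normal
    "203.0.113.9 GET /contact-person/1001",
    "203.0.113.9 GET /contact-person/1002",
    "203.0.113.9 GET /contact-person/1003",
    "203.0.113.9 GET /contact-person/1004",
    "198.51.100.7 GET /contact-person/1001",
]

if __name__ == "__main__":
    print(vulnerable_lookup(1002))                  # leaks B's passport number
    print(hardened_lookup(None, 1002))              # 401
    print(hardened_lookup("tok-for-1001", 1002))    # 404, and counted
    print(hardened_lookup("tok-for-1001", 1001))    # 200, number stripped
    print(enumeration_suspects(SAMPLE_LOG))         # ['203.0.113.9']
```

The hardened handler answers a foreign id exactly as it answers a non-existent one, so a logged-in caller learns nothing about which ids exist, and the log check is the server-side complement of the iPhone lock-out analogy above.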

That said, Optus is hardly a lone sinner. Every major company that collects personal information (which is all of them) has undoubtedly deployed systems with similar weaknesses and has surely suffered its own share of data breaches. What makes this breach interesting is that it appears to impact around 40% of the Australian population and includes uncommon information, notably drivers license and passport numbers.

So what can customers do?

Updated 2022-09-29 3:35 PM: Besides the options below, people might also take a look at a guide that appeared in The Conversation earlier this week (but that I’ve only just come across).

When thinking about what you as a customer can and should do to help protect yourself, it helps to understand what attackers might do with the stolen data. The primary risk with this kind of data is identity theft and fraud. An attacker who knows your full name, date of birth and drivers license number can reliably impersonate you to some (but not all) businesses and organisations.

Common advice includes resetting your passwords to valuable online accounts like online banking. That might be helpful in some cases but does not prevent an attacker from using the stolen information to impersonate you, allowing them to take control of your existing accounts or to create new ones in your name. The most common scenario I can imagine here is an attacker who phones up your bank and uses the stolen information to convince the operator that they are you, and then takes over your bank account or steals your money by having it transferred out, etc.

Increased authentication for financially sensitive accounts accessed over the phone, and for your mobile phone account

To guard against this kind of threat, rather than changing your online banking password, you are much better off phoning up your bank and asking them whether they can put in place additional verification steps on your account, because (as a result of the Optus breach, being an Optus customer) you believe you are at risk of identity theft and fraud.

Bank Account and similar

In the case of my own bank I did exactly this. In response my bank has added an additional security question that they will now ask me each time I phone them up. Importantly, I was able to write the security question, meaning I could choose something that was both known to only very few people and—just as importantly—something I wouldn’t forget. Inside jokes are my preferred fodder for this kind of thing, as they tend to be both secret and memorable. (My bank also offered to set an additional password but I knew I would be unlikely to remember such a thing, given that I phone my bank about once a year. If your bank offers a similar choice, do choose carefully.)

I must now also authenticate by providing a one-time code sent via SMS to my mobile number each time I phone the bank, as an additional authentication factor.

SMS two-factor authentication is far from perfect, but these two additional verification steps have increased my confidence that somebody in possession of the Optus data would have little additional advantage, over somebody without that data, in trying to take over my account. I am also considering additional measures like placing any cash reserves into term deposit accounts to make them more difficult to access on-demand.

I have not yet spoken to other organisations to see whether they offer similar protection (mostly because I spent today with my kids at the Royal Melbourne Show), but other organisations that come to mind with whom it is probably worth asking include Centrelink, your superannuation provider, perhaps share registry sites, and others that control your financial assets.

Updated 2022-09-30 12:54 AM: It’s also a good idea to do this for your mobile phone carrier as well. This will help to guard against someone taking control of your mobile phone number.

Specifically, it guards against an attacker calling up your mobile phone carrier and pretending to be you, telling the carrier that “you” (i.e. they) have a new SIM card and need to move your mobile number to that new SIM (thereby giving control of your mobile number to the attacker, allowing them to receive your calls and texts, including those used for two-factor authentication). It won’t guard against someone trying to take control of your mobile number by porting it to a different carrier, but as Jay from Telstra kindly pointed out Australian carriers already check that when someone requests a number to be ported from one carrier to another, that that person actually already has control of the number being ported (via an SMS code).

Mobile Phone account

Updated 2022-09-30 11:10 AM: Jeffrey L. Foster (who co-wrote the piece in The Conversation linked above) kindly provided links to guides for the three largest carriers in Australia:

Jen Williams (who also authored The Conversation piece above) reminds me that unfortunately this extra form of protection on your mobile phone account is not enabled by default and you must opt-in manually (see the guides above).

Changing your drivers license or passport number, or Medicare card number

Getting a new drivers license or passport is also something to consider doing. Frustratingly, Optus could tell each customer exactly which piece of data has been compromised (e.g. “it was your passport number ending in XYZ”), allowing customers to decide whether they should try to have their compromised documents reissued. For instance, if the passport Optus had on file for you is 10 years out of date, it is less likely to be valuable and in any case is already invalid. However, at present Optus has left its customers to guess for themselves exactly which pieces of their sensitive information it allowed to be compromised. In my case I am pretty sure I know exactly which of my current document numbers has been compromised but I am not certain.

Updated 2022-09-26 12:18 PM: Twitter user @DownUnder_Dude helpfully pointed me to a wonderful FAQ by @ausnotes on Whirlpool that explains how you can check exactly what data of yours might have been leaked. First log-in here: https://www.optus.com.au/ and then once logged-in, visit this link and you should see a JSON encoded response that contains your personal information. Check in particular the indentType [sic] field, which should tell you what kind of document has been exposed; and the indentValue [again, sic—who wrote this data schema?] which in my case tells me exactly which document I should get re-issued.

Updated 2022-10-01 1:42 PM: Users were reporting as of September 30 that this data now appears to have been sanitised somewhat. In particular, indentType and indentValue are now both XXXXXXX. Indeed having checked again that is now the case for me as well. I can understand why Optus has done this; however it does mean this route can no longer be used to work out exactly which of your documents might have been compromised. Information returned by the next step below has also been sanitised. In particular, documentType, documentNumber, jurisdictionType, issuingJurisdictionName, and lastUpdateDate are all sanitised on my record at the time of writing.

Updated 2022-09-26 4:05 PM: If you don’t mind jumping through a few hoops, you can also confirm what street address details might have been exposed. To do that, first write down the numeric contactId value from the JSON response you got above. Then take the following URL https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/{contactId}?lo=en_US&sc=SS and copy and paste it into the address bar of your browser. Manually replace the part that says {contactId} with the numeric value you wrote down. It should return yet another JSON encoded response that includes street address information. This response for me also included the ID document information in the documentType and documentNumber fields, plus (worryingly) information that would seem to pertain to the expiration date of the document.

Updated 2022-09-27 6:59 AM: Some users are reporting that they can access their own drivers license number and expiration date through these web APIs, but Optus is advising those users unequivocally that none of their license information was exposed during the data breach. This is certainly possible.

In any case, something to consider is whether you can get a new drivers license or passport issued with a different number. Doing so would mean that, at least for organisations that carefully check the validity of drivers licenses and passports, an attacker would have a harder time impersonating you using the stolen data.

Drivers licenses

Updated 2022-09-27 11:04 PM: Initially, it appeared as if obtaining a new drivers license might be difficult, especially in some states like Victoria or Queensland. However today reports emerged that states will be assisting people to obtain new drivers licenses who have been impacted by this breach. We will have to wait and see exactly what that looks like but reports today suggest that Optus will be bearing much of the cost here.

Updated 2022-10-01 1:53 PM: An ABC news story by Danielle Maguire from yesterday breaks down the process for replacing your drivers licence in each state. It may be more accurate than the information below, which was from a few days earlier.

How to get a new drivers license depends on which state you are in. From what I understand:

  • Victoria: VicRoads is still developing its process here. For now, you should be able to proactively flag your license to help prevent certain kinds of fraud in future
  • NSW: online (see also ServiceNSW’s FAQ)
  • QLD, TAS and SA: attend a service centre. Both QLD and SA have said they will waive the usual replacement fee
  • WA: details forthcoming. Updated 2022-09-28 3:48 PM: Media reports that WA is working on a new system to allow issuing new drivers license numbers to affected customers. Hopefully we will know more soon.

For drivers licenses, it seems the situation depends on in which state you live. For instance in New South Wales it seems it is possible if the security of your license has been compromised, but you need to “report the incident to police and obtain a police event number or a ReportCyber Receipt (CIRS) number”. It is unclear to me whether police would issue a police report number. Presumably Optus has already obtained a CIRS number for the breach, but if they have made it public I certainly haven’t seen it. Long-story-short: in NSW this might be possible but it is far from clear.

Updated 2022-09-26 12:20 PM: Shara Evans kindly informed me that as of 2019 it was not possible to have a drivers license reissued in NSW in response to identity theft without a court order. So YMMV.

In my own state of Victoria it seems it is not possible to obtain a new drivers license number due to the Optus breach. Infuriatingly (caps in the original, to add insult to injury):

If you’ve been notified by an organisation that a data breach may have exposed your licence details, but no fraud has taken place, VicRoads will NOT be able to change a driver licence number.

It remains to be seen whether the Optus breach will cause VicRoads to revise this policy.

Updated 2022-09-26 2:30 PM: Rose Roberts tells me that in Queensland the situation is similar to Victoria: unless fraud has occurred you cannot get a new drivers license number.

I’ve not yet looked into other states.

Passports

Updated 2022-09-30 12:58 PM: In breaking news Optus has agreed to cover costs for passport replacements for “affected customers”. We’ll see how that is reflected on DFAT’s website, which was previously updated earlier this week to remove its earlier guidance on passport replacement, as noted below. Therefore I’ve decided to strike out the prior discussion below, for now. It seems we’ll have to wait for further details on how passport renewals will work for customers whose passport numbers have been exposed in this breach.

Updated 2022-09-30 12:21 AM: For some reason, DFAT seems to have taken down all of the useful information on how to change your passport in response to the Optus breach. The information (as of 2022-09-26) can still be accessed here (via the web.archive.org cache). I have no idea whether that information is still reliable though. Quite possibly not, since it has been taken down. The updated page says nothing at all about replacing passports as a precautionary measure. Therefore I have decided to strike out the original advice below, about how to replace your passport, until I can confirm more.

For passports, the situation is more straightforward: you can apply to renew your passport in the usual way, but you wear the cost (at least the Australian Government is not offering to cover it at this stage).

Updated 2022-09-29 6:31 AM: Recent media reports suggest that the government wants Optus to cover the costs of passport replacements.

Updated 2022-09-27 7:07 AM: The media is currently reporting that wait times to get a new passport are up to 3 months and are set to get longer. Keep that in mind if you decide to renew your passport.

Medicare Cards

Updated 2022-09-29 6:11 AM: Alwen Tiu pointed me to the wonderful IDCare guide on how to change your Medicare card. This confirms that you should not use the myGov portal nor the ServicesAustralia Scams and Identity Theft Help Desk, as otherwise you won’t get a new Medicare number at all — only one digit will change and so you’ll be left with a new Medicare card with a number that is trivial to guess (as discussed below, the new expiry date won’t provide much additional protection either). Therefore the process currently recommended by ServicesAustralia to those of us affected by the Optus breach to get a new Medicare card is not the one you should follow. I hope ServicesAustralia will update their guidance to Optus customers.

Instead, to get a new Medicare card with a new number, you have to fill-in a form to request to transfer everyone on your current Medicare card to another. Check out the detailed instructions from IDCare for more info.

Updated 2022-10-02 2:40 PM: Thank you to David Lacey and team at IDCare who, after I reached out to him directly, updated their guidance on how Optus breach victims can replace their Medicare cards to note the more secure route of requesting an entirely new card, in addition to the advice from ServicesAustralia.

Updated 2022-10-01 1:23 PM: Unfortunately, IDCare’s own page of advice for Optus data breach victims is linking to the “insecure” advice being provided by ServicesAustralia. (That despite its fact sheet linked to above contradicting that advice.) I have reached out to IDCare to enquire about this and will update this post once I hear from them.

For those whose Medicare card details have been exposed, Geoff Purchase informs me that you can get a new Medicare card number by reporting your Medicare card as stolen. More information about the official process is here on the ServicesAustralia site.

Updated 2022-09-28 4:00 PM: It appears you’ll get a new Medicare card with a number that will be identical to your current number except the last digit will change. In fact, according to Liam Transmasqueline, it appears that the digit just increments, meaning that new card numbers may be trivial to guess. The new card will also have different validity information which will provide some additional protection. However, it is likely that everyone will choose to quickly replace their Medicare card. Given today is September 28, we can expect most cards to be replaced in October. So the validity information also looks potentially guessable. I have no strong conclusions to draw at this stage. Čäìł Ÿøûñg tells me that one option might therefore be to cancel your existing card altogether and request a new one.

Identity Theft Monitoring and Insurance

A final option I have looked into so far is identity theft monitoring and insurance services. In Australia commercial options include Norton Identity Advisor and Equifax Identity Protect.

These services include things like monitoring the so-called “dark” web for cases in which your personal information shows up, though as far as we know the Optus data already appears to be for sale so that point is somewhat moot. Perhaps more useful might be various insurance policies offered to mitigate the risks of identity fraud and theft. It is not yet clear to me how effective these services are likely to be. The Norton service appears to be an offshoot of its LifeLock service in the US. Unfortunately, while US LifeLock offers a beefy insurance policy including covering losses up to $1M USD as a result of identity theft, the Australian policy (much like the prize winnings on Aussie incarnations of US reality TV shows) is far more meagre, covering only certain kinds of losses on the order of tens of thousands of dollars.

It is also unclear to me whether the “dark” web monitoring and notification services that these companies offer are likely to be much better than free services like Troy Hunt’s HaveIBeenPwned. Indeed, Norton is currently offering a 30-day free trial of its Identity Advisor Service, which I signed up for today. It immediately told me my email address had been exposed in a breach that HaveIBeenPwned had already notified me of back in January this year. That said, if you are happy to trust Norton with your drivers license or passport number, or other sensitive information like your mother’s maiden name, bank account or credit card details, etc., its service can also notify you in the event that such information is found to have been posted online (which HaveIBeenPwned cannot). Whether you should entrust this information to Norton is certainly far from clear. In my own 30-day trial I am yet to provide Norton with anything other than email addresses to monitor for: once bitten, twice shy, after all.

Indeed, if you sign-up to Equifax’s online monitoring service you might certainly think twice about how much of your personal information to hand over, given Equifax’s history which includes the infamous 2017 data breach that exposed sensitive information of around 150 million Americans.

Credit Agency Reports and Bans

Credit Reports

One of two final steps I am considering (and one advised by not-for-profit identity and cyber support service IDCare) is to request regular credit reports from the three large credit bureaus in Australia: Equifax, illion and Experian. The reason this could be useful is to help you work out if someone has tried to apply for credit in your name (e.g. perhaps by using the stolen Optus data to impersonate you). IDCare has more information and helpful links for how to do this, but it seems you need to do it separately for all three agencies.

Updated 2022-10-01 1:57 PM: See also this page on the OAIC web site.

Credit Bans

The final step worth considering is putting in place a credit ban across the three credit bureaus. A ban prevents the credit bureaus from disclosing information on your credit file to credit providers without your written consent, making it much harder for anyone (including you) to obtain credit. However, this looks like a short-term measure: credit bans last 21 days. They can be extended but doing so requires (much like changing your drivers license number in NSW) a police report number or a ReportCyber CIRS number.

In contrast to credit reports, it seems a single application to one of the agencies is sufficient to put in place a ban with all of them. As above IDCare has the details.

Updated 2022-09-26 3:27 PM: CreditSavvy

Multiple people have also pointed me to CreditSavvy’s SavvyShield product, which offers real-time credit reporting and the ability to set up credit bans with the three credit agencies.

CreditSavvy is a free app, and its parent company is a subsidiary of Commonwealth Bank Australia. I am led to believe it makes its money by on-selling credit. As I understand it they are essentially an intermediary for Experian. I have not (yet) signed up to their service. However, my understanding is that by signing up with them you might obtain real-time notifications when someone applies for credit in your name, for free. The downside is of course having to entrust yet another organisation (and its partners, like the ones it uses to authenticate the identity information you provide to it) with your sensitive information. It is not at all obvious to me whether CreditSavvy would protect your data any better or worse than Experian, Equifax, illion, or Optus itself. Nor whether, being a subsidiary of CBA, it inherits CBA’s security expertise.

CreditSavvy’s privacy policy states that they will keep your information while you continue to use their service and they will keep your information for up to 30 days after you terminate or cancel your subscription. This information could include not only identifying information but also presumably the information on your credit record from Experian. After this time, they may retain de-identified copies of your data (itself a risk), plus copies in database backups.

The cost-benefit trade-off of using CreditSavvy is relatively unclear to me at this moment in time. But it is certainly another option to consider.

Final Thoughts

This breach is infuriating, much like Optus’ response to-date. Hopefully Optus will prove more forthcoming in the days ahead.

It is common practice in the US for firms to offer free identity theft protection services to customers affected by data breaches (indeed, some states require firms to do so by law). Optus could buy back some of the goodwill and faith it has lost with its customers by following suit.

Updated 2022-09-26 8:00 PM: Within minutes of being called out in Parliament today by Minister for Home Affairs and Minister for Cyber Security Clare O’Neil, Optus announced it would be offering credit monitoring to affected customers. There is some doubt about exactly which customers these are at this stage. The Guardian reports “all affected customers” while other outlets are reporting only the “most affected” customers. This is still welcome news. My understanding is that Optus is pledging to provide customers with a 12-month subscription to Equifax’s service. At current pricing the most expensive of these services is priced at $14.99 AUD per month, which is two dollars cheaper than the Standard Netflix plan. We’ll have to wait for further details to understand exactly which customers will get the offer and how they can take it up.

In the meantime, I hope others will find the information above useful. Please reach out to me with your own suggestions. I would love to incorporate extra suggestions into this post.