On 22 September 2022, Optus notified customers of a cyberattack compromising current and former customers’ information. The data constitutes an almost complete suite of identity information about a significant number of Australians.
Upon discovering this, Optus immediately shut down the attack. Optus is working with the Australian Cyber Security Centre to mitigate any risks to customers. They have also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators. Optus stated that they have notified those affected.
You can refer to the Optus website for more information about this incident.
Why could it happen to any one of us?
The Optus breach is by no means the only occasion where customer data has been accessed and made public. It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm.
How data breaches work
A data breach can be the consequence of an accidental event or an intentional action to steal information from an individual or organization. A cybercriminal may hack the database of a company where you’ve shared your personal information. Or an employee at that company may accidentally expose your information on the Internet. Either way, cybercriminals may access your key personal details and profit from them at your expense.
Loss or Theft
A common form of a security incident is the loss of devices or unauthorized access to credentials, resulting in cybercriminals obtaining confidential information. For example, a lost laptop, mobile phone, or external hard drive that is unlocked or unencrypted can easily lead to information being stolen if it ends up in the wrong hands. Even a locked device could be hacked into by a sophisticated attacker.
Insider Attack
An insider attack is a data breach caused by an employee leaking information to a third party. This individual, known as a malicious insider, will access or steal data with the intent of causing harm to the organization or another individual within the company.
For example, the malicious insider could have access to the company’s financial details or a client list, which they could pass on or sell to a competitor. Alternatively, the malicious insider could access information about high-risk individuals within the organization—or even password details—and sell them to a hacker for a profit.
Targeted Attack
Targeted data breach attacks see a cybercriminal or a group of attackers target specific individuals or organizations to obtain confidential information. Attackers use various methods to gain unauthorized access to corporate networks and systems or to steal user login credentials.
How to protect yourself
Scammers may use your personal information to contact you by phone, text or email. Never click on suspicious links or provide personal or financial information to someone who contacts you out of the blue. The Australian Competition and Consumer Commission (ACCC) Scamwatch is warning customers to proactively take steps to protect their accounts and watch out for scams.
Steps you can take to protect your personal information include:
- Secure your devices and monitor for unusual activity
- Change your online account passwords and enable multi-factor authentication for banking
- Check your accounts for unusual activity such as items you haven’t purchased
- Place limits on your accounts or ask your bank how you can secure your money
- If you suspect fraud, you can request a ban on your credit report
In addition, organisations should review their existing cyber-security protections, policies, and procedures. This includes, but is not limited to:
- Ensuring that your business has a data breach response plan;
- Reviewing and updating your privacy policy;
- Minimising your data collection and retention where possible; and,
- Conducting regular cyber security training and information courses for all staff. Keep in mind that human error plays a significant role in many data breaches.
What should you do in case of a data breach?
Whilst every data breach should be responded to on a case-by-case basis, there are generally four key actions businesses should take in responding to a breach.
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify individuals and the Commissioner if required.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
If you are concerned that your identity has been compromised or you have been a victim of a scam, contact your bank immediately. You can also report scams to Scamwatch and check cyber.gov.au for information about cyber security.