103 comments

[ 5.0 ms ] story [ 176 ms ] thread
For those not aware this is about 35% of the population of Australia which is around 26 million.
That sounds ambiguous. To clarify: It is 35% of 26 million.
(comment deleted)
i wonder if passwords really haven’t been affected or if they’re just hashed so they think they can get away with saying that
> Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers. Payment detail and account passwords have not been compromised.

Geez, ID document numbers is such a big thing. Now hackers can basically call most institution and impersonate victims. this is quite huge

It shows why we need to rapidly embrace the idea that knowledge of an ID document number and its associated personal details is insufficient proof of identity.
this brings up a very important question - how does one verify one's identity with a business? Esp. online, without having to meet in person at some sort of branch/store?
Why the hell were they storing it? just delete it after marking the account as verified.
Even if it needs to be verified afterwards, the numbers could be bcrypted with high enough iteration count to make them impossible to brute force but easy to verify every few years if necessary... Say 10sec per id?
isnt that like half the population??
About 40% (Australia's pop. is ~25M). It is, however, close to 50% of Australia's adult population (~20M). What a mess.
"Payment detail and account passwords have not been compromised."

No, just your identity is. If you're Australian, you or someone you know will be in this. What a total fuck up.

And why, oh why, are past customers in there. I'm a current one, but even 'not being with them' doesn't necessarily exclude you from this.
FYI optics is Australia's second largest telecommunications provider. This would be the worst known databreach in Australian history.

It is interesting that compared to identity theft announcements from many US corporations they are direct, apologize and state the authorities they are working with. I imagine there's less fear of the legal consequences of not having a tight response as the culture isn't as litigious.

The recent update to Cyber Security legislation in Australia specifically states that any major breach must be reported to the Australian Cyber Security Centre within 24 hours of becoming aware of it. "MAJOR" being subjective, but this easily qualifies.

There are significant penalties for not disclosing within this time period, which is why I think we are seeing this reported before Optus has a clearer plan of how to deal with it.

As a customer of Optus and cyber security trained professional, I'm very frustrated, to say the least.

Thank for that extra info on the obligatory reporting. Good for consumers to know now. I feel like this report could take months to come out in the US.
A mobile company that wants so much of their users ID info. Is it really necessary for them to get all that user info?
Good question. I think the idea is you can’t have a burner phone. Well you can…for example use a foreign sim card of a less fussy telco. But in general this makes it harder to have a burner. Once we get to a point where telcos are not needed to make calls (that amazon wifi mesh for example) maybe we can do away with this need for ID anyway because it is futile.
Calls yes, but making calls is not what’s regulated in Australia. The ACMA regulates the assignment of Numbers in Australia, so make calls to your hearts content but if you want to be addressable by a e164 or IP number, prepare your documents.
My point is in rural locations not at home you need a phone number to connect to 5G (or lesser G) for the data to make a non phone call.
Yes it's legally required for them to properly verify your identity both for credit reasons (on a postpaid plan) and simply to identify who owns what phone number s
Yes. You need to provide legal id to get a phone number in Australia. This is handled by the phone companies themselves. But this is probably a good reason to not let them do it themselves.
This doesn't even seem to include the traffic retention data that must be kept in Australia. That's an accident waiting to happen.
Probably not. As others have said, some of it is more or less legally required. What I don't understand is why they need to (or should be allowed to) retain that data in perpetuity.
> What I don't understand is why they need to (or should be allowed to) retain that data in perpetuity.

Probably because there is no law saying you need to delete the data in X days.

They can verify the identity using a service - there is no need to keep actual documents after the fact.
This is bad. Australia isn't know for it's strong privacy laws anyway, but with the kind of data that's now available out there, ID theft is going to be a huge risk for almost half the country. Even if Optus gets sued, how the hell are people supposed to protect themselves?
I’ve seen Optus “computer security” in action. I use quotes for a reason.

There was a court-enforced order requiring them to apply security updates to their production systems. That was in response to a previous breach.

You see, until a judge made them do it… they weren’t patching anything. They would just build systems and walk away. For some software systems they had every major and minor version deployed, like a museum of software history.

They had operating system versions in production that were in my university text books… in the late 1990s.

Their interpretation of the court order was to update only production systems. Non-production on the same network was not to be touched.

And by “update” they meant simply running the system update tool, which does precisely nothing on software that has passed its end-of-extended-support before some of the IT staff on the payroll were born.

They also fired their entire IT staff recently and replaced them with a low-cost Indian outsourcer.

Most of the above is a matter of public record. I wish I could tell you all about things that are still under NDA.

You can tell how broken their tech is when you try and use the website. Half the pages just fail to load. I don't mean time out, I mean, they think they are finished loading but most of the page is missing.
Don’t confuse the failings of their consumer-facing systems with the madness behind that facade.

The equivalent of what I was describing in terms of a web experience would be having to use a dialup modem to sign up for an account via Netscape Navigator 4. With a login secured using SSL… version 1.0.

I wish I was exaggerating, but their systems literally date back to that era and have comparable limitations in terms of supported network protocols.

Hahaha holy shit is GSMIS still running? In all it’s TUI glory?

When I left, the mobile division had its customers split between three different systems; GSMIS, Focus and Arbor. The poor customer service reps would have no idea which one any given user was in when the phone rang. The only way to figure it out was to ask the person for their phone number, then type that number into each backend and see which one returned a result.

Telstra's got something similar going on with their management systems - three platforms and two incomplete migrations in progress for seemingly the last eternity.
I tried to sign up for Optus in around 2007? They had this contract system you agreed to over the phone . I spent ages saying “yes” in different ways because it couldn’t pick up my kiwi accent. Eventually I managed to agree and got the worst internet experience ever. Moved to TPG after the contract finished.
from the twitter link ..."The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use. The API endpoint was api[dot]http://optus.com.au. Yes, that looks weird, but the hacker says it worked otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data."
(comment deleted)
(comment deleted)
Today is a one-off national public holiday in Australia to mourn the loss of the Queen. I'd be curious to know when this attack started and whether it coincided with the public holiday by chance or by choice.
I don't know when it actually occurred, but usually this sort of announcement comes long after the incident. The announcement occurring on a holiday afternoon seems a little convenient.

That said, Optus knows they don't get in any real trouble for this sort of thing so they can only benefit from appearing to respond rapidly and transparently. (Which is a better PR move than being proactive)

New laws make it mandatory to report this major type of breach in Australia to the Australian Cyber Security Centre within 24 hours. They had no choice, or risk having the full weight of the government come at them for trying to cover it up.
> Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers

Okay so this was half the country.

I cant honestly understand how anyone thinks KYC laws make sense if anyone can make a bank account as anyone else, and it all looks like legitimate money or the human is getting framed while the criminal just rotates IDs.

You can't make an account with the number or a scan of an ID document (at least here in the EU, but i doubt it'd be much different down under). The real thing is required, or in the case of neobanks, multiple photos at specific angles + selfie from their app.
all it takes is a single institution that subverts that.

regarding angles and selfies, most of those just require you to go through the motions not for it to be accurate or withstand [human] scrutiny.

All it takes to register a new number here, are your details including name, DoB, physical address (all the complete ones leaked), the type of ID used (passport, drivers license) and the number on that ID. You can do it in about 5 minutes online, and the number is then active (but not before).

Not even a copy of the document is required, and it doesn't have to be sighted by anyone. From memory, you don't even have to supply the expiry date on the document (and driver's license numbers remain static).

One of the first things I see happening, is criminals using this to obtain burner numbers not traceable to them.

> driver's licence or passport numbers

They are required to verify that information.

They shouldn't have been storing that though.

Should only have existed for the period of the verification request on signup - a single form post.

How could Dan Andrews let this happen? /s
for those not in australia: this is pretty funny
and for those in australia: yeah, nah. not that funny. :-)
Ironically #Gladys is currently trending on twitter due to a similar question from people.
Nah this is why:

https://www.optus.com.au/about/media-centre/media-releases/2...

> Optus appoints Gladys Berejiklian to its Executive Team in a new role as Managing Director, Enterprise, Business and Institutional

“Optus has set its vision to become Australia’s most loved everyday brand with lasting customer relationships by redefining what customers should expect from their communication provider through our relentless pursuit of best-in-class service, greater innovation, better value and connectivity for all Australians.”

Thsts... amusing.

and the meaning of the phrase cyberattack is further diminished
It's long past time for countries to embrace the digital id the way Estonia (and a few others) have.

For comparison, visit https://www.telia.ee/en and you're prompted for your smart card or associated Smart ID (which is mobile app you can bootstrap from your smart card).

No more need to do a 100 point check (and then hold that information indefinitely), it's been done.

Even if you don't like the Estonian system it's high time to get serious about digital identity and stop pretending that knowing your DoB etc (or social security number in US) is a secure mechanism of proving identity.

Aside: Highly recommend Estonia's e-residency program. Great place to run a company. Future focused.

I'm an Australian living in Sweden who loves BankID but I don't trust the Aus Govt to provide a similar service.
I hear this often, and as an Aussie techie it's such a shame. Whether or not it's true, it almost certainly means we'll never try. How do we get past this?
Personally, it would take strong legislation preventing any variation of law enforcement having any access to any of the data, even that of convicted criminals, to make me comfortable to provide mine into the system. Perhaps even constitutional change prohibiting it. Currently, home affairs could feasibly access any data in just about anything the government does with barely a sign-off which I’m not comfortable with.

Our laws protecting us from the government are way too weak for systems like this to take off. Also we keep hiring contractors who do a fairly poor job building the things in the first place.

> Our laws protecting us from the government are way too weak for systems like this to take off.

Indeed. Remember when the police got into the contact tracing apps?

> Whether or not it's true,

Australia could not even design a proper national broadband network.

I mean the incompetence is only a tiny part of why I feel this way - with how much they improperly use the data they already have on us I'd rather not let them record every login I perform etc.
OP here.

Some more information here (not my preferred source, but oh well): https://www.news.com.au/technology/online/hacking/up-to-9-mi...

It seems around 2.8m have had 'all' data stolen (including ID, address, etc), and around 7m 'just' names, DoB and numbers/e-mail addresses.

Apparently Optus is working on sending personalised details to customers.

What a monumental stuff up.

Myself included. All data listed, though they couldn't specify if it was my passport or driver's license number. I haven't been a customer with them for over 5 years.
Glad I dumped them 2 years ago. I hated their imposed "non direct debit fee" if you elected to pay manually instead of direct debit.

I hated their mandatory text messages that couldn't be blocked, such as upcoming bill reminders. Spam my email as much as you want, but stay out of my text messages!

Former customers are also included in the breach, just in case you thought you were safe not being a customer anymore.
I doubt from 2 years ago. They probably said that to cover those who recently left. I guess we'll see. Not sure if they are notifying people or there's any way to check?
Based on one newer article I've seen, leaked data dates back to 2017, so...

No idea how accurate this is just yet though.

They claim to have started notifying people today (Saturday), with customers with most amount of info leaked being prioritised. Supposedly if you've had ID information stolen, you'll know today. Fingers crossed.

Yep, my details were part of the breach unfortunately. I hate Optus now more than ever.

I left them 2 years ago but they keep my details in a database accessible to the internet? Why? Details leaked are name, email, phone, DOB, home address, drivers license number.

About 4 years ago I emailed them complaining that their marketing team were using my date of birth to send me "birthday deals" on my birthday. Something I never opted in for. I found it creepy because the only reason they knew my DOB was from a sign-up security verification process. So back then they were sharing security details from customer signups to their marketing team for use in promotional material. No respect or care for user's data.

I wonder if a class action can be brought against Optus.

Ah man, I'm sorry to hear that. No emails here yet, but not to say I'm not in the category one down yet (which is only slightly less bad).

I'm starting to worry about the general public's understanding of the ramifications of this. When it first broke, I was pretty upset, and my partner (well educated, and with me long enough to understand some things about breaches) thought my concerns and anger at optus was excessive. It's only after I explained to her in some detail a few scenarios of what could happen with the information, that she asked questions about what we should be doing.

I think we'll be seeing fallout from this for years to come.

> scenarios of what could happen

What could happen?

In my case the home address is old, not my current one, so I dodged a bullet there. That leaves name, DOB and drivers license number. How can those 3 things alone be used?

Email and phone were taken, but nobody can use those if verification is needed. And I can easily change those details in the various places they are used.

I'm quietly confident that because my home address is my old address, and therefore not associated with my drivers license, I'm in better shape than millions of others in this breach.

I'm still angry about it! The email from Optus was tone deaf. They worded it like they are the victims, downplayed the importance, and even ended with "warm regards".

My main concern is that, with ID, it becomes possible to do a Sim swap or number port, which would be the start of a heap of nightmares. Luckily, buried at the bottom of Optus' announcement, they mention that (for the moment) those can now only be done in person, in-store, with physical ID.

For the other stuff (address, name, DoB)...what are the things nearly everyone asks when you ring to make account changes, to verify you are you..

I'd be careful with the home address too (although you should be ok). I moved around a bit a few years ago, and lost track of where I'd updated my address. It was usually as simple as 'I think my most recent address with you is X, can you please update it to Y', and as long as the other stuff checked out, no questions were asked.

And yeah, I had to laugh about that press release :/

Still no email this side. No news is good news, right?

I wouldn’t normally get angry about something like this but when the CEO talked about how upset she was that there were people out there who would do such harm I almost blew my stack. The level of wilful ignorance to your responsibilities required to feel that statement could be appropriate is astounding.

But most of all, if you’ve worked anywhere even remotely resembling a professional organisation in the last 10 years then it should be obvious just how bad things are inside Optus for this to have even happened. Something is deeply wrong there. This kind of breach should have thousands of things standing in the way of it being possible

In Australia, due to counter terror laws, you can't get a phone sim without providing verifiable government ID. So the consequence of that is that they phone companies have a really large amount of sensitive information. This information loss should be treated like a workplace death. Or a toxic spill. things will only change when a CEO goes to jail for this sort of obvious negligence. It may be harsh, but until there's real consequences, nothing will change.
Optus CEO Kelly Bayer Rosmarin did an interview with ABC today, and said "some of the customer information is information you would find on Facebook or LinkedIn such as name, date of birth, phone number and email address".

Umm...no. Most people do NOT publicise that information to the public.

Agreed. Until a CEO goes to jail for something like this, it'll continue to become a "pay the fine and move on" situation.

Worth keeping in mind that Optus recently hired Gladys Berejiklian, which may say something about the character of the company:

https://finance.yahoo.com/news/optus-appoints-ex-nsw-premier...

For international readers, Gladys Berejiklian was the Premier of the state of New South Wales, and resigned as Premier once it became public that she and her boyfriend were being investigated by the Independent Commission Against Corruption. Optus is the job she accepted while the corruption investigation continued.

https://au.finance.yahoo.com/news/gladys-berejiklian-resigns...

> Optus notifies customers of cyberattack compromising customer information

- the notification being finding a link to their quietly released press release on HN this afternoon? Thanks Optus!

- cyberattack is the word to use to encourage speculation that a nation-state was behind the breach, that there was no way to defend against this and to avoid saying "data breach"

- here "customer information" means current and former Optus customers' personal information

If the executive knew at all about the state of security or the potential risk of breach, then they are culpable and should be personally prosecuted.

The story HAS to be that if you, as an exec in power, know your company has deficient safety protocols regarding its care of toxic material, the breach of which is known to cause serious damage and harms, AND you do nothing: hello personal prosection, reaching right through the corporate veil.

Until we set this kind of legal precedent for the egregious disregard for the integrity of private and personal data, this is just going to keep happening.

Great.

My coworker got hit by massive targeted identity theft which started with their SIM, provided by Optus. The attackers were able to successfully port my coworker’s Optus number and then hacked their Optus email which had everything in it. It took them months to undo the damage, and more trouble was always around the corner usually while they were sleeping or the service being hit didn’t have support staff online. Do Optus even have any security checks at all for preventing fraud?

Lessons: if the service doesn’t support MFA, don’t use it; don’t put all your service eggs in one basket; don’t assume that your phone number is safe, and act accordingly.

Optus needs to pay for this and I don’t just mean dollars. Comfortable people with responsibilities they didn’t failed to keep need to see gaol time, or at the very least lose their jobs and not be allowed to walk back into the revolving door for a long time. This is outrageous.

This just twigged something for me - there is now enough information available to easily do number ports, giving someone else control of the number used for MFA. Anything that relies on your number to verify account actions, transactions, etc is now at risk.
Absolutely, and you can bet this is going to happen once this dataset is sold off.
Luckily (buried at the bottom of their announcement), at least for the moment sim swaps, ports, etc are in-person, in-store with physical ID only.
DOB, name and address are typically enough details to commit severe identity theft, at least back in 2017 when it happened to me in Australia. Someone stole a letter from my insurer in my mailbox and used my name and address to impersonate me and obtain my DOB and email from my insurer. They then used these details to hijack my phone number (SIM porting) and obtain my bank account details. They ended up hacking into my online banking (because my bank used and still uses SMS based OTP, not a device key - St George Bank, I’m looking at you) and tried withdrawing thousands of dollars in cash from an atm using cardless withdrawal. They didn’t succeed because I was overseas at the time and the bank fraud monitoring picked it up on the spot and froze all my cards. Very scary indeed and firm proof that you can do a lot of damage with very little information about someone, at least in Australia.
> used my name and address to impersonate me and obtain my DOB and email from my insurer

Sounds like the biggest fail was your insurer handing over those details based only on your name and address. How did that work? "Hi, I'm Dave Smith from 101 Easy Street South Sydney, can you tell me my DOB and email please?" Why would the insurer give a customer their own personal details? They are supposed to ask the caller to state those details in order to proceed with account access.

The reliance on using OTP by SMS has become worse in that time, if anything. Although these days they prefer to set up a fake Linkt website and phish the OTPs since Facebook leaked everyone’s mobile numbers.