Here’s what we know about the Optus cyber attack, and what you can do to protect your data

At the end of September, Optus announced it’d been the victim of a ‘sophisticated’ cyber-attack targeting customer data as far back as 2017. Here’s what you need to know about the data breach and how to protect your information.

How did Optus get hacked?

A criminal investigation by the Australian Federal Police is currently underway looking into the origins of the Optus cyberattack and the methods used by the hackers. A separate Deloitte investigation has also been commissioned by Optus to discover what happened and why.

The breach has been described as “sophisticated”, employing multiple European IP addresses that kept changing during the hack. Rumoured culprits include cyber criminals or state-sponsored hackers. In early October, one Sydney man was arrested for allegedly using the stolen Optus data in an SMS blackmail scam, though he is not the main suspect behind the initial attack.

Home affairs minister Clare O’Neil, on the other hand, asserts the attack was "basic" and has criticised Optus for leaving its systems vulnerable through an unprotected Application Programming Interface (API), which is a computer program that allows software systems to talk to each other.

In a statement to the ABC, Optus CEO Kelly Bayer Rosmarin responded, "Our data was encrypted, and we have multiple layers of protection."

"We invest heavily in our cyber defences, and we really are doing everything we can to ensure that our environment is secure."

Because Optus is collaborating with the local state and federal police, specific details of the case cannot be disclosed to the public just yet, including how exactly the breach occurred.

When did the Optus attack happen?

The Optus attack was first reported Thursday, 22 September 2022. Optus notified customers within 24 hours.

What personal data was stolen in the Optus breach?

Unfortunately, attackers stole some personal information during the Optus data breach. This includes customers’:

  • Full names.
  • Dates of birth.
  • Phone numbers. 
  • Email addresses.

A smaller group of customers may also have had their home addresses and government ID stolen, such as passports, Medicare, and driver’s licence numbers. Stealing these official identification documents is a massive deal because hackers can pose as you when signing up for loans or other financial services. Identity theft can have severe consequences for your finances and credit score.

According to Optus, the following data has not been compromised:

  • Messages (SMS and MMS).
  • Voice calls.
  • Account billing and payment details.
  • Account passwords.

Mobile and home internet services have also not been affected, says Optus.

Who has been affected by the Optus data breach?

Optus estimates that up to 9.8 million Australians could have their data compromised due to the attack, with 2.8 million severely impacted. Optus has also identified 17,000 valid Medicare numbers in the exposed records (including a further 26,000 expired Medicare numbers) and 10,000 users with highly sensitive personal information like passport numbers exposed.

Optus claims it has now notified the most affected customers of their involvement in the attack, but some less affected customers who only had emails and names leaked may not yet be notified. Customers who are concerned about their data can reach out to the telco safely and directly through the My Optus app.

Optus executives have also warned the attack impacts customers as far back as 2017, so even ex-Optus users should take note. Anecdotally, some customers who left Optus dating back to 2012 claim to have been implicated, though these claims have not been verified.

According to Optus, customers on most Optus MVNOs such as amaysim, Coles Mobile, Dodo Mobile, and Catch Mobile have not been impacted. GOMO customers, on the other hand, may have been affected. Optus will be contacting impacted GOMO users within the coming days.

What should I do about the Optus data breach?

If you are concerned your data has been breached, it’s vital to monitor for suspicious activity on your accounts and report any you see to the relevant provider. Be wary of any spam calls/texts/emails, even on social media, and never click on suspicious links. 

Banks, government bodies, and other institutions make it a policy to never contact you asking for personal information. If you receive suspicious communications, do not hand out your details. You can contact the provider directly to follow up or check the ACCC's Scamwatch to see if similar frauds have occurred.

Optus has explicitly stated it will not be sending links or data requests in official emails about the attack, so if you receive an email from "Optus" with a "click here for more details" button, it's likely not from the telco. Optus will be posting updates on the fallout of the data breach on the Optus Media Hub.

You can get in touch with Optus through the MyOptus app, which the telco claims is the safest way to contact them, or by calling 133 937. Keep in mind wait times may be longer than usual due to the fallout of the attack. 

Take some time to double-check your security, such as changing banking passwords and accounts linked to your mobile plan. Turn on multi-factor authentication. Apps such as Google Authenticator can act as a replacement for your email or phone number if your data has been compromised. If you're eligible, obtain a free credit score check to see if a scammer could be running up debt in your name.

For more resources on protecting your personal information online, check out:

If your identity is stolen, apply for a Commonwealth Victim’s certificate, which can help support you as you re-establish your identity with official institutions.

How can I protect my data on my mobile phone?

Mobile phones are generally pretty hard to hack, especially products that use iOS, like Apple’s iPhone. However, it’s still possible for a virus to infect your phone while browsing, and cybercriminals can hack the account used by mobile apps. 

Enable two-factor authentication on all your accounts, especially mobile banking or money management apps. This helps protect your data since hackers need more than just your password to access your account. You could also download a VPN app to protect your connection while you browse the internet. Additionally, make regular backups of your phone’s data to a secure hard drive.

If you suspect your mobile phone has a virus, do not connect it to any other device and bring it to an authorised repair shop as soon as possible. You may have to perform a factory reset, which is why regular backups are important.

What is Optus doing about the cyber-attack?

Optus is collaborating with the AFP, OAIC, FBI, Deloitte, IDCare, and other industry regulators to investigate the attack and protect against any further data breaches.

The Australian federal government has also announced new regulations for telcos after the cyber attack. This includes opening up legal communication pathways between banks and telcos after hacks, so financial institutions can be informed which mutual customers have had their personal data compromised. This simplifies the process of identifying who's a likely target for scammers and other fraudulent activity.

Optus has temporarily paused its online or over-the-phone SIM swaps and replacements, as well as any change of ownership requests, to stop criminals from taking control of accounts. These processes can be completed in-store instead with the appropriate ID.

Optus has also announced it will provide free one-year Equifax Protect subscriptions to customers most affected by the attack, such as those whose ID numbers were stolen. This service can help affected customers monitor their credit and prevent identity theft.

Eligible customers will be contacted directly via email, SMS, or post by Optus with details on how to sign up to their subscription. Optus will not be sending clickable links or data requests, and customers will only be contacted with details if they've already been notified the data breach involves them.

Is Optus still a good mobile provider?

Optus’s data breach has left many current and former customers fuming. Complaints have been directed against the telco’s inadequate notice to potential victims, lack of practical advice, and emphasis on personal responsibility vs. corporate accountability. 

Ex-customers have been especially vocal about Optus’s absurd data retention since users who ditched as far back as 2017 have been implicated, too.

Current Australian metadata laws require telcos like Optus to retain customer data for up to two years after an account is closed. One insider source told the ABC, “It annoys me that people think Optus and others want this data – it's necessary for metadata laws – we don't.”

“People pretend data is gold — it isn't; it's uranium – super useful if used correctly and incredibly dangerous to just have laying about.”

While the responsibility lies with Optus to protect consumer data, the government must rework personal data laws to keep pace with modern times.

Meanwhile, Optus claims its systems are safe, stable, and ready for continued usage. The carrier won several 2022 Mozo Experts Choice Mobile Plan Awards, including Mobile Plan Provider of the Year 5G for its 5G mobile network.

However, if you’re looking to switch mobile providers, you can check out our best mobile page for other award-winning telcos rated highly by experts and fellow Aussies for excellent service, coverage, and more.

More FAQs about the Optus data breach

Is a data leak serious?

The consequences of a data leak for a company and its customers can be quite severe. Financially, data leaks can cost institutions millions, which goes towards press, tech upgrades, staff, customer support, and more.

For customers, the loss of privacy can be at best an inconvenience, at worst an invasion. They may have to pay for support services or to redo official documents, and must employ extra vigilance against scammers in the wake of the attack.

The effects for everyone involved can be long-lasting, too, so it's vital to seek resources and take proactive steps to protect your accounts and personal information in the wake of a data breach.

Should I change my payment details with Optus?

Optus claims no payment details such as credit card or direct debit numbers were lost in the September 2022 data breach, so there is no need to change the payment details on your Optus account. Instead, banks will be on the lookout for fraudulent activity on customer accounts, and it may be wise to change relevant internet banking passwords and enable multi-factor authentication to keep your bank accounts safe.

Is Optus compensating victims of the data breach?

Optus announced it will be providing free 12-month Equifax Protect subscriptions to the most affected customers whose personal details and ID numbers were stolen during the cyber-attack. Impacted users who have already been notified of their involvement will be sent details shortly via text, email, or post on how to sign up to the one-year service, which will provide access to credit monitoring and identity protection tools. 

Optus claims it will continue to offer advice and support to customers affected by the data leak, which includes customers dating back to 2017. If you are concerned you may have been impacted, contact Optus through the My Optus app or by calling 133 937.

How do I know if I've been affected by the Optus data breach?

Optus estimates up to 9.8 million Australians have been affected by the attack, with 2.8 million seriously impacted (including 17,000 valid and non-expired Medicare numbers). Optus is contacting customers both current and former to inform them if their data has been compromised by the breach.

If you're currently with Optus (or have had a mobile plan with them since 2017) and haven't already been notified via text, email, or post that your data has been stolen, you can reach out to the telco through the My Optus app or by calling 133 937. 

In the meantime, take steps to protect your private accounts, especially with your bank and any utility/service providers. Monitor for suspicious activity and be wary of any spam calls/texts/emails. Never click on a suspicious link and never hand out personal details to a third-party that contacts you out of the blue for them.

What are the signs my phone has been hacked?

The one advantage of using our phones so often is we can usually tell pretty quickly when something is off. Signs your mobile phone may have been hacked can include strange or inappropriate pop-ups, extremely laggy performance, sent calls/texts not made by you, unusually high data usage, finding apps on your home screen you didn't download, and a quickly draining battery.

If you suspect your phone has a virus, do not plug it into another device. Switch it off and take it to an authorised retailer, who may have to perform a factory reset to salvage the device. 

How can I tell if I'm being scammed?

No matter the method or content, most scams have a few red flags in common. These include out-of-the-blue contact, links or downloadable attachments sent without context, scare tactics, urgent or demanding language, spelling mistakes, grainy images, promises of money (that often sound too good to be true), and posing as legitimate businesses or authorities but not providing valid ASIC credentials.

Optus has explicitly stated they will not send links or attachments in official communications about the breach. If you receive messages, texts, or emails from "Optus" with a link, it's likely a scam. Do not click on the link.

Contact Optus directly for more information if you are concerned, or check the ACCC's Scamwatch for common Optus scams. 

Are my bank accounts safe after the Optus breach?

While bank account passwords and payment methods were not lost in the Optus data breach, email addresses, names, and phone numbers were. Scammers could use this information to hack into your private accounts, steal your identity, or spam you with fraudulent texts, emails, calls, or social media messages. 

For this reason, many Australian banks have put their systems on high-alert for any suspicious or fraudulent activity. You can protect your account by changing passwords, enabling multi-factor authentication, and obtaining a free credit check to make sure no one is running up debt in your name.

Do I need to update my drivers licence or Medicare card after the Optus data breach?

If you have been contacted by Optus and told your Medicare card or driver's licence has been compromised in the attack, you may have to replace these documents. For customers severely impacted by the breach, Optus strongly recommends you replace these documents ASAP.

You can apply for a new drivers licence through the relevant state or local authority (such as Service NSW or VicRoads). In states or territories where the government has not already agreed to waive the fee, Optus has stated it will apply a credit to the account of customers who have had to replace their drivers licences (some conditions apply).

At the moment, it is not mandatory in any state or territory to replace your drivers licence after the Optus attack. However, if you have been contacted by Optus and strongly advised to do so, it may be a good idea to replace your licence to protect your identity anyway.

If you have not been contacted by Optus about replacing your drivers licence, there is no need to do so. If you're not sure if you need to, you can reach out to Optus safely through the My Optus app or by calling 133 937.

As for Medicare cards, Optus strongly advises affected customers who had their card details exposed to replace their card. You can get started on this process through Services Australia.

Do I need to replace my passport after the Optus hack? Can I still travel on my current one?

At the moment, Optus advises that customers who had their Australian passports compromised in the data breach do not need to replace them. Unless otherwise notified by government, travellers can still fly on their current valid copies. The telco is working with the government on solutions for those who need to use their passports as a valid form of ID.

Customers who had their New Zealand passports breached in the attack will need to contact New Zealand Internal Affairs. Customers with other international passports compromised will receive advice from Optus soon.

Why is Deloitte investigating the Optus attack?

Optus announced it has commissioned the international firm Deloitte to conduct an independent forensic review into what happened during the September cyber attack and why. This includes looking into Optus's internal systems and processes to prevent similar attacks from happening again. 

In a statement to the press, Optus CEO Kelly Bayer Rosmarin said, "This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists."

This review will happen concurrently with other official investigations into the attack, including those run by the Australian Federal Police and the FBI. 

What if Optus hasn't contacted me yet about the data breach?

If you are or have recently been a customer with Optus, but haven't received any official communications about the data breach, you can reach out safely via the My Optus app or by calling 133 937. It's possible Optus might not have valid or current contact information for you. It is also possible any of your information leaked in the data breach wasn't high-priority (such as Medicare or driver licence numbers), or that your data hasn't been compromised at all, and therefore the urgency to contact you is relatively low compared to more affected customers.

Optus states it has now reached out to all affected customers who are contactable with information they have on file. For customers Optus hasn't been able to reach via email or text, it has sent letters to the most recent valid residential address it has on file.
