Optus data breach: what can customers do and how can we create a safer data future?
University of Melbourne cyber security expert and Deputy Director of the Defence Science Institute, Associate Professor Toby Murray suggests how customers can minimise their risk and a way forward for preventing future breaches.
On Thursday 22 September, Australia’s second-largest telecoms company Optus announced it had suffered a major data breach that had compromised sensitive customer information of around ten million customers. Reports, including Optus’ own communications with customers, indicate that the exposed data includes names, dates of birth, email and street addresses, driver’s license numbers and passport numbers. Of these, the latter two are most concerning, but all of this data is potentially useful to identity thieves and fraudsters.
As of Tuesday 27 September, records of 10,200 individuals have been published online. While the purported attackers have since promised that they have deleted their only copy of the data and will not release any further data online, there is no evidence yet to prove this claim. We recommend that affected customers still take precautions to protect themselves.
So what can Optus customers who may have been caught up in this breach do to help protect themselves? And what can be done in future to make these sorts of breaches less likely?
What can customers do?
Firstly, don’t panic. As trite as it sounds, be alert, but not alarmed. The stolen data might be used by scammers who want to target Optus customers directly. So be on the lookout for texts and emails purporting to be addressed to Optus customers impacted by this breach, especially ones that ask for sensitive information or payment.
The second thing consumers can do is to strengthen their online digital security, especially for financially sensitive accounts. If your bank offers two-factor authentication, but you haven’t yet enabled it, do so. If it offers a physical authentication token like a YubiKey or RSA SecurID, then you should opt in for that too.
The third thing is to strengthen accounts that you access over the phone. Call up your bank and ask them to put in place additional verification methods on your account. That way, if somebody phones the bank claiming to be you, they need to answer an additional security question or provide a one-time code sent by SMS to your mobile phone, or similar.
To help reduce the risk that the stolen identity information will be used to successfully impersonate you, consumers can also try to have their driver’s license or passport reissued. Passports can be reissued with new numbers by lodging an ordinary passport renewal application, although you will have to pay for it yourself at this stage and face a long wait time.
Some states like Victoria and Queensland are currently refusing to reissue new driver’s license numbers to victims of data breaches, unless they can demonstrate that they have been victims of identity theft or fraud. However, this option may be worth trying if you live elsewhere.
Consumers may also consider taking up commercial identity theft prevention services, such as those offered by companies like Norton and Equifax. These services include, for instance, monitoring to detect when your personal information has been exposed online, plus insurance cover to help cover the costs you suffer if your identity is stolen. Free services that are widely used also include HaveIBeenPwned, which will notify you when your email address has been detected in a public data breach.
Finally, consumers should also consider contacting the three major credit bureaus in Australia: Equifax, Experian and illion, to request regular credit reports. These include information about when somebody has applied for credit in your name, allowing you to detect when you may be a victim of identity theft. You can also request a credit ban, which will prevent anyone from applying for credit in your name for 21 days, and if you are the victim of fraud, such bans can be extended beyond that period.
How can similar breaches be prevented in future?
The Optus breach reportedly occurred because of a simple (yet common) problem with its website, which allowed anyone to request the sensitive information of arbitrary Optus customers without first having to log in (authenticate themselves), even though the details of one customer should never be made available to any other (i.e. there was no access control).
Companies deploying websites that handle sensitive data can reduce the risk of these kinds of problems by ensuring that new features are heavily tested (including via security penetration testing and automated security fuzz testing) to weed out these kinds of bugs before the site goes live and has the potential to harm customers.
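To make the two points above concrete, here is an added illustration (not code from Optus or from this article) of what the reported flaw looks like in a request handler, the hardened form with authentication and per-record access control, and an automated check of the kind pre-deployment testing should run. The customer table, session tokens and record values are constructed for the example and the handler interface is an assumption; no web framework is used so that it runs offline.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: a tiny in-memory customer table standing in for
# the backend database. Names and numbers are made up for this example.
CUSTOMERS = {
    1001: {"name": "Alice Example", "dob": "1980-01-01", "licence": "LIC-0001"},
    1002: {"name": "Bob Example", "dob": "1975-06-15", "licence": "LIC-0002"},
}

# Constructed session store: maps a bearer token to the customer who logged in.
SESSIONS = {
    "token-alice": 1001,
    "token-bob": 1002,
}


@dataclass
class Request:
    customer_id: int            # the record the caller is asking for
    token: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def lookup_customer_vulnerable(req: Request) -> Response:
    """Mirrors the flaw described above: any caller can fetch any record.
    There is no authentication and no check that the record belongs to the caller."""
    record = CUSTOMERS.get(req.customer_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def lookup_customer_hardened(req: Request) -> Response:
    """Authenticate first, then enforce object-level authorization:
    a session may only read the record it is bound to."""
    if req.token is None or req.token not in SESSIONS:
        return Response(401)  # not logged in
    caller_id = SESSIONS[req.token]
    if caller_id != req.customer_id:
        # Answer 404 rather than 403 so the endpoint does not confirm
        # that other customer IDs exist.
        return Response(404)
    record = CUSTOMERS.get(req.customer_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def audit_access_control(handler) -> list:
    """Pre-deployment check: call the handler with no session and with every
    session against every record, and report any record served to a caller
    it does not belong to. An empty list means no access-control leak."""
    leaks = []
    for cid in CUSTOMERS:
        # Unauthenticated access must never succeed.
        if handler(Request(cid)).status == 200:
            leaks.append(("anonymous", cid))
        # Cross-customer access must never succeed.
        for token, owner in SESSIONS.items():
            if owner != cid and handler(Request(cid, token)).status == 200:
                leaks.append((token, cid))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", audit_access_control(lookup_customer_vulnerable))
    print("hardened handler leaks:", audit_access_control(lookup_customer_hardened))
```

The audit function is the kind of test that belongs in a site's automated suite: it fails the build if any endpoint returns a record to an anonymous caller or to a session bound to a different customer, which is exactly the defect the text describes.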
Bug bounty programs can also help to ensure that bugs missed during testing before deployment are more likely to be safely found and fixed even after a site goes live.
The Optus breach was dangerous because Optus’ systems retained sensitive customer information like driver’s license and passport numbers. Indeed, telecoms companies like Optus (and other kinds of companies too) regularly collect and retain a lot of sensitive customer information as part of their business operations.
In fact, telecoms companies are required by law to do so, including retaining sensitive metadata. Companies should collect as little information as is required to operate their businesses. Governments should pass laws with sufficient penalties for violations of this basic principle. Governments should not pass laws that require or incentivise companies to collect more information than is necessary, and existing laws that do so should be repealed or rewritten.
In the USA, companies that suffer data breaches are required in some states to offer free identity theft protection services like credit monitoring to their impacted customers. Australia should impose similar requirements on companies like Optus, to ensure that the cost of breaches is not placed on consumers (who are not at fault), but rather on the companies (who are).
In situations where a company has been negligent, civil remedies might also be made available to its consumers.
It remains to be seen whether the Optus breach will see a shift in the Australian landscape surrounding data breaches. The Government and opposition have each already proposed legislation in response to this breach, but many of the remedies proposed so far would not have helped in this case. As always when designing legislation, knee-jerk reactions are rarely productive in the long term and many competing interests need to be carefully balanced, which requires careful, sober analysis, informed by expert advice.
Let’s hope that the ultimate outcome of this data breach is that consumers will be better protected in future, with better access to remedies if or when their data is compromised.
Associate Professor Toby Murray