In September 2022 private data for around 9 million Optus users was stolen.
In response, the CEO of Optus Australia has offered an emotional apology after customers raged about the hack online. A statement from Optus said that information which may have been exposed includes customers' names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers.
It is thought that 2.8 million people had all of their details taken, while information for around 7 million people which included DOB, email address, and phone numbers was stolen. Optus is "very sorry" and knows that "customers will be concerned". Optus has said its services were not affected in the breach and remain safe to use, with messages and voice calls not compromised.
Customers have taken to social media to say that the telco had not yet contacted them to make them aware of the breach.
Nothing to worry about. Just another online day in Australia.
(Score: 2) by RS3 on Saturday September 24 2022, @06:53PM (18 children)
Maybe Australia does things differently, but why do Optus need birth date, driver's license, passport numbers, etc.?
(Score: 5, Insightful) by Gaaark on Saturday September 24 2022, @07:02PM
MOTD at the bottom of the article (for me):
"Never give an inch!"
It's the business of business to not give you any more than an inch (unless it's up your arse), but take as many miles from you as they can.
These guys should be crying because they're going to jail and losing everything, not because they're "Sorry".
Same with the likes of Zuckerberg: "We know we shouldn't have done that, and I'm sorry we did. Again. And again. and again. We're so sorry. Again." Bull-shirt.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by NateMich on Saturday September 24 2022, @09:36PM (11 children)
I was wondering that. It says Optus is a telecommunications company. Do you need a driver's license to use a phone in Australia?
(Score: 5, Informative) by deimtee on Sunday September 25 2022, @04:50AM (10 children)
Yep. Every phone is tied to a certified ID. No such thing as a "burner" phone in AU.
No problem is insoluble, but at Ksp = 2.943×10⁻²⁵ Mercury Sulphide comes close.
(Score: 5, Insightful) by driverless on Sunday September 25 2022, @01:08PM
Isn't it wonderful what all this extra security they've added around phones has achieved?
Oh, sorry, read it too fast, it says "security theatre". My bad.
(Score: 2) by Mykl on Sunday September 25 2022, @10:52PM (8 children)
Having all of this data breached is a very bad thing, but I do like the absence of burner phones in Australia (not that people can't still spoof numbers - hopefully we get the Telcos to come to the party on that one soon).
I can understand the need for proper identification against a phone number when it comes to Financial Crime, as virtually all of our services these days use a phone number to text 2FA, verify account details, provide password resets etc.
(Score: 2) by deimtee on Monday September 26 2022, @02:50AM
I don't mind the certifying part, but there is no need for them to keep the copies they do. A simple boolean in a database that says DL sighted, BC sighted, etc. is all that is needed. They should not be allowed to keep copies of any of it past the need for verification.
No problem is insoluble, but at Ksp = 2.943×10⁻²⁵ Mercury Sulphide comes close.
(Score: 2) by RS3 on Tuesday September 27 2022, @12:17AM (6 children)
I'm very saddened to hear this. I consider phones, especially cell, and phone numbers to be fundamentally and extremely insecure. Sending any kind of sensitive information to a phone number is lunacy IMHO, for many reasons, including that a phone number could be incorrect, so who knows who will get your critically important info. But the people setting this up and using it don't care, and evidently don't have to care.
(Score: 2) by Mykl on Tuesday September 27 2022, @01:11AM (5 children)
I didn't say that it was a good thing that phones are used so centrally for this, but it is what it is. Given that's the case, we need to come up with ways to minimise the many, many dangers that they pose.
(Score: 2) by RS3 on Tuesday September 27 2022, @01:48AM (4 children)
Well sure, and I never said you said it was a good thing. I'm referring to the govt. laws and policies. I assume you're not in Aus govt.?
So firstly, I'm concerned about the root cause- how did this happen in the first place (that someone things phones are secure)?
Secondly, the only thought I have is for experts to be consulted by govt. officials, and the laws and policies based on reality (that phones and numbers are _not_ secure).
What are your thoughts, ideas?
(Score: 2) by RS3 on Tuesday September 27 2022, @01:51AM
"things" should be "thinks"
(Score: 2) by Mykl on Tuesday September 27 2022, @05:32AM
It sounds really archaic, but a lot of fraud for _big_ things (change of property title, sale of large shareholdings) could be avoided by no longer allowing these transactions to be online-only.
For most people, a property purchase is a once-in-a-lifetime event. Requiring someone to show up in person to sign the papers (along with ID etc) would massively reduce the threat of fraud while creating a relatively minor inconvenience for many (who would probably be more than happy about it when told that it reduces the chance that they will be swindled out of their life savings down the track).
Should I need to physically turn up to a Telco store in order to obtain a phone number? Maybe! This can be mitigated for business accounts by allocating a range of numbers at one time, so that the poor peon in IT isn't making daily trips to the store.
This will obviously have more of an impact on some people (e.g. remote and rural residents, shift workers etc), but it would be safer than what we have today.
(Score: 3, Insightful) by deimtee on Wednesday September 28 2022, @03:25PM (1 child)
They think mobile phones sort of carried on from landline phones. Landlines in AU were pretty secure. One network and each phone physically tied to a single address. When mobiles started being introduced they tried to keep that security. To get a mobile you had to show up with proof of ID and the phone was tied to the name and address on that ID.
No problem is insoluble, but at Ksp = 2.943×10⁻²⁵ Mercury Sulphide comes close.
(Score: 2) by RS3 on Wednesday September 28 2022, @04:54PM
Yes, you're on to what I'm seeing- legacy landline concepts being applied to cell phones.
Notice I wrote "legacy"- old copper-based stuff would be almost impossible to hack, and there'd be pretty much no point. Well, I suppose one could voice call and give a password / security code verbally, but even then you can't be sure of who answers the phone. Could be a robber / kidnapper who has the homeowner literally tied up and is trying to clean out their bank accounts.
If hackers (and I hate using that term that way) can get into govt. networks and systems worldwide, there's no way cell networks are somehow magically immune.
I wish I understood the mechanisms (people making very poor decisions) in place that decide to use cell phone numbers as a secure way to identify and communicate sensitive information. Lunacy. Somehow these decisions are being made without consulting actual tech experts. And like too many things in society, everyone else does it because it's the current fad. Lunacy.
(Score: 4, Informative) by MostCynical on Saturday September 24 2022, @10:42PM (2 children)
When you buy a phone on a plan [optus.com.au], you are entering a lease [optus.com.au] - so, finance. As with any finance (car, home loan) you need to prove your identity - so, licence or passport.
The problem is the way this information is stored.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 4, Informative) by deimtee on Sunday September 25 2022, @11:02AM (1 child)
That too, but you can buy a prepaid SIM card and have your own phone and you still need to provide ID to get it connected to a network.
No problem is insoluble, but at Ksp = 2.943×10⁻²⁵ Mercury Sulphide comes close.
(Score: 2) by RS3 on Wednesday September 28 2022, @04:59PM
In the US. I'm using a prepaid plan. I bought a SIM card in a store, cash, no ID requested nor given. I called the provider and gave some info- full name, postal address (which could have been a PO box), an email address (which I don't think was necessary), but no driver's license, no DOB nor anything else.
Bottom line: I never provided any form of physical ID- just verbal over the phone, and fairly limited at that.
(Score: 2) by Tokolosh on Saturday September 24 2022, @10:46PM
The children. Oh, and terrorists. And people I find offensive.
(Score: 1, Insightful) by Anonymous Coward on Monday September 26 2022, @11:53PM
For decades many companies in Australia have been collecting all possible data. I had a run-in with a place selling sauces which wanted far too much personal data for an online purchase. Now, your DOB, name, real address and so on is everywhere. Electricity account, gas, phone, you name it.
While there is a law designed to prevent burner phones it does not work. The easy dodge is where one person signs up for lots of services. They curtailed that. If you have more than 5 sims you go on a watch list. The other way around is money. So much for trying, it just affects everyday people.
Many companies get cagey when asked why they need DOB and licence. By law they should admit that they want to do a credit check. Really they don't. Front end staff are not paid enough to care.
With all of this personal data in so many places, many of them with websites like Optus, it is only a matter of time before the next data breach. The price we pay.
(Score: 3, Funny) by Opportunist on Saturday September 24 2022, @07:06PM (4 children)
He doesn't just cry, he commits Seppuku. Way more entertaining to watch.
(Score: 3, Touché) by NateMich on Saturday September 24 2022, @09:42PM (2 children)
Well, from what I've seen they cry and bow when they apologize.
I haven't seen them actually commit Seppuku. That would imply that they actually care.
(Score: 3, Funny) by Opportunist on Saturday September 24 2022, @11:59PM (1 child)
Hey, one can dream.
Besides, have you tried handing them a sword? I mean, while they're in the mood, the least you can do is give them a helping hand.
(Score: 2, Interesting) by Runaway1956 on Sunday September 25 2022, @02:53AM
https://youtu.be/AC9SF7TOyHQ?t=78 [youtu.be]
Abortion is the number one killer of children in the United States.
(Score: 3, Interesting) by c0lo on Monday September 26 2022, @09:34AM
Didn't happen with any executive of that nukeplant in Fukushima, did it?
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 5, Insightful) by drussell on Saturday September 24 2022, @07:46PM
Some sort of note in the summary to the effect of "Optus, an Australian telecommunications provider and second-largest wireless carrier in Australia is a subsidiary of Singaporean telecommunications conglomerate Singtel," would have been appreciated.
(Score: 1, Insightful) by Anonymous Coward on Saturday September 24 2022, @07:51PM
But not enough to elect politicians that will regulate and punish the offenders.
(Score: 5, Insightful) by Joe Desertrat on Saturday September 24 2022, @11:58PM (2 children)
In the name of "security", they will make it harder for customers to use their accounts, adding extra login steps, requiring information like phone numbers, etc., while doing next to nothing about the actual security holes that allowed the breach. I'm sure the hackers didn't crack the passwords of nine million users to accomplish what they did.
(Score: 3, Informative) by c0lo on Monday September 26 2022, @09:45AM
Nobody is talking about cracking a password or something.
Even more than that, it may be about negligence to secure an API at all [abc.net.au]
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 0) by Anonymous Coward on Tuesday September 27 2022, @02:07AM
They already do this. Many other places also. It is getting to the point where you cannot function in society without a number. I have tried this to see how far you can get. Many places online require a phone number.
(Score: 4, Insightful) by progo on Sunday September 25 2022, @04:01AM (4 children)
Wikipedia says Optus is an Australian wireless carrier with 10.5M customers in 2019. Australia has about 26M residents.
The story isn't "9M Optus accounts compromised" -- it's "All Optus accounts compromised."
(Score: 5, Informative) by janrinok on Sunday September 25 2022, @05:37AM (2 children)
If we had used a different headline somebody would have complained that it was too vague. After all, if Optus only had a few hundred accounts and had compromised 'all' of them it would still have been a minor breach when compared to others that we report. Alternatively, if we had used 'All Accounts Hacked' it would have been incorrect and we would also be accused of click-baiting the headlines. We try - and I accept that we don't always succeed - to make the headline useful. More often than not we use the one provided by the source because that way we cannot subsequently be accused of exaggerating any claim or displaying a specific bias.
I cannot accept that the headline in this case is misleading - it is as accurate as it needs to be given the limited space we have for it. It is most certainly newsworthy for the reason you have pointed out, but it is not misleading.
(Score: 2) by progo on Sunday September 25 2022, @07:12PM (1 child)
Sorry I didn't mean to cause offense, and my criticism was meant to be directed upstream at the primary reporters. And you make good points in your reply.
(Score: 3, Interesting) by janrinok on Monday September 26 2022, @01:09AM
No offence was taken, there is no need to apologise.
I was simply trying to explain why we tend to use the original titles more often than not.
(Score: 1, Interesting) by Anonymous Coward on Monday September 26 2022, @11:41PM
OP here. On posting I did not realise Optus served literally half the country. Numbers are from the original article. I will watch this in the future. Thanks for pointing this out.
This story is still going. Hackers have threatened to release the data.