As a provider of critical infrastructure and one of Australia's largest phone companies, the question on everyone's lips is, "how was Optus hacked?" And for those who fell victim to it, "what does it mean for me?"
Due to the nature of the case and Optus collaborating with the local, state and federal police, the specific details on how the breach occurred cannot be disclosed to the public. But here’s what we know.
The Australian Federal Police is looking into the origins of the Optus cyberattack and the methods used by the hackers. Optus has also commissioned a separate Deloitte investigation to uncover what happened and why.
Described as a “sophisticated” breach, the rumoured culprits used multiple European IP addresses that kept changing during the hack. Home affairs minister Clare O’Neil, however, asserts the attack was “basic”.
She has criticised Optus for leaving its systems vulnerable through an unprotected Application Programming Interface (API), an interface that allows software systems to talk to each other and that, in this case, could be called without any authentication.
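To make the “unprotected API” point concrete, here is an added illustration (example code written for this article, not Optus’s systems or code; the customer table, the secret and the token scheme are all constructed). It places the weak pattern, a lookup anyone can call, beside the minimal hardened form, which authenticates the caller and then checks that the caller is allowed to read that particular record.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample data: a tiny customer table holding PII-like fields.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "licence": "DL-0001"},
    "1002": {"name": "Bob Example", "licence": "DL-0002"},
}

# Constructed demo secret. A real service would issue tokens through its
# identity provider rather than deriving them like this.
SECRET = b"constructed-demo-secret"


def issue_token(customer_id: str) -> str:
    """Mint a bearer token bound to one customer id (HMAC-tagged)."""
    tag = hmac.new(SECRET, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"


def verify_token(token: str) -> Optional[str]:
    """Return the customer id the token is bound to, or None if invalid."""
    cid, _, tag = token.partition(".")
    expected = hmac.new(SECRET, cid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag via timing.
    return cid if hmac.compare_digest(tag, expected) else None


def get_customer_unprotected(customer_id: str) -> Optional[dict]:
    """The weak pattern: any caller can read any record by id."""
    return CUSTOMERS.get(customer_id)


def get_customer_protected(customer_id: str, token: str) -> Tuple[int, Optional[dict]]:
    """Hardened form: authenticate the caller, then authorise the record."""
    caller = verify_token(token)
    if caller is None:
        return 401, None          # no valid credential presented
    if caller != customer_id:
        return 403, None          # object-level check: not your record
    return 200, CUSTOMERS.get(customer_id)
```

The 403 branch matters as much as the 401: a valid token for one customer must not unlock every other customer’s record.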
What was stolen? And from whom?
The Optus breach exposed more than 10,000 individuals’ details as a part of the violation. This includes more than 3200 driver’s licences, 151 overseas passports, 110 passports, 55 Medicare cards, 55 proof of age cards, 41 photo cards, and 31 learners’ driver’s licences. Optus has also revealed more than 37,000 Medicare numbers were exposed in the data breach in which close to 15,000 are active.
The Optus attack impacted customers from 2017, with anecdotal reports suggesting ex-customers as far back as 2012 have also been affected.
According to Optus, most Optus Mobile Virtual Network Operators (MVNOs), such as Coles Mobile and Catch mobile, have not been impacted. However, online-only mobile services (GOMOs) may have been affected.
Further revelation of the case has identified an additional 9.8 million Australians could be impacted by the attack, with 2.8 million severely impacted. Optus claims it has notified most of the affected customers about their involvement in the attack, but those considered less so are yet to be told.
How can you protect your data?
Keeping passwords, financial details and other personal information safe from outside intruders should be a priority for businesses, but it is increasingly critical for consumers and individuals to heed data protection advice and use sound practices to keep their sensitive personal information secure.
The traditional definition of personally identifiable information (PII) is data such as health records, credit card numbers and Tax File Numbers. However, the big data age of the Internet is upon us, and even data not previously considered to be PII can feel very personal when viewed in a broader context.
Bits of data, when combined, can tell someone a lot about you. Those aggregated ‘bits’, which constitute the new PII, may include information such as your email address, browsing history and search history. As we move further into the information society, the definition of PII will be broadened, and businesses, consumers, and individuals need to think about what we consider as personal information.
Here are a few tips on how to keep your PII private and secure:
- Use secure passwords – Weak passwords are easily cracked by attackers, especially if you don’t follow sound password-creation practices. The best passwords contain uppercase and lowercase letters, numbers and special characters. You should also avoid easily guessed words or alphanumeric combinations, such as the names of children or pets, birth dates, addresses and similar information.
- Share personal information with caution – This tip applies to both the online and offline worlds. Questions to ask yourself before sharing anything include:
  - Who is asking for your personal information?
  - Why do they need it?
  - How will they use it?
  - What security measures do they have in place to ensure that your private information remains private?
- How to share information carefully – The truth is, it’s impractical in today’s modern world for people not to share information. Families need to share passwords to email accounts and online streaming services such as Netflix, and in the workplace co-workers need to share login credentials, but you shouldn’t give out passwords without concern. If another person needs access for a single, isolated purpose, change your password once the task is completed and they no longer require access. If there is an ongoing need to access shared accounts, determine the legitimacy of the request and grant access on a case-by-case basis.
- Don’t use the same password – You should never use the same password for more than one account or service. Think about it: if an attacker cracks your password on one website, they have suddenly broken it for a dozen more. Remembering the slew of passwords the average person needs for the many accounts and services most people have these days is no simple feat unless you have a photographic memory, which is why a password manager is such a good idea.
- Avoid using personal platforms to send sensitive data – Easily accessible platforms such as email, messenger apps or even WhatsApp can be a convenient way to send information quickly. Still, it’s impossible to ensure the intended recipient is the person who actually receives the document on the other end.
- Shred old documents and statements – Credit card statements, bank account statements, credit card offers and more plague our mailboxes every month. While online access to accounts has made printed statements practically unnecessary, many consumers toss these items out as soon as they arrive. Doing so without first shredding them could put your personal information in the hands of thieves. It may seem like junk mail, but it can be a valuable tool for identity thieves: all it takes is a partial account number, coupled with your bank’s name, for your name to be matched. That’s why it’s essential to shred mail or other documents containing potentially sensitive information.
- Get rid of old data you no longer need – Keeping your computer and mobile devices clean is a good practice to ensure usability, but it’s also wise to eliminate old information you no longer need. Keep only the data you need for current routine business, safely archive or destroy older data, and remove it from all computers and other devices, including:
  - smartphones
  - external hard drives
Protecting your customer's data, protecting your business.
Protecting your personal and professional information online and on mobile is no different than protecting your house and personal assets. Security can be as simple as locking the doors or as elaborate as monitoring and alarm systems. The first step is a mindset that identifies the exposure, risk and management of your information whenever it’s requested.
Scantek is ISO 27001 Information Security Management compliant. Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It typically involves reducing the probability of unauthorised or inappropriate access to data.
Scantek is an Australian-owned and operated provider of cutting-edge ID verification software that is helping businesses improve efficiencies whilst safeguarding their customer’s personal and private information.
If you’re a manager or owner of a business seeking an Identity Verification solution widely used by organisations and local governments to improve data security, we welcome you to contact us to see how our technology can support your business.