What to do if you've been the victim of a data breach
Last week customers of Australia's second-largest telco, Optus, were greeted with news that nobody wants to receive: as a result of a data breach, your personal information has potentially been compromised.
The data breach is believed to have been one of the largest to occur in Australia, with over 9.7 million current and former Optus customers stretching as far back as 2017 likely to have had at least some information such as their name, date of birth, email, phone number and address stolen.
Even more concerningly, for around 2.8 million Optus customers, the perpetrators behind the breach were able to access personal details such as the identification numbers on driver's licences and passports.
In a statement made last week, Optus chief executive Kelly Bayer Rosmarin apologised to customers and urged them to up their vigilance in the period ahead.
"We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.
"Optus has also notified key financial institutions about this matter. While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious."
How common are data breaches?
The Optus breach is, without a doubt, one of the more significant incidents of its kind in Australia, but it's by no means the only occasion where customer data has been accessed and made public.
In recent years a number of corporate and government institutions including the likes of Canva, Bunnings, ShopBack, the Australian National University, Service NSW and the Victorian Government have been hit by data breaches which resulted in the release of the personal details of individuals.
In fact, the Office of the Australian Information Commissioner's most recent Notifiable Data Breaches Report notes that there were 464 breaches between July and December 2021 alone - a 6% increase on the six months prior.
Of those breaches, 96% ended up affecting 5000 people or fewer while just three impacted over 50,000 individuals, with almost all of them coming about as a result of malicious and criminal attacks or human error.
What is stolen data used for?
One positive in the Optus case is that the telco has reported that payment information such as credit card and bank account details hasn't been compromised, but like most data breaches, the worry is that the personal details that have been stolen will be used by criminals to conduct identity theft.
This is particularly true for the Optus customers who have had information like their passport or licence numbers exposed because, as the Minister for Cyber Security Clare O'Neil pointed out in an interview with the ABC, these pieces of information are commonly used in identification checks.
"The reason this is so concerning to us is because what this effectively amounts to is 100 points of ID, so the scope for identity theft and fraud is quite significant in particular for those 2.8 million Australians."
This concern is also shared by Professor Gernot Heiser, leader of the Trustworthy Systems Group at the University of New South Wales, who says that there are numerous ways for personal information to be misused.
"With this information, people can potentially set up accounts in your name and use that, for example, for the purpose of money laundering. Or it could be used for even milder things like creating social media accounts in your name and posting hate speech or other material that will badly reflect on you."
What action can you take if your data has been exposed?
Because the information stolen in a data breach differs between individuals and incidents, there's no simple safeguard or solution.
Having said that, there are a number of broad recommendations that people can follow, either to reduce their chance of falling victim to identity theft or to prepare themselves for a future data breach.
1. Change your password
After any data breach, one of the first steps to take is changing the password associated with the service or account which has been compromised - especially, says Heiser, if you've used that same password for multiple accounts.
If you haven't already, it may also be worth adding an extra layer of security to your accounts by enabling multi-factor authentication (MFA) if it's available.
According to the Australian Cyber Security Centre, because MFA requires multiple points of proof rather than, say, just a single PIN or password, it can provide "significantly more powerful security" against criminals.
2. Apply for new identity documents
While the leak of sensitive personal information like a driver's licence number or passport number doesn't happen in every data breach, if it does occur, as it has to plenty of customers in the Optus breach, it may be worth exploring the possibility of replacing any affected identity documents - as much of a pain as that may be.
For example, following the Optus incident, Australians who had their driver's licence numbers exposed have been encouraged to replace their licences, with a number of state governments waiving replacement fees for those impacted.
3. Monitor your bank accounts
For many people, their first reaction to a data breach will be to wonder whether or not their money is safe. It's a totally natural reaction, which is why the ACCC's Scamwatch recommends that people keep an eye on their bank accounts for any unusual transactions or purchases in the wake of a breach.
Scamwatch also encourages people to ask their banks about any options available to secure their money further, including placing withdrawal limits on their accounts.
4. Check your credit score
Stolen identities are often used to take out loans or other products in your name, so one of the ways to monitor any credit fraud is by regularly reviewing your credit report. Australians are able to access a free copy of their credit report from the three major credit reporting agencies (Equifax, Experian and illion) every 90 days, and it's also possible to place a ban on your report if you suspect that you've been a victim of identity theft.
Following the Optus data breach, the telco has stated that it will be offering some customers free access to a 12-month subscription of a credit monitoring service from Equifax.
5. Watch out for scams and phishing attempts
While it's good practice in general to avoid clicking on any suspicious links sent via email or text and to ignore any unsolicited requests for your information, not-for-profit identity and cyber support service IDCARE urges Australians to be particularly vigilant after data breaches.
If you are contacted by someone claiming to be from a company or the government, the general advice is to never respond to any requests for personal details and, instead, to contact the organisation directly if you do need to find out whether it's genuine.
In regard to the Optus breach, the telco says that it won't include any links in its communication with customers as it anticipates that criminals will most likely use the incident to attempt to scam people.
For more recommendations, check out the OAIC's guide on how to respond to a data breach notification. If you believe you've been a victim of a scam or fraud, here are some resources and contacts that may be able to help:
- AFCA - 1800 931 678
- ACCC - 1300 302 502
- IDCARE - 1800 595 160
- Services Australia Scams and Identity Theft Helpdesk - 1800 941 126