On Thursday 22nd September, 2022 and as required under Australian law, Optus reported that it had suffered a “hack” that resulted in the private information of many millions of its current and past customers being stolen. This information, Optus reported, included customer’s names, addresses, dates of birth, telephone number(s) and details of the identification documents (eg. driver’s license and/or passport details) that Optus had required their customers provide.

This breach of security has potentially wide-reaching ramifications.



Description of the risk

Assuming Optus’ reporting is accurate, the personal information that has been stolen is sufficient, for the holder of that information to commit identity fraud. The value of this information on the black market should not be underestimated. Criminals who ply their trade seeking to obtain people’s personal information through social engineering attack vectors and who are successful, potentially, only one in every several thousand attempts, will be looking at this stolen data and rubbing their grubby hands in anticipation.

Identity fraud is where someone (the bad guy) uses another person’s (the victim) personal information (the exact information that has been stolen from Optus) to obtain a benefit of some sort, typically financial. For example - the bad guy might obtain a credit card or personal loan in the victim’s name. They might buy a car with finance in the victim’s name. They might even be able to convince the victim’s legitimate bank that they are that person and withdraw the funds in that legitimate bank account. In all cases, the bank will likely have no idea that this is a bad guy pretending to be the victim - how would they know - the bad guys has all the needed information to pretend to be the victim. In each of these scenarios, the bank that has offered the loan/credit will seek to secure the associated repayments from the victim, while the bad guy has disappeared with the money.



What should you do immediately if you’ve been caught up in this situation?

If you’re the same situation that my wife and I personally are in (my wife has an account with Optus and has been advised that her personal details have been stolen), you might consider taking the same immediate action that we are taking.

Our banking arrangements, likely similar to many Australian couples, falls under the age-old description of “Everything that mine is hers and everything that’s hers is hers”, meaning that we have a joint bank account and my wife has her own bank accounts in her name only. That means, because she is the sole or joint  holder on all of our accounts, all of our accounts are at risk.

Whereas we believe that should or when she becomes a victim of identity theft, we will eventually be able to overcome whatsoever challenges ensue, the important thing while we are working it all out is that we are able to meet all of our legitimate financial obligations and to feed our family. We have therefore decided that it is time for me to open bank accounts in only my name. Our wages will be deposited in to my new account and held at arms length from any account that the bad guys might otherwise be able to access by having her personal information.

This is a seemingly rudimentary action, but it is one that will ensure that we can keep a roof over our heads and feed our family if/when things get real.


If your situation is different (eg you’re not in a relationship), you might want to ask a very trusted person (eg your parents or siblings) to hold at some of your money until such time as you’re comfortable the risk has dissipated.



What should you immediately stop doing and never do again?

You should immediately stop interacting with emails on a smart device such as a phone or tablet. By interacting I mean clicking on links and/or replying to emails. This is because you cannot see (a) where a link is taking you and/or (b) what the actual sending email address is on a smart device. Any email that you receive that relates in any way at all to matters of finance, subscriptions, insurances, banking, your personal details, etc should only be interacted with on a computer, where you can hover the mouse over links before clicking to see whether the web site you’ll be taken to is legitimate. If you don’t know how to do this, email me at info@remex.com.au, as I’ll be more than happy to help.

You should also immediately stop interacting with SMS’. Again, by interacting I mean clicking on links. If you are sent an SMS that is legitimately seeking your interaction, you should be able to undertake that interaction by using a computer and visiting the sending company’s web site directly.



What should you do regularly now and in to the future?

The Australian government’s Office of the Australian Information Commissioner deems that credit reporting bodies must provide to you a copy of your consumer credit report free of charge each three months. This information is available on their web site here. At the time of writing this article, there are three active credit reporting agencies in Australia, namely Equifax, Experian and illion. Each will hold slightly different information about you and, importantly, all of them should hold information of recent significant changes, such as, an application for a credit card or loan.

Being that there are three credit reporting agencies and each is compelled to provide you a copy of your consumer credit report, free of charge, each three months, our advice is that you systematically request a copy of your report from them monthly (suggested schedule below) and specifically be on the lookout for activity that you did not instigate.

Suggested schedule:
Obtain report from Equifax on 1st October, 1st January, 1st April and 1st July.
Obtain report from Experian on 1st November, 1st February, 1st May and 1st August.
Obtain report from illion on 1st December, 1st March, 1st June and 1st September

In effect, this will give you the opportunity to observe any unusual activity every month - and the sooner you deal with it when it happens, the easier it will be to deal with. When you observe unusual activity, follow the advice of the Office of Australian Information Commissioner.



Parting thought ... for you to ponder

As alluded to in our advisory on Microsoft 365 security in 2019, certain “systems” and “services” are under constant and consistent attack by hackers. This is the case because the potential payday, should the hackers get in, is huge. In the case of this Optus data breach, they got several million Australians’ personal data and will be able to use that data or sell it on the black market for others to use for years to come.

Two of the most effective ways to protect yourself and your data are: (a) to remain vigilant and careful when interacting with any links in emails, SMS’ or social media posts; and (b) to try to be as obscure as possible.

Businesses that embrace and put all of their eggs in to the basket referred to as “the Cloud” are well and truly putting their future in to the hands of those Cloud providers, because they retain no control at all over the levels of security and they are working from systems that have a huge bulls-eye on them and are under constant attack.