Optus customers caught up in a cyber-attack that may have exposed the personal information of 9.8 million people say they are angry and concerned about having been exposed to the risk of identity fraud.
Emails from Optus to customers caught up in the data breach began landing in people’s inboxes about 4pm on Friday, roughly 24 hours after the attack was first reported.
The messages, addressed from the Optus chief executive, Kelly Bayer Rosmarin, were labelled as an “urgent update from Optus about your personal information” and began with Rosmarin expressing her “great disappointment” about the data breach before outlining what information had been taken – and what had not.
“Importantly, no financial information or passwords have been accessed,” the email said. “The information which has been exposed is your name, date of birth, email, phone number, address associated with your account, and the numbers of the ID documents you provided such as driver’s licence number or passport number. No copies of photo IDs have been affected.”
The email said Optus was “currently not aware of customers having suffered any harm” but offered a checklist for people to follow to protect themselves. This included suggestions to “look out for any suspicious or unexpected activity across your online accounts, including your bank accounts” and to “never click on any links that look suspicious”.
The email offered a contact number for customers to call with any concerns, but did not offer any way for Optus to be contacted in writing or a means to lodge a complaint with the company.
Some customers who thought they might have been caught up in the breach but had not received a letter on Friday said they had to call the company to confirm their information had been stolen.
I am affected by the breach, but I have not been contacted by Optus at all. I only found out by contacting them to ask them directly. Have not even had an email telling me that a breach OCCURRED.
— Belle Belle (@bellebelle) September 23, 2022
Others who did receive the email said they were angry about what they described as a “condescending” effort at damage control, and frustratedthat they now have to spend time protecting themselves after Optus’ mistake.
Alistair Roberts, an Optus customer and IT professional, said he was a “pretty angry customer”.
“Optus sent me my bill yesterday, but couldn’t get around to informing me I’d been part of the hack,” Roberts said.
“And the letter was terrible. Put the onus back on customer to check everything. Then just a number for a call centre that no doubt is flooded.”
The Optus 133 937 customer service number has a recorded message saying they'll be 'reaching out' to customers whose data has been subject to unauthorised access.
While we wait, it would be good to know how long Optus keeps former customers' data. 1-2 years? Longer?
— Lady Raven (@kity_katz) September 23, 2022
Another customer, who wished to remain anonymous, said their work had required them to maintain a number of “burner phones” over the years and they were now “freaked out” about what information has fallen into the public domain and who may have it.
“There are people who I really don’t want to know where my front door is,” they said. “How do I get one of those shell corporations to give me a new identity to hide behind?”
But they said the responsibility ultimately lay with the government for requiring corporations to collect so much data in order to access a basic necessity of modern life.
“It’s such a lazy, clumsy policy,” they said. “We’re so powerless.”
Electronic Frontiers Australia chair, Justin Warren, said that while Optus was ultimately responsible, the government bore some responsibility for the breach because of laws that require large troves of personal data to be collected by telecommunications companies.
“Government needs to stop passing laws that require government agencies and corporations to collect private information they can’t keep safe and secure,” he said.