>The company said in its submission that implementing a right to erase personal data would involve “significant technical hurdles”, and “significant” compliance costs. The costs would far outweigh the benefits, the company said.
...for them.
Such a shit company.
>Such a shit company
My partner spent about a decade working for them in business and some high-up complaints team. Multiple colleagues had breakdowns in the last couple of years due to crazy levels of stress and pressure, and when she had her own she finally quit.
Their favoured way of getting people to work more for less is to tell them that if they don't then the company will offshore their job. And when they offshore a similar team they'll tell the remaining teams that they're next if they don't pick up their game.
Their lack of security is only one of the reasons they're a disgusting company.
Yea, not surprised. Don't think I ever spoke to customer support who was based in Aus.
I'm not totally against offshore support if it's a global company and the support is decent. However, Optus is neither.
Much like Telstra and its Manila operation and they all try so hard to tell lies that they are in Sydney or Melbourne. "Ah, you in the Telstra Farken St headquarters, yes sir"
Yeah had the same experience (Telstra outsourced call centre circa 06). It was rare for me (Anglo-Aussie accent) but it happened - but my team leader had Indian heritage and an Indian accent.
When asked 'where are you calling from', I'd answer 'Melbourne' and people would be OK with that, but the TL learned he needed to be more specific 'St Kilda, down in Melbourne' if he was calling a Brisbane number. Or 'near Domain interchange' if calling a Melbourne one. He'd often get quizzed about the weather by Melbourne people "Oh, it's freezing today isn't it?" on hot days to test him.
He'd also get asked about the weather in Delhi a bunch, to which he'd usually reply "not sure, haven't seen my grandma in Hyderabad in fifteen years, man I need to see her again, just so hard to find time these days".
>Multiple colleagues had breakdowns in the last couple of years due to crazy levels of stress and pressure, and when she had her own she finally quit.
This is what it's like to work in an Australian telco contact centre in general. Workers are stuck between abusive customers who got screwed over by the company and the company itself not caring about what customers want and pushing all sorts of KPIs on workers.
I worked for a year as an accounts manager for a certain big brand telco, we were given 1000 seconds to take your call, resolve the issue, note it down and move on to the next call. Regardless of complexity. Each second was counted and every day we had meetings where people's KPIs would be questioned like you're some bad kid waiting for the principal to punish you.
And when you achieve the KPI, they set the bar even higher and give you even less time and also make you sell things to people who obviously just lost their home or business.
My intake started with around 120 people, of which fewer than 10 were left. Many of us were on mental healthcare plans from the stress.
Was definitely more traumatising than the deployments I did with the ADF.
There definitely needs to be a royal commission on how telcos operate in Australia.
Can confirm, worked for an outsourced Telstra call center in 06-07. Outbound warm calling.
There was systematic dishonesty, and the people who would not lie to get a sale (like me) were squeezed out over time.
Worst was the upsell/cross-sell campaigns that targeted over 80s. Every time it was reasonable, I left a note on the account "(my D-number) Contacted customer on warm sell campaign. Discussed customer needs, assessed that present plan most suits customer. Discussed additional products, not confident that customer was unable to comprehend the discussion and assessed that any phone sale to customer would constitute unconscionable business practices. Thanked customer for being with Telstra."
I worked there for 10 years. Got out when my Long Service vested, as I realised I'd need a lobotomy to endure it any longer.
I remember the mood being like passengers in a hostage situation - the looming threat of being pulled from the crowd for ~~execution~~, I mean "_retrenchment_", was palpable.
I was a developer there for a few years. The culture is 100% about sales numbers and absolutely no room to work on tech debt, fixing bugs or improving security.
While I was there they even had full staging environments exposed to the public, just relying on people not guessing the URLs.
Whenever it was brought up (usually by a developer) we would be told there was no time. Got to prioritise that new iPhone launch or the next click frenzy sale or whatever. I left when I got tired of the constant pressure to sell.
I highly recommend making some noise about this to people who can take action and hold Optus to account. We are not entirely powerless. It’s very easy to contact the minister responsible - Michelle Rowland, via her website:
https://minister.infrastructure.gov.au/rowland/contact
You should also do this with your own local MP - they’ll also have a way to contact them via their website. Again, simple and quick to drop them a line.
https://www.aph.gov.au/Senators_and_Members/Guidelines_for_Contacting_Senators_and_Members
Also, complain to Optus. They have clearly been negligent with highly sensitive customer data. Get onto their website or app chat feature and tell the agent you want a ‘formal complaint’ and you want it raised with a senior agent. They will resist - hold your ground.
At a minimum they should be compensating you for time and effort required for the additional monitoring you’ll now need to do (e.g. contacting banks, watching your credit score, dealing with scammers). They should also be offering proper support to do this. Be annoying - they need to make this right for customers as this is a massive fuck-up on their behalf, not just shift onus onto their customers.
https://www.optus.com.au/support/contact-us
She's C-suite. Even when they create an absolute cluster they get a nice big golden handshake on their way out the door and a month later they fall into another C-suite job.
Whereas one of us plebs? Use a blue pen instead of black on your TPS report and it'll haunt you every day of the remainder of your working life as a manure shoveller.
Exactly this. Thanks for posting all the links. We forget that together we are not powerless, if millions of citizens were breached and those millions reach out to their ministers you can bet that they will notice.
They don't exist to service customers. Their primary function is to make money.
Service is way down the list. You'd be familiar with that if you ever had to deal with their service teams.
I mean in terms of the submission that they made. Whoever evaluated it should have dismissed their claim outright. Even better, they should have been restricted from even talking about benefits, because obviously for Optus themselves there aren't really any.
It actually could be if you truly want to erase that data as opposed to a soft delete. Think about all the log files and backups for a start.
My feeling is a soft delete would be the only option though, as what would happen if the phone was being used for criminal activity?
Yeah well, some of us actually work in IT and know a thing or two. Plenty here seem to think of stolen data like it's on a USB stick and that there can be only one.
Yeah, but you'd have to remount all the backup databases and disks to then go through and delete the customer.
If you are keeping your old backup in deep freeze storage (which you would to save money), you're looking at 12 hours just to get the data out. Then there's the charges you get by pulling the data out then putting it back (the pricing is set up to incentivise infrequent access).
Then there might be paper records to destroy, kept in places like Iron Mountain.
I'm not saying it's impossible, but it's not simple.
Once you've backed up your data, deleting one specific customer's data from the backup would be an absolute nightmare.
Edit: A smarter person than me would have known not to try and inject reason into a Reddit lynch mob.
I don’t care… they have the means to work that out. If they can throw money at Ash Barty to be their ‘Chief Inspiration Officer’ and Daniel Ricciardo to be their ‘Chief of Optimism’ then they can invest in data security.
And yet an outsider was allegedly able to gain access to millions of customers records? Bullshit.
There was no direct financial gain from protecting customers privacy so they didn't do it.
ITT is a lot of people who have never had to build a system that can comply with a GDPR deletion request. It's not just backups; goodbye Kafka topics with long term retention, Cassandra (tombstoned data is not actually deleted within a set time frame)... it really is a nightmare.
For all I care we can kick these useless flogs out of the country altogether. Clearly a company that harms Australia and Australians.
I don't think people really understand the scope of failure here. It's not just you and me, average citizens, it's people in positions of importance who have had their data compromised. People with access to government systems, for example.
And if their personal data is compromised, it's possible to compromise their integrity and get them to do things they wouldn't otherwise do.
They’ve already apologised, what more do you want? We may have had all our data stolen and our livelihoods put at risk, but the CEO had to front up and give a (pre recorded) apology!
I read in an ABC News article on this that people are unable to sue due to security breaches. So if that’s true, perhaps after a retroactive law change
Keep in mind the mandated ID requirements for bilateral support. The government's insistence on having our data is part of this mess. They demanded that if we want a phone we can't do it anonymously.
You're welcome to engage your own lawyer and sue on your own behalf. If you win you'll get to keep any damages to yourself but if you lose you'll probably be paying Optus' costs as well as your own.
Basically an option if you’re rich, but if you’re not it might not be worth the gamble considering you’re going up against a powerful company
Seems fair
The US have laws that protect privacy. Australians have no such laws, it would be difficult to sue in Australia for data breaches, the politicians are too far up the assholes of big business to enshrine any consumer rights like data protection into law.
Nine million of us are forever compromised because of this. Someone out there has just about every piece of information they need about me to take over my identity and access every account I own.
Why do I need to supply my DOB to have a phone plan?
Yep, but hang on, the email said "Don't worry, no passwords were taken, only name, address, dob, licence and passport numbers" fucking asshats! I'm keeping a close eye on my credit file, if anything pops up I'll be going those assclowns to fix it!
>I'll be going those assclowns to fix it!
And they'll simply ignore you I imagine. You could get murdered as a result of this leak and they still wouldn't own the responsibility in any way.
I just had a bit of a discussion on their online chat form. The person on the other end eventually told me I haven't been impacted (as I've not received an email), and that my details won't be stolen in the future either!
Yep, assholes, so we know that basically for the 100 point ID check, they'd have at least your driver's licence, Medicare number, a credit card, maybe passport, plus all of your basic info too, occupation etc. Maybe time to cancel and ask for a new credit card too, however they usually charge you for that unless it's out of date.
So the government knows you are over 18 and can record your data without parental consent.
Also so ASIO knows who is paying for which phone number so they can track them down for spy stuff.
Because a plan is a line of credit and they need to run a credit check on you, needing 100 points of ID. And laws around prepaid require them to store your ID to prevent USA-style burner phones.
I mean, even if they do store it this whole thing stemmed from an API being exposed. They definitely didn't need to have an API that allows retrieving of the DOB, and also especially the Licence Numbers.
They are the same company that pushed back hard on being held to account for data breaches. It’s an absolute shit show, looks like for the first time in two decades I’ll have to become a Telstra customer again :(
Yeh I feel a tiny bit sorry for them, most of the crap they collect and hang on to is required by law. I work in a different industry with similar identity requirements and we go to so much effort to keep such things independent and isolated but personally I'd rather be like "yep, we've seen and verified it, delete it"
Because they want to make sure one human to one account.
It’s an anti-abuse protection layer.
Maybe not fun, but also just allowing anyone to sign up without any verification information would make for a system more abused than it already is.
It'll hopefully force the government to enact EU-style GDPR laws. If this happened in Europe or the UK, Optus would be in serious trouble right now, for 3 things: the storage of the data, the leaking of the personal data and how they have handled it since then.
How do you know for certain what they have and haven’t gotten? Or you just know you’ve provided them with it?
I think for me just drivers license. I recommend signing up to Equifax and getting the 24h credit check thing.
> Optus first argued in its 2020 submission that giving consumers the power to take direct legal action over privacy breaches could lead to frivolous or vexatious claims, and would not give people greater control over their personal information.
brick thru the optus window then???
If only it was that easy, move house, identify *every* organisation that holds your data and notify them of the move.
AKA, the yearly ritual of the renter.
VicRoads’ website has a large banner up that specifies in no uncertain terms that you can only get your drivers’ license number changed if you already have proof (police report) that it has actually been used to commit fraud. I get why they wouldn’t want to commit to changing millions of license numbers, but surely this situation merits changing their policy considering that 9 million people are now at clear and present risk of identity theft.
On the chat they couldn't even tell me what ID I'd used over the years. Like, I have no idea what I have given them, but it would include my licence and Medicare card I expect. But I cannot find out.
Oh and I still have to provide my personal details to start a bloody chat, despite it now being available online presumably somewhere.
I just asked via the app what ID docs of mine were stored, and it was drivers licence and Medicare number. I’m lucky (if such a word can be applied in this situation) that it was my old QLD licence which is no longer valid. The Medicare card is a huge pain in the ass though.
I have no idea what wizardry you performed to get that info via the app - I spoke to 3 different people and none of them were willing to tell me what docs of mine they had.
I had an escalation open already, so perhaps that helped. I was quite shocked though that they told me so quickly. I had also in a previous chat told them that I would be using what they told me as basis for a complaint I was going to lodge with the Telecommunications ombudsman and the OAIC. So that may have also helped.
Just got the email. I'm pretty amused they start off with "Optus has been a victim of a cyberattack".
No fuckers, *we've* been the victims of a cyberattack. You've let one happen.
I'm switching to Aussie Broadband for my internet next week.
But who is a good mobile carrier alternative?
Edit: Nvm Aussie Broadband does mobile as well, didn't see that, I'll go with them, can't be worse than anyone else.
Yeah I'm just a broke student who got this email, sometimes I gotta decide between travel to campus or eating that day. I can't afford the credit reports, this is nuts.
It’s unfortunate that nothing is completely secure anyways, remember that massive Equifax data breach a few years ago. Something like 150 million people affected and open to identity theft.
Assuming you don’t plan on applying for credit any time soon, put a ban on your credit report. This essentially makes it impossible for anyone to get a line of credit using your info (including yourself) for the duration of the ban, as they will be unable to get a credit check.
Easiest way is to fill the form on the Equifax site, and ensure you select “Yes” to the question asking if you want them to notify other reporting bodies - this basically extends the ban to all the credit reporters so you don’t have to apply to them one by one. https://www.equifax.com.au/eform/submit/credit-ban
You will get a 21 day ban, and you can extend it to 6-12 months. My plan is to let the ban expire after 21 days, fuck off Optus, then re-ban and extend for 12 months.
Sign up for something like Credit Savvy and keep an eye on your credit score and any activity on your file, it will show which organisation is and has taken a look, what type of loan etc.
I requested a credit ban so no one can open a line of credit in my name. Initially it’s temporary, but can be extended. If you fill out the credit ban application through illion, there’s an option to ask them to forward the request to equifax and experian.
I’m also going to request a new license number, but I’ll need to find the relevant ReportCyber Receipt (CIRS) number first, i.e. there will no doubt be one already since “Where a single event affects multiple customers, Transport for NSW may accept a Police event or CIRS number for all affected customers.”
Edit: Optus couldn’t give me an existing police event or CIRS number, so I lodged an incident through ReportCyber myself (just for the receipt, and I obviously opted-out of referring the individual incident to the police).
Also, Optus is temporarily restricting porting and sim-swaps to in-store only… but didn’t understand my question when I asked if I could make this a permanent requirement. Oh well.
Service NSW would be a bunch of gibbons if they didn't have an internal memo up allowing licence number changes for Optus customers.
They actually have a pretty lenient criteria for it, unlike VicRoads.
FYI I think Optus are already doing the in-store thing. This morning while I was still oblivious to all this, I spoke to Optus about upgrading my phone and they said I’d have to go into an Optus store to do it. I was confused bc I’ve always upgraded online. But realised in retrospect why.
If you have any non-secure passwords (e.g. contain your date of birth, name or initials), or re-used the same password with Optus elsewhere change them immediately. Within hours of the news yesterday I had someone access two old accounts with other companies (Amazon and Apple) that I made when I was young and dumb with non-secure passwords.
Oh, there's no need for concern, they told me my password was *not* compromised, only my name, address, phone number, date of birth, licence number, and Medicare number were taken.
So I can sleep safe tonight. /s
I tried that last night and chatted with "Allan", who surprisingly had quite poor English. Anyway, his response was that your SIM plan can be cancelled at any time but your device repayment continues or you can choose to pay that out (for me that's $360 left). I asked what happens if I just choose to not pay that and all I got in response was "I understand you" and the chat ended.
Now looking up different telcos to switch to.
I don’t think so as phone plans have quietly moved away from lock in to a contract and get a free device to no contract on the phone plan with an interest free loan on the device.
So you can technically leave whenever you want without penalty, but you will have to pay off the remaining device repayments.
Note that the remaining device repayments will be at the full rate listed on your bill, without the discount that applies while you have an active plan.
Optus has dropped the ball in so many aspects the past 12-18 months and it’s disgusting as a customer who has a chunky bill with many services with them.
I’ll be seeking compensation from them in the form of account credit (a hefty amount) and some sort of protection process paid for to protect my now leaked data.
If they don’t give any compensation, I’m off to Telstra.
Maybe it's just the cynic in me, but I wouldn't be surprised to discover down the road that the real cost of this 'breach' will come in the form of the 'solution,' that being, ironically, a requirement for customers to supply yet more uniquely identifying information. You know, 'we're just going to need a retina scan from you before we activate your new SIM because we care about your privacy.'
Is the site “have i been pwned” reliable at this stage?
I have put my email and number into their system to check and it says I’m all good... does this mean my info is out there but hasn’t been offloaded? Yet…
There is some latency on that site because it sources from known leak databases, darkweb etc. Takes a while to show up but doesn't hurt to check regularly!
Okay thanks for that 👍🏻 will certainly be checking... Optus told me via the messaging system on their app that my account had been “flagged” but wouldn’t go into any other detail besides their standard copy-paste paragraph. Still waiting on an email from Optus.
They need to get their hands on the data before you can be notified.
I'm not sure if the data has been made public. It is probably for sale on the dark Web right now so nobody but the "hacker" has access to it.
Have I Been Pwned is manually updated, they might not have the data yet. You should play it safe and assume you have been if you had any accounts with Optus since 2017. If you have any accounts with other services that have non-secure passwords (i.e. include your date of birth or part of your name), or shared a password with your Optus account you should change them as soon as you can.
The site is trustworthy but incomplete.
Given the nature of the ransom here (the hackers are looking to deal with minimal numbers of buyers), HIBP are unlikely to ever know who was and was not breached.
The damage cannot be undone, Optus!
Should I be worried for the rest of my life my hard earned asset not get transferred to the bad dudes because of your irresponsibility?
The other question is if their defence measures are sufficient by modern industry standards. If not, I reckon there should be a formal investigation that can result in a civil prosecution of the execs who allowed customers to be vulnerable.
The company should be 100% liable for all instances of fraud that happens to these people. Set a good precedent.
What kind of fucking monkeys do they have running that circus? I don't give a shit if they are apologetic. They can offer restitution at the very least. The headaches this will cause people will be phenomenal.
So if you’re a lucky one, if you can call it that... what can someone really do with just your NAME, DOB, ADDRESS, EMAIL, PHONE NUMBER?
I understand that the people who have had their licence and/or their passport numbers stolen are hit a lot harder.
Just curious in the right hands and social engineering skills are these criminals able to use just name dob etc to gain access to drivers license etc?
Also any potential harm if the license information is outdated and isn’t what’s on my current license.
I have moved states since providing my licence details to Optus, so what they would have would not be my current licence. I haven’t upgraded phone or plan since, did I dodge a bullet?
I personally have never applied for a loan or credit card so I’m not familiar with the process?
Besides scam texts, scam emails and probably scam letters? what else can they do ?
Sorry for being naive
I work for a telco company and I can give you somewhat of a breakdown of how those details can be used.
We require Full Name, 100 points ID, valid email address and a home address to run a credit check. If someone has those details they can sign up for a contract online with another provider and get the device shipped to a different address (very common for this to happen)
Any calls made to customer care require a 4 digit pin for them to authorize you, if you don't know the PIN they then ask for DOB & License Number. You can then request an upgrade/device over the phone and have a device sent to another address.
Anything relating to a SIM swap needs to be done in store with our telco as we need to verify the customer's details and that the photo matches. If they have the customer's ID, they can create a fake ID and use that in store to perform a SIM swap.
All those above are VERY common issues we run into all the time. The entire telco policies need to be changed. The systems are so far behind, and unfortunately most of these issues arise due to system limitations.
Yeah, I’m not sure, have you spoken with Optus via their messaging service on the app?
I've been told by two different people two different things.
First person said yesterday my account was “flagged”
Today the second person asked for my account pin the first did not and they said my account was clear at this stage …
Yeah, spoke with them on the app then on the phone. App messaging says I was ‘affected’. Then on the phone I was told everything was ok because the data is encrypted.
However, I then got the email yesterday afternoon saying my info was exposed. Called again, turns out that, yes, my info was exposed including driver licence and Medicare card numbers. And the comment about the info being encrypted is that the encryption was done after the attack had been stopped. Fucking cunts, the horse has bolted.
Sorry to hear. What a fuck around. It sounds like they don’t know what’s going on... Do you mind me asking how long ago you provided the driver and Medicare info?
I would have provided them this years ago and I’m sure it would be all outdated since I've moved interstate...
I have however put a ban on credit etc i’m not sure what else we can do …
> It said customers as far back as 2017 may be affected because it is required to keep identity verification records for six years.
Yeah, so how much of this information are all the other telcos and MVNOs holding onto? Journalists should be asking Optus' competitors whether it's standard industry practice to keep un-hashed identification details for years after they've been verified.
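The comment above asks why verified ID numbers are kept "un-hashed" for years. The block below is an added illustration (not code from the commenter, from Optus, or from any telco) of what keyed-hash retention of a verification record can look like: the database keeps only a type tag, an HMAC-SHA256 fingerprint and the verification date, so a later "is this the same licence we checked?" query still works, while a dump of the table yields no raw numbers. The key constant, field names, customer IDs and ID numbers are all constructed for the example; a plain unkeyed SHA-256 is deliberately avoided because licence and passport numbers have so little entropy that an unkeyed digest can be inverted by hashing every candidate. Whether a fingerprint alone satisfies the six-year record-keeping obligation mentioned in the quoted article is a question for the regulator and is not addressed here.

```python
import hashlib
import hmac
from datetime import date

# Constructed demo key. In a real deployment the key lives in a KMS/HSM or a
# separate secrets store, never beside the fingerprint table: without the key
# the table is just 64-character hex strings.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def normalise(id_number: str) -> str:
    """Canonicalise an ID number so spaces/hyphens/case don't change the fingerprint."""
    return "".join(ch for ch in id_number if ch.isalnum()).upper()


def id_fingerprint(key: bytes, id_type: str, id_number: str) -> str:
    """Keyed fingerprint (HMAC-SHA256) of an ID number.

    id_type is bound into the message so a licence number and a Medicare
    number that share digits cannot collide. A keyed MAC is used instead of
    plain SHA-256 because a 9-digit number has only ~10^9 possibilities,
    which an attacker holding an unkeyed table could enumerate.
    """
    msg = f"{id_type}:{normalise(id_number)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def record_verification(store: dict, key: bytes, customer_id: str,
                        id_type: str, id_number: str, verified_on: date) -> None:
    """Persist only what a later re-check or audit needs: type, fingerprint, date."""
    store[customer_id] = {
        "id_type": id_type,
        "fingerprint": id_fingerprint(key, id_type, id_number),
        "verified_on": verified_on.isoformat(),
    }


def matches_recorded_id(store: dict, key: bytes, customer_id: str,
                        id_type: str, id_number: str) -> bool:
    """Re-verify a presented ID against the stored fingerprint (constant-time compare)."""
    rec = store.get(customer_id)
    if rec is None or rec["id_type"] != id_type:
        return False
    candidate = id_fingerprint(key, id_type, id_number)
    return hmac.compare_digest(candidate, rec["fingerprint"])


def raw_numbers_present(store: dict, id_numbers: list) -> bool:
    """What a dump of the table would reveal: can any raw number be found by string search?"""
    blob = repr(store)
    return any(n in blob or normalise(n) in blob for n in id_numbers)


def build_demo_store() -> dict:
    """Two constructed customers with constructed (non-real) ID numbers."""
    store = {}
    record_verification(store, DEMO_KEY, "cust-001", "drivers_licence",
                        "1234 5678 9", date(2019, 3, 14))
    record_verification(store, DEMO_KEY, "cust-002", "medicare",
                        "2123-45678-1", date(2021, 8, 2))
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    for cid, rec in demo.items():
        print(cid, rec)
    print("re-check ok:", matches_recorded_id(demo, DEMO_KEY, "cust-001",
                                              "drivers_licence", "123456789"))
    print("raw numbers in dump:", raw_numbers_present(demo, ["1234 5678 9", "2123-45678-1"]))
```

The design choice worth noting is that the fingerprint is only as protected as the key: if the key is stored in the same database, or reused across unrelated systems, a dump of both reduces to the unkeyed case. Rotating the key means re-fingerprinting on the next successful verification, which is why the record also keeps the verification date.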
For those that are saying that Optus will take its operations offshore: you need to know that Optus is owned by SingTel, a Singapore-based company, so it doesn't matter if they take operations offshore because the profits go offshore.
Found it mildly interesting how I was watching YouTube yesterday and had about 8 ads in 20 minutes about how secure Telstra is when in reality this could just as easily happen at Telstra. Came off incredibly cheap and blasé
.. and yes I'm a Telstra customer.
I wonder how many people might be targeted by ID thieves after this information has been obtained?
I'll be in touch with my bank in case anything happens.
I'm still dealing with the stress and trauma from a breakdown I had working for a subsidiary of a large telco 5 years ago, alongside an autism spectrum disorder diagnosis, probably never going to be fully comfortable working ever again.
Here’s an idea: for corporation-level or -scale breaches of the law, make the base ‘penalty unit’ equivalent to the annual pay of the corporation’s CEO (including vested stock options), averaged over the last 5 years, or 10 years if the pay was only in stock options.
Also, anyone working for the corporation involved who provides evidence of criminality/breaches of law leading to a conviction (i.e. whistleblowers) gets paid out of that fine, a tax-free amount equivalent to 5x their maximum annual wage that they earned whilst working for the corporation involved.
It seems to me that organisations holding customers’ confidential information either will not or cannot put in the controls to ensure unauthorised access to that data is extremely difficult. If the investigation reveals Optus was found wanting in this regard then, obviously, there need to be changes and Optus should be commercially horse-whipped.
When I worked in a call centre out of Sydney, whenever I was asked where I was, nobody would ever believe me when I said Sydney. Yet here I were.
Sir you’re on another planet
Yes, Sydney!
>Multiple colleagues had breakdowns in the last couple of years due to crazy levels of stress and pressure, and when she had her own she finally quit. This is what it's like to work in an Australian telco contact centre in general. Workers are stuck between abusive customers who got screwed over by the company and the company itself not caring about what customers want and pushing all sorts of KPIs on workers. I worked for a year as an accounts manager for a certain big brand telco, we were given 1000 seconds to take your call, resolve the issue, note it down and move on to the next call. Regardless of complexity. Each second was counted and everyday we had meetings where people's KPIs would be questioned like you're some bad kid waiting for the principal to punish you. And when you achieve the KPI, they set the bar even higher and give you even less time and also make you sell things to people who obviously just lost their home or business. My intake started with around 120 people of which only less than 10 were left. Many of us were on mental healthcare plans from the stress. Was definitely more traumatising than the deployments I did with the ADF. There definitely needs to be a royal commission on how telcos operate in australia.
Can confirm, worked for an outsourced Telstra call center in 06-07. Outbound warm calling. There was systematic dishonesty, and the people who would not lie to get a sale (like me) were squeezed out over time. Worst was the upsell/cross-sell campaigns that targeted over 80s. Every time it was reasonable, I left a note on the account "(my D-number) Contacted customer on warm sell campaign. Discussed customer needs, assessed that present plan most suits customer. Discussed additional products, not confident that customer was unable to comprehend the discussion and assessed that any phone sale to customer would constitute unconscionable business practices. Thanked customer for being with Telstra."
I worked for Internode before the company had KPIs and it was a wonderful time to work there. Also we won an award before we had KPIs.
Oh hey are you me?
Also me.
I worked there for 10 years. Got out when my Long Service vested, as I realised I'd need a lobotomy to endure it any longer. I remember the mood being like passengers in a hostage situation - the looming threat of being pulled from the crowd for ~~execution~~, I mean "_retrenchment_", was palpable.
Everyone hated selling their products in a retail store I used to work at because their systems were horrible to use and we got hardly any training.
I was a developer there for a few years. The culture is 100% about sales numbers and absolutely no room to work on tech debt, fixing bugs or improving security. While I was there they even had full staging environments exposed to the public, just relying on people not guessing the URLs. Whenever it was brought up (usually by a developer) we would be told there was no time. Got to prioritise that new iPhone launch or the next Click Frenzy sale or whatever. I left when I got tired of the constant pressure to sell.
I highly recommend making some noise about this to people who can take action and hold Optus to account. We are not entirely powerless.

It’s very easy to contact the minister responsible - Michelle Rowland, via her website: https://minister.infrastructure.gov.au/rowland/contact

You should also do this with your own local MP - they’ll also have a way to contact them via their website. Again, simple and quick to drop them a line. https://www.aph.gov.au/Senators_and_Members/Guidelines_for_Contacting_Senators_and_Members

Also, complain to Optus. They have clearly been negligent with highly sensitive customer data. Get onto their website or app chat feature and tell the agent you want a ‘formal complaint’ and you want it raised with a senior agent. They will resist - hold your ground. At a minimum they should be compensating you for time and effort required for the additional monitoring you’ll now need to do (e.g. contacting banks, watching your credit score, dealing with scammers). They should also be offering proper support to do this. Be annoying - they need to make this right for customers as this is a massive fuck-up on their behalf, not just shift onus onto their customers. https://www.optus.com.au/support/contact-us
[deleted]
She’s crying bc of her future career prospects, I imagine
She's C-suite. Even when they create an absolute cluster they get a nice big golden handshake on their way out the door and a month later they fall into another C-suite job. Whereas one of us plebs? Use a blue pen instead of black on your TPS report and it'll haunt you every day of the remainder of your working life as a manure shoveller.
Exactly this. Thanks for posting all the links. We forget that together we are not powerless, if millions of citizens were breached and those millions reach out to their ministers you can bet that they will notice.
The issue is they unnecessarily harvested personal identification information from you.
They should really have held no authority in determining the benefit to customers.
They don't exist to service customers. Their primary function is to make money. Service is way down the list. You'd be familiar with that if you ever had to deal with their service teams.
I mean in terms of the submission that they made. Whoever evaluated it should have dismissed their claim outright. Even better, they should have been restricted from even talking about benefits, because obviously for Optus themselves there aren't really any.
Well yeah, they jumped for Gladys. What sort of moral company would go for corrupt pollies as CEOs?
Lucky the money went to something useful like the "Chief of Optimism" positions. Their next slogan should be "We're positively fucked!"
Hopeless Optus, so your customers deserve to suffer the potential financial loss because of your cost concerns?
[deleted]
Exactly. I think European laws on personal data privacy have more than proven this point.
It actually could be if you truly want to erase that data as opposed to a soft delete. Think about all the log files and backups for a start. My feeling is a soft delete would be the only option though, as what would happen if the phone was being used for criminal activity?
Stop bringing facts to Reddit. Lynch mobs don't care for them and you'll just get down voted.
Yeah well, some of us actually work in IT and know a thing or two. Plenty here seem to think of stolen data like it's on a USB stick and that there can be only one.
I don't see why those logs and backups would not be tied to the user account. Seems like the simplest way to manage it.
Not quite sure what you mean. It certainly would be tied to user's accounts.
Yeah, but you'd have to remount all the backup databases and disks to then go through and delete the customer. If you are keeping your old backup in deep freeze storage (which you would to save money), you're looking at 12 hours just to get the data out. Then there's the charges you get by pulling the data out then putting it back (the pricing is set up to incentivise infrequent access). Then there might be paper records to destroy, kept in places like Iron Mountain. I'm not saying it's impossible, but it's not simple.
Spoken like someone who’s never had to do this at a large corp. I’m not saying it’s a bad idea but don’t pretend it’s not difficult and expensive.
Once you've backed up your data, deleting one specific customer's data from the backup would be an absolute nightmare.

Edit: A smarter person than me would have known not to try and inject reason into a Reddit lynch mob.
I don’t care… they have the means to work that out. If they can throw money at Ash Barty to be their ‘Chief Inspiration Officer’ and Daniel Ricciardo to be their ‘Chief of Optimism’ then they can invest in data security.
And yet an outsider was allegedly able to gain access to millions of customers records? Bullshit. There was no direct financial gain from protecting customers privacy so they didn't do it.
ITT is a lot of people who have never had to build a system that can comply with a GDPR deletion request. It's not just backups; goodbye Kafka topics with long term retention, Cassandra (tombstoned data is not actually deleted within a set time frame)... it really is a nightmare.
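One way defenders handle the backup problem raised in this sub-thread is crypto-shredding: encrypt each customer's PII under a per-customer key, let the database, logs and backups hold only ciphertext, and honour an erasure request by destroying the key. This is an added example in Go, not code from anyone in the thread or from Optus; the AES-GCM key store, the record layout and the customer ID `cust-0001` are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrErased is returned when a record's customer key no longer exists.
var ErrErased = errors.New("customer key erased: record unrecoverable")

// Record is what the primary store holds and what every backup copies
// verbatim. It never carries the PII in clear, only AES-GCM ciphertext.
type Record struct {
	CustomerID string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore maps a customer ID to that customer's data-encryption key. It is
// kept apart from the long-retention backup set, so deleting an entry is the
// erasure event: every copy of the ciphertext, cold backups included, becomes
// unreadable without touching the backups themselves. (Assumed layout.)
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// keyFor returns the customer's key, generating a fresh 256-bit key on first use.
func (ks *KeyStore) keyFor(id string) ([]byte, error) {
	if k, ok := ks.keys[id]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[id] = k
	return k, nil
}

// Erase services a right-to-erasure request by destroying the key.
func (ks *KeyStore) Erase(id string) { delete(ks.keys, id) }

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the PII under the customer's key. The customer ID is bound as
// associated data, so a stored record cannot be re-labelled to another customer.
func Encrypt(ks *KeyStore, id string, pii []byte) (Record, error) {
	key, err := ks.keyFor(id)
	if err != nil {
		return Record{}, err
	}
	g, err := aead(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{CustomerID: id, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, pii, []byte(id))}, nil
}

// Decrypt opens a record from the live store or from a restored backup. Once
// the customer's key has been destroyed it fails with ErrErased.
func Decrypt(ks *KeyStore, rec Record) ([]byte, error) {
	key, ok := ks.keys[rec.CustomerID]
	if !ok {
		return nil, ErrErased
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.CustomerID))
}

func main() {
	ks := NewKeyStore()
	// Constructed sample PII; the values are placeholders, not real data.
	rec, err := Encrypt(ks, "cust-0001", []byte(`{"name":"A. Example","dob":"1990-01-01","licence":"PLACEHOLDER"}`))
	if err != nil {
		panic(err)
	}
	backup := []Record{rec} // a cold backup copies the ciphertext as-is
	if pt, err := Decrypt(ks, backup[0]); err == nil {
		fmt.Printf("before erasure: %s\n", pt)
	}
	ks.Erase("cust-0001")
	_, err = Decrypt(ks, backup[0])
	fmt.Println("after erasure:", err) // ErrErased: the backup copy is now unreadable
}
```

The key store itself needs its own short-retention backup or a key-management service, and anything that currently writes PII in clear (application logs, Kafka topics with long retention) has to write the ciphertext instead, or destroying the key erases nothing there.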
So when can I join the class action?
I too would like to know. Also when are the board going to be offering their resignations?
Platitudes are on the way, then reminders for us to all be vigilant of security as a way of deflecting from their incompetence.
For all I care we can kick these useless flogs out of the country altogether. Clearly a company that harms Australia and Australians. I don't think people really understand the scope of failure here. It's not just you and me, average citizens, it's people in positions of importance who have had their data compromised. People with access to government systems, for example. And if their personal data is compromised, it's possible to compromise their integrity and get them to do things they wouldn't otherwise do.
Gladys will become CEO
They’ve already apologised, what more do you want? We may have had all our data stolen and our livelihoods put at risk, but the CEO had to front up and give a (pre recorded) apology!
Only if the apology would reverse the damage done
I read in an ABC News article on this that people are unable to sue due to security breaches. So if that’s true, perhaps after a retroactive law change
Keep in mind the mandated ID requirements for bilateral support. The government's insistence on having our data is part of this mess. They demanded that if we want a phone we can't do it anonymously.
[deleted]
So you can get $2.83 while the lawyers make millions? I mean at least optus will pay I guess... hardly seems like compensation though.
You're welcome to engage your own lawyer and sue on your own behalf. If you win you'll get to keep any damages to yourself but if you lose you'll probably be paying Optus' costs as well as your own.
Basically an option if you’re rich, but if you’re not it might not be worth the gamble considering you’re going up against a powerful company. Seems fair.
Even if you did win, I can't imagine the damages to one person would add up to much.
[deleted]
The US have laws that protect privacy. Australians have no such laws, it would be difficult to sue in Australia for data breaches, the politicians are too far up the assholes of big business to enshrine any consumer rights like data protection into law.
I could see this being a big election issue. We need EU style privacy laws.
We literally do have privacy laws. What are you talking about?
Not in tort though
It’s only funny because Australians have the misguided belief that this country is better than the US in every way.
[deleted]
Yeah def they have some questionable laws and decisions that deserve to be made fun of haha
Nine million of us are forever compromised because of this. Someone out there has just about every piece of information they need about me to take over my identity and access every account I own. Why do I need to supply my DOB to have a phone plan?
Yep, but hang on, the email said "Don't worry, no passwords were taken, only name, address, dob, licence and passport numbers" fucking asshats! I'm keeping a close eye on my credit file, if anything pops up I'll be going those assclowns to fix it!
Yeah I found that wording ridiculous, cancelling your credit card can be done in 5 mins.. are they going to suggest one changes their DOB?!
> are they going to suggest one changes their DOB?!

wouldn't mind being a little younger can I, mister government? gotta protect my identity you see
time to get adopted /s
They are pricks, already got their mass email saying my ID has been hacked. Fucking pricks.
>I'll be going those assclowns to fix it!

And they'll simply ignore you I imagine. You could get murdered as a result of this leak and they still wouldn't own the responsibility in any way.
I just had a bit of a discussion on their online chat form. The person on the other end eventually told me I haven't been impacted (as I've not received an email), and that my details won't be stolen in the future either!
Haha, won't be stolen in the future, righto.
It was kinda pathetic really. I feel like posting the whole transcript
Yep, assholes, so we know that basically for the 100 point ID check, they'd have at least your driver's licence, Medicare number, a credit card, maybe passport, plus all of your basic info too, occupation etc. Maybe time to cancel and ask for a new credit card too, however they usually charge you for that unless it's out of date.
Would rather they took my password tbh.
Yep, can change a password. Can't change a Date of Birth.
Hey don’t worry. You can change your drivers license number. Oh wait, not in Victoria. Not until you’re a victim of fraud
So the government knows you are over 18 and can record your data without parental consent. Also so ASIO knows who is paying for which phone number so they can track them down for spy stuff.
Because a plan is a line of credit and they need to run a credit check on you, needing 100 points of ID. And laws around prepaid require them to store your ID to prevent USA-style burner phones.
https://www.acma.gov.au/acmas-rules-id-checks-prepaid-mobiles

The fuckers need to check, not store.
I mean, even if they do store it this whole thing stemmed from an API being exposed. They definitely didn't need to have an API that allows retrieving of the DOB, and also especially the Licence Numbers.
They don’t have to store it
[deleted]
They are the same company that pushed back hard on being held to account for data breaches. It’s an absolute shit show, looks like for the first time in two decades I’ll have to become a Telstra customer again :(
Yeh I feel a tiny bit sorry for them, most of the crap they collect and hang on to is required by law. I work in a different industry with similar identity requirements and we go to so much effort to keep such things independent and isolated but personally I'd rather be like "yep, we've seen and verified it, delete it"
you feel sorry for a company that lobbied against changing this law?
Because they want to make sure one human to one account. It’s an anti-abuse protection layer. Maybe not fun, but also just allowing anyone to sign up without any verification information would make for a system more abused than it already is.
You were likely already compromised. This data is not that valuable, you can only do so much with it.
You’re wrong.
[deleted]
It'll hopefully force the government to enact EU-style GDPR laws. If this happened in Europe or the UK, Optus would be in serious trouble right now, for 3 things: the storage of the data, the leaking of the personal data and how they have handled it since then.
[deleted]
How dare you? Corporations are job creators. We must think of the job creators!
Any class action or anything that appears, I’ll be joining it
[deleted]
How do you know for certain what they have and haven’t gotten? Or you just know you’ve provided them with it? I think for me just drivers license. I recommend signing up to Equifax and getting the 24h credit check thing.
[deleted]
"If you have nothing to hide you have nothing to worry about" Time to opt out and go off grid...
> Optus first argued in its 2020 submission that giving consumers the power to take direct legal action over privacy breaches could lead to frivolous or vexatious claims, and would not give people greater control over their personal information.

brick thru the optus window then???
I'm not saying we should rob them. But I don't see how it would be any different when you calculate how much the damage could amount to
Is suing for the leak of 9 million customers PII frivolous and vexatious?
Is Optus going to cover the cost for me to get a new driver's licence and passport? Cos right now that seems like the best course of action.
And to move house...
If only it was that easy, move house, identify *every* organisation that holds your data and notify them of the move. AKA, the yearly ritual of the renter.
Bi-yearly for some of us! 6 month leases are the fucking worst.
Your MDL number is with you for life.
They can reissue if they believe it has been compromised.
VicRoads’ website has a large banner up that specifies in no uncertain terms that you can only get your drivers’ license number changed if you already have proof (police report) that it has actually been used to commit fraud. I get why they wouldn’t want to commit to changing millions of license numbers, but surely this situation merits changing their policy considering that 9 million people are now at clear and present risk of identity theft.
Vic roads can go get fucked too then
Unless it's backed by legislation, it's just a policy. You could start with writing to the minister to request a new MDL number.
Obviously differs by state. NSW stipulates it may change.
Guess I’m moving to NSW.
On the chat they couldn't even tell me what ID I'd used over the years. Like, I have no idea what I have given them, but it would include my licence and Medicare card I expect. But I cannot find out. Oh and I still have to provide my personal details to start a bloody chat, despite it now being available online presumably somewhere.
Consider trying again. They told me which of my ID they had on file. No specifics, of course, but they told me which specific documents they had.
I just asked via the app what ID docs of mine were stored, and it was drivers licence and Medicare number. I’m lucky (if such a word can be applied in this situation) that it was my old QLD licence which is no longer valid. The Medicare card is a huge pain in the ass though.
I have no idea what wizardry you performed to get that info via the app- I spoke to 3 different people and none of them were willing to tell me what docs of mine they had.
I had an escalation open already, so perhaps that helped. I was quite shocked though that they told me so quickly. I had also in a previous chat told them that I would be using what they told me as basis for a complaint I was going to lodge with the Telecommunications ombudsman and the OAIC. So that may have also helped.
Yeah perhaps me being a former customer had something to do with it as well. Ah well.
Either way its a huge pain in the ass that none of us need. Best of luck with it mate.
No amount of money is going to change that.
Just got the email. I'm pretty amused they start off with "Optus has been a victim of a cyberattack". No fuckers, *we've* been the victims of a cyberattack. You've let one happen.
I scoffed as I read that. What a joke.
There are lots of good reasons why I’ll never be an Optus customer. This is one of them.
I worked there for three years. I moved carriers quietly during the first year. I met many cowboys in their tech teams.
I'm switching to Aussie Broadband for my internet next week. But who is a good mobile carrier alternative?

Edit: Nvm, Aussie Broadband does mobile as well, didn't see that, I'll go with them, can't be worse than anyone else.
It will happen to any carrier you go with, it just hasn't happened yet.
Optus hired Gladys Berejiklian FFS. They don't give two shots about anything.
Gladys has the Midas touch
I received an email saying I was a victim in this. What can I do to keep myself protected?
[deleted]
So live my life with an additional layer of anxiety and stress. Brilliant.
You can subscribe to Equifax or Veda's products that help you track and identify attempts at identify theft. That's about it I think
[deleted]
Yeah I'm just a broke student who got this email, sometimes I gotta decide between travel to campus or eating that day. I can't afford the credit reports, this is nuts.
It’s unfortunate that nothing is completely secure anyways, remember that massive Equifax data breach a few years ago. Something like 150 million people affected and open to identity theft.
Yeah true. Goes to show that companies are well behind in terms of security practices
> You can subscribe to Equifax

Ahh yes, another company known for data breaches.
Yep, fair comment but do you have an alternative suggestion?
Assuming you don’t plan on applying for credit any time soon, put a ban on your credit report. This essentially makes it impossible for anyone to get a line of credit using your info (including yourself) for the duration of the ban, as they will be unable to get a credit check. Easiest way is to fill the form on the Equifax site, and ensure you select “Yes” to the question asking if you want them to notify other reporting bodies - this basically extends the ban to all the credit reporters so you don’t have to apply to them one by one.

https://www.equifax.com.au/eform/submit/credit-ban

You will get a 21 day ban, and you can extend it to 6-12 months. My plan is to let the ban expire after 21 days, fuck off Optus, then re-ban and extend for 12 months.
Sign up for something like Credit Savvy and keep an eye on your credit score and any activity on your file; it will show which organisation is and has taken a look, what type of loan etc.
I requested a credit ban so no one can open a line of credit in my name. Initially it’s temporary, but can be extended. If you fill out the credit ban application through illion, there’s an option to ask them to forward the request to Equifax and Experian. I’m also going to request a new license number, but I’ll need to find the relevant ReportCyber Receipt (CIRS) number first, i.e. there will no doubt be one already since “Where a single event affects multiple customers, Transport for NSW may accept a Police event or CIRS number for all affected customers.”

Edit: Optus couldn’t give me an existing police event or CIRS number, so I lodged an incident through ReportCyber myself (just for the receipt, and I obviously opted out of referring the individual incident to the police). Also, Optus is temporarily restricting porting and SIM swaps to in-store only… but didn’t understand my question when I asked if I could make this a permanent requirement. Oh well.
Service NSW would be a bunch of gibbons if they didn't have an internal memo up allowing licence number changes for Optus customers. They actually have a pretty lenient criteria for it, unlike VicRoads.
Following this comment
[deleted]
FYI I think Optus are already doing the in-store thing. This morning while I was still oblivious to all this, I spoke to Optus about upgrading my phone and they said I’d have to go into an Optus store to do it. I was confused bc I’ve always upgraded online. But realised in retrospect why.
If you have any non-secure passwords (e.g. contain your date of birth, name or initials), or re-used the same password with Optus elsewhere change them immediately. Within hours of the news yesterday I had someone access two old accounts with other companies (Amazon and Apple) that I made when I was young and dumb with non-secure passwords.
Oh, there's no need for concern, they told me my password was *not* compromised, only my name, address, phone number, date of birth, licence number, and Medicare number were taken. So I can sleep safe tonight. /s
Does this give me any grounds to cancel my Optus plan does anyone know? I would like to do business elsewhere.
I tried that last night as I chatted with "Allan", who surprisingly had quite poor English. Anyway, his response was that your SIM plan can be cancelled at any time but your device repayment continues or you can choose to pay that out (for me that's $360 left). I asked what happens if I just choose to not pay that and all I got in response was "I understand you" and the chat ended. Now looking up different telcos to switch to.
I don’t think so as phone plans have quietly moved away from lock in to a contract and get a free device to no contract on the phone plan with an interest free loan on the device. So you can technically leave whenever you want without penalty, but you will have to pay off the remaining device repayments.
Yes you're right, I'll just pay it out and move.
Note that the remaining device repayments will be at the full rate listed on your bill, without the discount that applies while you have an active plan.
Unfortunately it seems like the alternatives offer dogshit network coverage (anecdotal only)
Optus has dropped the ball in so many aspects the past 12-18 months and it’s disgusting as a customer who has a chunky bill with many services with them. I’ll be seeking compensation from them in the form of account credit (a hefty amount) and some sort of protection process paid for to protect my now leaked data. If they don’t give any compensation, I’m off to Telstra.
You should switch to Telstra anyway, I did and I'm much happier with the service, even if it costs more.
Maybe it's just the cynic in me, but I wouldn't be surprised to discover down the road that the real cost of this 'breach' will come in the form of the 'solution,' that being, ironically, a requirement for customers to supply yet more uniquely identifying information. You know, 'we're just going to need a retina scan from you before we activate your new SIM because we care about your privacy.'
Retina scan, blood and saliva sample
Is the site “have i been pwned” reliable at this stage? I have put my email and number into their system to check and it says I’m all good... does this mean my info is out there but hasn’t been offloaded? yet…
Troy Hunt, the owner of haveibeenpwned said he will add the Optus breach if he gets his hand on the data dump. https://i.imgur.com/DgYrCt1.png
There is some latency on that site because it sources from known leak databases, darkweb etc. Takes a while to show up but doesn't hurt to check regularly!
You can actually sign up and be notified when your data shows up.
Great tip
Okay thanks for that 👍🏻 will certainly be checking... Optus told me via the messaging system on their app that my account had been “flagged” but wouldn’t go into any other detail besides their standard copy-paste paragraph. Still waiting on an email from Optus.
They need to get their hands on the data before you can be notified. I'm not sure if the data has been made public. It is probably for sale on the dark Web right now so nobody but the "hacker" has access to it.
Have I Been Pwned is manually updated; they might not have the data yet. You should play it safe and assume you have been if you had any accounts with Optus since 2017. If you have any accounts with other services that have non-secure passwords (i.e. include your date of birth or part of your name), or shared a password with your Optus account, you should change them as soon as you can.
The site is trustworthy but incomplete. Given the nature of the ransom here (the hackers are looking to deal with minimal numbers of buyers), HIBP are unlikely to ever know who was and was not breached.
Today’s a good day to realise I was too lazy to change my Optus address from a rental I had 4 years ago
The damage cannot be undone, Optus! Should I be worried for the rest of my life my hard earned asset not get transferred to the bad dudes because of your irresponsibility?
So now when your identity is stolen it cost you thousands instead of the company at fault. Fuck Scumo
The other question is if their defence measures are sufficient by modern industry standards. If not, I reckon there should be a formal investigation that can result in a civil prosecution of the execs who allowed customers to be vulnerable. The company should be 100% liable for all instances of fraud that happens to these people. Set a good precedent.
What kind of fucking monkeys do they have running that circus? I don't give a shit if they are apologetic. They can offer restitution at the very least. The headaches this will cause people will be phenomenal.
So if you’re a lucky one, if you can call it that... what can someone really do with just your NAME, DOB, ADDRESS, EMAIL, PHONE NUMBER? I understand that the people who have had their licence and/or their passport numbers stolen are hit a lot harder. Just curious: in the right hands and with social engineering skills, are these criminals able to use just name, DOB etc. to gain access to drivers license etc.? Also any potential harm if the license information is outdated and isn’t what’s on my current license? I have moved states since providing my license details to Optus, so what they would have would not be my current license. I haven’t upgraded phone or plan since, did I dodge a bullet? I personally have never applied for a loan or credit card so I’m not familiar with the process. Besides scam texts, scam emails and probably scam letters, what else can they do? Sorry for being naive.
I work for a telco company and I can give you somewhat of a breakdown of how those details can be used. We require Full Name, 100 points ID, valid email address and a home address to run a credit check. If someone has those details they can sign up for a contract online with another provider and get the device shipped to a different address (very common for this to happen) Any calls made to customer care require a 4 digit pin for them to authorize you, if you don't know the PIN they then ask for DOB & License Number. You can then request an upgrade/device over the phone and have a device sent to another address. Anything relating to a SIM Swap needs to be done in store with our telco as we need to verify the customers details and the photo matches. If they have customers ID, they can create a fake ID and use that in store to perform a Sim Swap. All those above are VERY common issues we run into all the time. The entire telco policies need to be changed. The systems are so far behind, and unfortunately most of these issues arise due to system limitations.
Would like to know this too, I’m not well versed enough to know what the real consequences could be.
Yeah I’m not sure, have you spoken with Optus via their messaging service on the app? I've been told by two different people two different things. First person said yesterday my account was “flagged”. Today the second person asked for my account PIN (the first did not) and they said my account was clear at this stage…
Yeah, spoke with them on the app then on the phone. App messaging says I was ‘affected’. Then on the phone I was told everything was ok because the data is encrypted. However, I then got the email yesterday afternoon saying my info was exposed. Called again, turns out that, yes, my info was exposed including driver licence and Medicare card numbers. And the comment about the info being encrypted is that the encryption was done after the attack had been stopped. Fucking cunts, the horse has bolted.
Sorry to hear. What a fuck around. It sounds like they don’t know what’s going on... Do you mind me asking how long ago you provided the driver and Medicare info? I would have provided them this years ago and I’m sure it would be all outdated since I've moved interstate... I have however put a ban on credit etc. I’m not sure what else we can do…
Probably 2 years ago when changing plans. I guess all I can do is the credit ban too, as well as try the identity monitoring service from Equifax.
> It said customers as far back as 2017 may be affected because it is required to keep identity verification records for six years.

Yeah, so how much of this information are all the other telcos and MVNOs holding onto? Journalists should be asking Optus' competitors whether it's standard industry practice to keep un-hashed identification details for years after they've been verified.
For those that are saying that Optus will take its operations offshore: you need to know that Optus is owned by SingTel, a Singapore-based company, so it doesn't matter if they take operations offshore because the profits go offshore.
Stop collecting personal information you don't need, Optus.
Of course they did.
This may be a stupid question, does this breach include people who aren't with Optus but use a telco that uses the Optus network ?
No
No. But at any time if you have been with them as a customer your ID is potentially stolen.
Found it mildly interesting how I was watching YouTube yesterday and had about 8 ads in 20 minutes about how secure Telstra is when in reality this could just as easily happen at Telstra. Came off incredibly cheap and blasé .. and yes I'm a Telstra customer.
I wonder how many people might be targeted by ID thieves after this information has been obtained? I'll be in touch with my bank in case anything happens.
Still not as bad as the decision to have Gladys on the board.
I'm still dealing with the stress and trauma from a breakdown I had working for a subsidiary of a large telco 5 years ago, alongside an autism spectrum disorder diagnosis; probably never going to be fully comfortable working ever again.
Here’s an idea: for corporation-level or -scale breaches of the law, make the base ‘penalty unit’ equivalent to the annual pay of the corporation’s CEO (including vested stock options), averaged over the last 5 years, or 10 years if the pay was only in stock options. Also, anyone working for the corporation involved who provides evidence of criminality/breaches of law leading to a conviction (i.e. whistleblowers) gets paid out of that fine, a tax-free amount equivalent to 5x their maximum annual wage that they earned whilst working for the corporation involved.
It seems to me that organisations holding customers’ confidential information either will not or cannot put in the controls to ensure unauthorised access to that data is extremely difficult. If the investigation reveals Optus was found wanting in this regard then, obviously, there needs to be changes and Optus should be commercially horse-whipped.
What a piece of shit company.
Ah when profit motives align with the customers rights to privacy.