Impacted by the breach? Government agencies have published advice on actions to take.
Up to 9.7 million Australians may have had their data obtained through the Optus breach. That’s over 38 per cent of the national population, and nearly half the number of people old enough to have a driver licence.
Josh Allen, a 29-year-old student, is one of the customers impacted by the breach. He joined Optus six years ago to access Premier League coverage; the company holds exclusive broadcast rights until 2028.
“I don’t care about my driver licence,” Allen laughs. “I just need the Premier League.”
Allen believes Optus’ response to the hack was an own goal. He says the company hasn’t been clear on how he’s been personally impacted, and that he finds out more from media outlets than from Optus itself.
Optus notified Allen his data was part of the leak on Friday, the 23rd of September — a day after its original media release.
"We apologise unreservedly:" Hear the email Optus sent disclosing the breach to Allen.
This email was all Optus sent Allen directly about the breach for over three weeks, until the company told Allen it was his passport details specifically which had been leaked.
That didn’t stop Optus emailing Allen about unpaid bills. “So they still want their money,” Allen says.
However, Allen also received another email related to the hack: a message purporting to come from a law firm based in the U.K. invited him to provide his details to join a class action. He later discovered the email was fake.
Scam emails, like the one Allen received, are a form of ‘social engineering’ — think psychological manipulation — called ‘phishing.’ It’s a strategy used to get targets to willingly hand over their information.
Many phishing techniques rely on impersonating a known source — like a big brand or law firm — to gain targets’ trust. Then, bad actors can direct targets to a fake log-in page or sign-up form.
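The two impersonation signals described above, a trusted name on the display side with an unrelated sending or reply domain, and a link that points somewhere other than the brand being imitated, can be checked mechanically. The following is an added example, not part of the original article or any Optus tooling: it parses two constructed messages (one modelled on the fake class-action email Allen describes, one a legitimate notice) and reports which indicators fire. The trusted-domain set and all addresses and hostnames are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: display name claims to be about the Optus breach, but the
# sender domain, the Reply-To domain and the link host are all unrelated.
SAMPLE_PHISH = """From: "Optus Class Action - Smith & Partners LLP" <claims@optus-claims.example-mailer.net>
Reply-To: optus-claims@webmail.example
To: josh@example.com
Subject: Join the Optus data breach class action
Content-Type: text/plain

Dear customer,
Register your claim at http://optus-breach-claim.example-host.net/register
"""

# Constructed sample: sender and link both sit under the brand's own domain.
SAMPLE_LEGIT = """From: "Optus" <noreply@optus.com.au>
To: josh@example.com
Subject: Important information about your account
Content-Type: text/plain

Please read the guidance at https://www.optus.com.au/support/cyberattack
"""


def sender_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def link_hosts(body):
    """Set of hostnames referenced by http(s) links in a plain-text body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def in_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    return host in trusted or any(host.endswith("." + d) for d in trusted)


def phishing_indicators(raw_message, trusted_domains):
    """Return a list of human-readable indicators; an empty list means none fired."""
    msg = message_from_string(raw_message)
    trusted = {d.lower() for d in trusted_domains}
    findings = []

    from_dom = sender_domain(msg.get("From"))
    if not in_trusted(from_dom, trusted):
        findings.append(f"sender domain '{from_dom}' is not a trusted domain")

    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain '{reply_dom}' differs from sender domain '{from_dom}'")

    body = msg.get_payload()  # samples are single-part plain text
    for host in sorted(link_hosts(body)):
        if not in_trusted(host, trusted):
            findings.append(f"link host '{host}' is not a trusted domain")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample, {"optus.com.au"}) or "no indicators")
```

The check is deliberately conservative: it only says what does not line up, and a message with no indicators is not proven genuine. The same logic applies to any brand by changing the trusted-domain set.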
"It was beautifully done:" Allen recalls getting a phishing attempt after the breach.
Allen believes the phishing email was an attempt to build upon leaked information. In some cases, bad actors can use details they already have like jigsaw pieces to create a complete picture of a target’s identity.
For example, if a bad actor gets a target’s phone number, they can use other information to ‘sim-jack’ the number to their own SIM card by convincing a phone company they’re the target.
In conjunction with a target’s email address, a bad actor may now request and receive two-factor authentication (2FA) codes sent by SMS from major websites, making it easier to log into the target’s accounts.
The jackpot would be the target’s email password. With that, a bad actor can reset the login details for the target’s other accounts, including online banking services and social media.
Combine those with ID documents like a passport and credit applications become easy as 1, 2, 3.
"There's part of me that does feel uncertain:" Allen shares concerns about moving forward.
Optus has referred Allen’s passport number to the Document Verification Service. Thankfully, that means bad actors can’t use it as an identity check online. Unfortunately, neither can Allen.
In “specific circumstances,” says Optus, the company may foot the bill for a new passport, but there’s still no clarity on how the scheme will work from the Australian Passport Office or Optus.
Had Allen’s driver licence information been leaked, he could apply for a new one from VicRoads. It’s using a form to match application details against leaked data before processing replacements.
And for other information like email accounts or phone numbers, Allen may want to make sure the answers to security questions used to reset the details for those services are known only to him.
In the meantime, Allen is waiting for more communication from Optus. There’s just one problem.
“Do I feel like I can trust them? The short answer is no, really.”
Those impacted by the incident are advised to contact reputable sources for information.
Reputable sources include:
Office of the Australian Information Commissioner
Moneysmart
IDCare
Australian Cyber Security Centre
You should not use non-government sites to check if your data has been exposed.