Optus Data Breach

[Bones17]

Optus says customer information compromised in cyber attack

Optus is hit by a cyber attack that compromises customer information. Customers' names, dates of birth, phone numbers and email addresses have been exposed.

www.abc.net.au

 

[TigerMasochist]

Looks like Oopstarse needs a better security system. Nothing ever gunna be safe when there's potential to access millions of peoples personal info all nice n securely stored on the internet.

 

[Tigers of Old]

There's a reason we call them Droptus in our household.

 

[ThePercies]

There's a reason we call them Droptus in our household.

We don't have a choice up here. Telstra is pretty poor and Optus is just slightly better. I'm more worried about my slow nbn speeds

 

[tigerman]

Don't know what Optus's mobile network coverage is like nowadays, it wasn't as good as Telstra's when I enquired about it years ago. With historical passwords, addresses etc part of the hack, I'm glad i never signed up.

 

[AngryAnt]

Good thread here.

https://twitter.com/i/web/status/1573228058789974016

Basically some engineers setup an unathenticated API on a test network exposed to the internet, so anyone could access it without logging in.

Even more unbelievably, this test network was connected to the production database containing the live customer data that has been stolen.

This setup violates the most basic rules of software and internet security/separation of concerns.

This is so incredibly bad I can't even.

 

[mexican_radio]

someone is going to have to take the fall for this

 

[Tigers of Old]

The banks seem paticularly jumpy. Got a text for this morning 'unusual actvity on your account' for a regular monthly payment.

 

[TigerMasochist]

Might be old, stupid n totally internet inept. But why do any of these mobs need to save all your personal info once they have established your bona fides to set up your account????
Everyone constantly gets told to upgrade their internet security, not just hand out private information etc etc etc. Yet mobs like banks, phone companies, utilities companies store the private details of millions of people and are probably constant targets for the hackers as the value of breaking in would be in the multi millions of $
Oops we're sorry simply doesn't cut it, with all the info these bastards have stored in their files thousands upon thousands of fake identities could easily be established.

 

[TigerMasochist]

The banks seem paticularly jumpy. Got a text for this morning 'unusual actvity on your account' for a regular monthly payment.

Just be happy that they're keeping a close eye on your account at the moment ToOheys, even if they are a bit twitchy.

 

[TigerForce]

Besides f*cking up my monthly payments when going to nbn, everything seems fine on this side. Too many duds at the call centre IMO.

 

[AngryAnt]

Might be old, stupid n totally internet inept. But why do any of these mobs need to save all your personal info once they have established your bona fides to set up your account????
Everyone constantly gets told to upgrade their internet security, not just hand out private information etc etc etc. Yet mobs like banks, phone companies, utilities companies store the private details of millions of people and are probably constant targets for the hackers as the value of breaking in would be in the multi millions of $
Oops we're sorry simply doesn't cut it, with all the info these bastards have stored in their files thousands upon thousands of fake identities could easily be established.

Because they need your details for confirmation when you ring in to change/close account. They are legally obliged to keep details for 6 years IIRC.

Without knowing the full details, I can't believe this stuff was all kept in a single or at least a linked DB. Looks like the guy who stole the data is selling on the dark web for $1 million, pretty cheap. If I was optus I'd be buying it back and hoping it doesn't get resold elsewhere.

 

[bigwow]

Besides f*cking up my monthly payments when going to nbn, everything seems fine on this side. Too many duds at the call centre IMO.

Had the same issues a few years back. Curiously, resolved in a couple of days, once I involved the Ombudsman, prior to that months of back and forth, with no result.
Dumped them soon after.

 

[TT33]

Had the same issues a few years back. Curiously, resolved in a couple of days, once I involved the Ombudsman, prior to that months of back and forth, with no result.
Dumped them soon after.

unfortunately, it seems to me that like most large organizations they're totally useless at really looking after their customers/clients.

The communication industry & energy sector are perfect examples of maximising profits whilst doing as little as possible to provide the best possible service for their customers.

I can't tell you how sick I am of hearing the phrase "Your call is important to us please stay on the line, a customer service person will be with you as as soon as possible".

Meanwhile 20 minutes later you might be lucky to have your call answered.

JUST EMPLOY MORE STAFF YOU MONEY GRABBING B@*&T@RDS

 

[TigerForce]

unfortunately, it seems to me that like most large organizations they're totally useless at really looking after their customers/clients.

The communication industry & energy sector are perfect examples of maximising profits whilst doing as little as possible to provide the best possible service for their customers.

I can't tell you how sick I am of hearing the phrase "Your call is important to us please stay on the line, a customer service person will be with you as as soon as possible".

Meanwhile 20 minutes later you might be lucky to have your call answered.

JUST EMPLOY MORE STAFF YOU MONEY GRABBING B@*&T@RDS

Same here TT. Best way to solve a problem now is to use the online chat like I did in the end. Lost 90 minutes of calls on my mobile when they told me to 'hold', and then decided to use the online chat which looks like a robot but ended up being quicker.

 

[TT33]

Same here TT. Best way to solve a problem now is to use the online chat like I did in the end. Lost 90 minutes of calls on my mobile when they told me to 'hold', and then decided to use the online chat which looks like a robot but ended up being quicker.

Yeah fair comment TF, I'll have to sstart using that a bit more,, sometimes they can't answer some queries. But Instead some good experiences with it.

 

[BT Tiger]

Good thread here.

https://twitter.com/i/web/status/1573228058789974016

Basically some engineers setup an unathenticated API on a test network exposed to the internet, so anyone could access it without logging in.

Even more unbelievably, this test network was connected to the production database containing the live customer data that has been stolen.

This setup violates the most basic rules of software and internet security/separation of concerns.

This is so incredibly bad I can't even.

It doesn't sound much like a "cyber attack" as they described it to me in yesterdays email, more like they left the doors unlocked for someone to waltz in to pinch a bunch of stuff. Not happy Jan.

 

[BT Tiger]

Because they need your details for confirmation when you ring in to change/close account. They are legally obliged to keep details for 6 years IIRC.

Without knowing the full details, I can't believe this stuff was all kept in a single or at least a linked DB. Looks like the guy who stole the data is selling on the dark web for $1 million, pretty cheap. If I was optus I'd be buying it back and hoping it doesn't get resold elsewhere.

If they did pay this ransom how could they guarantee that the data hasn't just been copied and then ask for more money?

 

[DavidSSS]

Might be old, stupid n totally internet inept. But why do any of these mobs need to save all your personal info once they have established your bona fides to set up your account????
Everyone constantly gets told to upgrade their internet security, not just hand out private information etc etc etc. Yet mobs like banks, phone companies, utilities companies store the private details of millions of people and are probably constant targets for the hackers as the value of breaking in would be in the multi millions of $
Oops we're sorry simply doesn't cut it, with all the info these bastards have stored in their files thousands upon thousands of fake identities could easily be established.

For a phone account I see absolutely no reason why they need your passport number or the like, all they need is some level of prrof that you will pay the bills. Where I work we do need positive proof of identity and it does worry me that the scans of passports and the like are not removed later. What they need to do is to sight the proof of identity and then tick a box saying it has been sighted. No need to keep this.

DS

 

[AngryAnt]

It doesn't sound much like a "cyber attack" as they described it to me in yesterdays email, more like they left the doors unlocked for someone to waltz in to pinch a bunch of stuff. Not happy Jan.

Exactly so. No hacking involved, doors left wide open.

Apparently the api address was api.optus.com.au

‍‍‍‍