Are you one of the millions of Australians who have had their data breached in the recent Optus attack? If so, you may be concerned about the potential consequences and what happens if you’re defrauded. In this article we discuss:

  • What is the threat?
  • Response considerations
  • Personal vs Business Data Breach
  • Steps to safeguard additional data loss
  • How you can place a temporary ban on your credit report to mitigate or prevent any financial damage

On the 22nd of September, Optus (Australia’s second-largest telecommunications company) announced that up to 9.8 million customer details were stolen from their customer database. These details include names, birth dates, phone numbers, email addresses, and – for some customers – addresses and driver’s licenses or passport numbers dating back to 2017.

According to Australian law, telecommunications providers are required to hold your data while you are their customer and for an additional two years but may keep the data for longer for their business purposes.

Unfortunately, this may mean that even if you are a previous customer, your data may be included in the breach, and now is the time to be vigilant in protecting your data.

Optus has announced that they are conducting an independent external review of the company’s massive data breach, yet customers are still left asking, ‘What happens to my data moving forward, and what can I do to protect myself from any unprecedented breaches in the future?’

What is the Threat?

Now under investigation by the Australian Federal Police, the Optus data breach ranks as one of the country’s largest breaches ever recorded.

The now-known hacker, going by the nickname “Optusdata”, published two different samples of stolen data on a well-known data leak forum following the breach. You may have seen a screenshot from BreachForums floating around the internet and on social media. It includes a threat from the purported hacker claiming to have the data and demanding a ransom of $US1 million ($1.5 million).

The compromised data includes personal documents provided by customers that equate to 100 points to prove their identity.

If your data has been compromised, there is a chance it could be distributed across the dark net. Cybercriminals use breached data to commit identity theft and fraudulent credit applications or use personal information in phishing attacks.

Response Considerations

Each customer will need to be handled on a case-by-case basis depending on the extent of the personal or business information breached and compromised.

As a precautionary measure, there are proactive steps you or your business can take, alongside placing a temporary ban on your credit report. These steps are:

  • Remain vigilant surrounding potential scams or any unsolicited calls/emails/texts.
  • Scammers try to impersonate the government and other businesses. Ensure that you never respond to requests to supply personal and account information, or access to your device.
  • Never click on any links that look suspicious, and never supply passwords or personal or financial information.
  • Consider subscribing to for the latest information about scams affecting our community.
  • Look out for any suspicious or unexpected activity across your online accounts and report any fraudulent activity at once to your provider.

We also recommend that all personal and work accounts be protected with multi-factor authentication.

Personal vs Business Data Breach

Whether you hold a personal account with Optus or have an attached business account, your data is equally at risk. If you are a business owner, ask yourself, ‘Could this data breach negatively impact my business?’ This question matters all the more because most businesses up until this point haven’t invested in cyber security solutions.

Here are 4 steps you can take to improve your personal security

Step 1: Identify your most vulnerable accounts and secure them

Make a list of your most vulnerable accounts. Do you hold a personal account? Have you got a business account or both? Which bank accounts or card details are connected? What other business accounts or personal accounts are your credit card details saved to?

Next, check how a password reset is done for each of these accounts. Does it merely require access to your text messages or email account? If so, you need to protect those accounts as well. Consider updating your password to a new, never-used password for each account as a precautionary step.

This is also where a password manager can come in useful: you don’t have to remember all your passwords, and they’re held in a safe and secure place. (Not on a post-it note!)

Step 2: Lock your SIM card and credit card if possible

A major concern for many with the current threat is that the data will be used to compromise your phone number, which is what many people use for their multi-factor authentication. SIM jacking, where someone gets a mobile phone provider to give them access to a phone number they don’t own, is a serious threat and should be treated as one.

Most carriers allow you to add a verbal PIN as the second verification step, to prevent SIM jacking. Even though Optus has chosen the step of locking down SIM cards temporarily, that lock will not last forever. Call your provider and ask for a verbal PIN to be added to your account. If you suddenly lose all mobile service in unusual circumstances, contact your provider to make sure you haven’t been SIM jacked.

Step 3: Improve your cyber security

There are multiple ways people can use your leaked data that you may not yet be aware of. The personal or business information that has been stolen from Optus could be combined with other information cyber criminals can find about you online. This could include information related to your social media profiles, your business website, your employer’s website, any discussion forums, and earlier breaches that supply additional information. The truth of the matter is that so many of us, businesses included, have unknowingly been victims of cyber breaches in the past.

We recommend that you check what information about you is available to cyber criminals by checking the website HaveIBeenPwned. This website is hosted and run by Australian security professional Troy Hunt and offers a database of what is known to be leaked data.

Simply search for your email accounts on the site to get a list of what breaches they have been involved in.

Always create unique and secure passwords for everything you sign up to, and go back now and change any passwords you may have been using for multiple sites or accounts.

Step 4: Place a Temporary Ban on your Credit Report

If you or your business has had any specific data breached in the Optus attack, or even if you are concerned that your data may have been compromised in the past without your knowledge, you can take steps to place a temporary ban on your credit report.

A credit report ban ensures that a credit reporting bureau will not show any information from your credit report to a credit provider. It offers a period for any potential fraud to be investigated without the risk of added damage to your credit score.

In effect, no one will be able to apply for credit in your name while this credit freeze is active.

If a credit provider asks a reporting bureau for information while the ban is in place, the reporting bureau will alert the creditor of the ban and that you may have been a victim of fraud. The only way your information could be released during a ban is with your express written permission or if it is mandated by Australian law.

How do I place a ban on my credit report?

The quickest way to place a ban on your credit file is by filling out the request form at one of the 3 major credit bureaus in Australia:

Equifax: Request a credit freeze with Equifax by completing this form.

Experian: Request a credit freeze with Experian by completing this form.

Illion: Request a credit freeze with Illion by completing this form.

When applying for a ban with one of the bureaus listed above, you can also request that they freeze your credit file with the other 2 bureaus. This will require that you agree to their terms and conditions. Please note that the bureaus may be experiencing higher-than-average demand as a result of the Optus hack, and there may be a delay before your application is confirmed. Still, the sooner you start the process, the sooner you take the first step in safeguarding yourself or your business from further potential implications.

Placing a freeze on your credit report gives you a first ban period of 21 days. If extra time is needed, you can request an extension. Your credit score is not affected by placing the freeze, and the freeze will not affect your current credit accounts or repayment responsibilities either.

Where to from here?

By following the steps outlined in this article, you can feel more at ease knowing you are putting the right steps and processes in place to mitigate any further risk. Should you need any more information, or have any questions, please do not hesitate to get in touch with us here.

Help others understand the steps they can take to safeguard their personal and business information by sharing this article! You never know who you can save by doing so.