Brought To You By Corum Cyber Defence Shield

Authored by David Carroll, Corum’s Chief Information Security Officer

What Can You Do About Your Personal Security If You Are Impacted By The Optus Breach? 
 

My role in Corum involves providing security guidance and advice to our internal team about product or system security. It also means I get approached by our staff when there are incidents, such as with the Optus Breach.  

Speaking with one of our team members this morning, he asked me what he should do to protect his family, given they are all Optus account holders. I told him I would write up some advice he could share with his family. I thought the advice may benefit other Corum staff and the greater Corum customer family, so we are sharing the tips on our Cyber Security News Page.

What do we know about the breach?  

There is plenty of media information about the breach, so I won’t go into specific details here. In short, threat actors have gained access to up to 9.8 million Australians’ personal data via Optus systems.  

According to Optus, the data included

  • Your name 
  • Date of birth 
  • Email address 
  • Phone number
  • The postal address associated with your account, and  
  • The numbers of the ID documents you provided, such as driver’s licence, Medicare, or passport number.  

According to Optus, the data did not include

  • Copies of photo IDs 
  • Account Passwords 
  • Payment details such as bank and credit card account numbers.  

Optus is providing a subscription to Equifax Protect for 12 months for impacted customers. While this is a positive step, it doesn’t do much to protect you now.  

What can you do now?

  1. Keep up to date with the Optus investigation and recommendations: 
  2. Follow the advice from cyber.gov.au and take steps to protect your identity by:
  3. Protect yourself from phone porting and SIM card scams 
    • As your mobile phone number and critical forms of identification have been breached, you may be at increased risk of your mobile phone number being “ported” to another SIM card.  
    • Where possible, move any SMS-based MFA to app-based MFA to protect your accounts. If your mobile number is ported, the threat actor will gain access to any account that sends an SMS security code. 
    • Use a multifactor authentication app such as Microsoft Authenticator or Google Authenticator instead. 

  4. Ensure you have strong endpoint protection such as anti-malware, anti-spam, and ransomware protections on all your devices.  
    • The threat actors are likely to use the information to target you with spear-phishing emails to gain further information or gain access to your device. 


  5. Check whether your information was previously involved in a breach by looking it up on the https://haveibeenpwned.com/ website.  
    • This free resource is owned and managed by Troy Hunt, a well-known Microsoft security researcher who created the site to help individuals and companies keep track of breached information. You can enter your email address or a commonly used password and see if it has previously been breached.  
    • If your email address or passwords have been breached previously, a threat actor may combine that with this new information to attempt to gain access to your email or other online accounts. The site can let you know if you need to change passwords on those sites or on any site where you used the same password. 
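To show how the password check on that site works without your actual password ever leaving your machine, here is an added Python example (not from this article and not Have I Been Pwned’s own code): it implements the k-anonymity range lookup used by the Pwned Passwords API, where only the first five characters of the password’s SHA-1 hash are sent and the remaining 35 are compared locally. The sample response and its breach count are constructed for the demo; only `check_online` needs network access.

```python
import hashlib
import urllib.request

# Constructed sample of what the range endpoint returns for one prefix:
# each line is "<SHA-1 suffix (35 hex chars)>:<breach count>".
# The third suffix is the real SHA-1 tail of the string "password"
# (full SHA-1: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) so the demo matches;
# the counts are made up for illustration.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
"""

def split_sha1(password: str):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.
    Only the 5-character prefix is ever sent over the network (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response and return how often the full hash was seen.
    0 means the suffix is absent, i.e. the password is not in the corpus."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_offline(password: str, range_body: str = SAMPLE_RANGE_RESPONSE) -> int:
    """Offline check against a captured/constructed range response."""
    _, suffix = split_sha1(password)
    return count_in_range(suffix, range_body)

def check_online(password: str, timeout: float = 10.0) -> int:
    """Live lookup against the Pwned Passwords range API (needs network)."""
    prefix, suffix = split_sha1(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},  # assumed identifier
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range(suffix, body)

if __name__ == "__main__":
    hits = check_offline("password")
    print("seen in breaches" if hits else "not found", hits)
```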

  6. Start using a password manager.  
    • We have covered this topic many times, but the additional protection it adds to your online security is invaluable. It will allow you to have unique, long random passwords that you don’t need to remember for each account.  
    • This means that should a threat actor gain access to one of your accounts, they will not be able to use the same password to access your other accounts.


  7. Protect your critical accounts with Multifactor Authentication (MFA). I won’t go into detail on how to do it for each type of account. The ACSC has some step-by-step guides you can follow. Ensure you have MFA enabled for the following account types: 
    • Your business and personal email accounts; focus on any primary email addresses. All major email providers (Gmail, Microsoft, Outlook, Hotmail, Yahoo, etc.) support MFA.  
    • Protect your banking accounts. Note: Not all Australian banks currently support MFA.  
    • Protect your social media accounts. Your social media account has valuable information that can be used to find out the most personal information about you. It can be used to target you or your family and friends.  
    • Consider using a physical security key such as a Titan Security Key or a FIDO security key to provide the ultimate protection for your email and other online accounts. These small USB-based devices are plugged in or tapped to complete a log-on to your accounts. Once set up, they stop all types of online attacks aimed at gaining access to your accounts.  

Demands and Motivations 

I have included a screenshot of the threat actor’s demands that were posted online. I find it interesting that they have already assessed and reviewed the data. They know how many records contain the most sensitive information. They are demanding a ransom and openly selling the information at the same time. 

Cybercrimes such as this are motivated by money. It is a business. They have little care for the impact on you or your customers, or for where the money comes from.  

If you are a business owner and you are collecting and storing personal data, it is your responsibility to ensure that you are protecting it. Consider the impact on your customers, your business and your reputation. If you haven’t taken steps to start securing your business appropriately, this breach serves as a strong reminder to start doing so.  

If you are worried about the security of your pharmacy systems and want to know how you can protect your pharmacy with world-class security controls automatically, speak to your Corum Customer Success Manager or contact us on 1300 669 865.