Optus Data Breach Support Guide

This page compiles some of the publicly available resources that might help if you are impacted by the Optus Data Breach.

We have laid this out in a series of steps with additional guidance to support you as you navigate through this.

About Astero
Astero is a cyber security company that helps high growth technology companies and regulated entities manage their exposure to cyber security threats. Please contact us if you have any questions or feedback.

1. Follow IDCARE's Advice to Protect Your Identity and Credit Score
IDCARE - Optus Data Breach Response Page
IDCARE - Optus Fact Sheet
IDCARE - GetHelp Form
  • IDCARE is one of the central resources for helping consumers respond to this data breach. Please refer to the guidance on the IDCARE page and Optus Fact Sheet linked above.
  • Their guidance refers to other Fact Sheets for:
    - Being vigilant about scams and unsolicited communications (link).
    - Getting free credit reports to monitor changes to your credit (link).
    - Applying for a credit ban across the major Credit Reporting Agencies (link).
  • If you become aware of your information being misused, complete the IDCARE GetHelp web form immediately.
The remaining steps on this page are informational in nature and have been provided by Astero to help you navigate some of the other guidance provided by IDCARE and other organisations.

Please read the Disclaimer at the bottom of this page before proceeding and keep up-to-date by contacting Optus via the My Optus App or calling 133 937.
2. Change Your Optus Account Password
Optus - How to reset your password
ACSC - Creating strong passphrases
  • Change the password for your Optus account using the instructions linked above. This page was written for users who have forgotten their passwords, but the steps are exactly the same.
  • Ensure this is a unique password that is not used for any of your other accounts.
  • It is highly recommended to use a strong passphrase as your password, as long as they meet the parameters required by Optus.
  • Refer to the Australian Cyber Security Centre (ACSC) link above for guidance on creating strong passphrases.
3. Change Your Other Passwords
ACSC - Password managers
  • Change the passwords for all of your other accounts (e.g. email, bank, social media). This is critical for any accounts that used the same password as your original Optus one.
  • The guidance in Step 2 applies here. Ensure you use unique passwords for each account and strong passphrases where accepted.
  • Look to use a Password Manager. This will make it easier to generate and keep track of each unique password. Apple Keychain and Google Password Manager are good options to get started but there are many third party providers that work across multiple devices and operating systems.
  • Refer to the Australian Cyber Security Centre (ACSC) link above for guidance on selecting and securely using a Password Manager.
4. Use Multi-Factor Authentication
ACSC - Turn on multi-factor authentication
  • Enable multi-factor authentication (MFA) or two-factor authentication (2FA) for all of your accounts where possible.
  • Refer to the Australian Cyber Security Centre (ACSC) link above for guidance.
  • There are a number of ways to implement MFA. Where possible, use an authenticator app (e.g. Microsoft or Google Authenticator) on a trusted device that has screen locking enabled. Physical hardware tokens are even better.
  • Where possible, do not use SMS for MFA. The risks around SMS are explained in Step 5.
5. Secure Your SIM Card and Phone Number
SIMProtect - SIM hijacking is on the rise in Australia
Optus - How to change your SIM card PIN
  • SIM card hijacking / swapping / porting scams allow attackers to port your SIM card and phone number to their own SIM card. Once in control, attackers can intercept your phone calls and SMS messages. This includes MFA codes where SMS MFA is used, and one-time passwords used for bank transfers. Refer to the first link for further information.
  • Optus has allegedly made it harder for these attacks to take place, with all SIM swaps to be made in-person at an Optus store.
  • However, it is recommended that you enable and/or change your SIM card PIN using the instructions and device guides in the second link above.
6. Getting New ID Credentials
Australian Passport Office - Optus Data Breach
Services Australia - Optus Breach - Medicare Card
Optus - Driver Licence Information
  • As stated by the Australian Passport Office, getting a new passport is a personal decision and currently a cost that you will need to pay for yourself. Refer to the link above for guidance.
  • If you’re concerned or you’ve been affected, you can replace your Medicare card. Services Australia have provided guidance in the second link above.
  • Replacement driver's licence numbers and associated fees is a topic that is currently under development with each state. Refer to the other links here for the latest guidance available for each state as at 28/09/22.
  • Please note that in some states, driver's licences have two identifiers:
    1. Driver's licence card number (a simple process to replace in most states)
    2. Driver's licence number (might require a Police report in some states)

    This is still developing and we are expecting Optus to disclose if one or both of these two identifiers, and any other data fields, have been breached for each of their impacted customers. Refer to the third link above for an update from Optus.

    Pay attention to the requirements on each page and reach out to your respective state agency for more information.

    NSW example as at 28/09/22: According to the link provided, most finance applications in NSW require both of these numbers so only changing the card number should be sufficient. However, the second option is recommended if you genuinely believe that your identity has been stolen, which currently requires a Police report.
ACT Driver Licence
NSW Driver Licence
NT Driver Licence
QLD Driver Licence
SA Driver Licence
TAS Driver Licence
VIC Driver Licence
WA Driver Licence
7. What Data Might Optus Have on You?
Whirlpool Forums - Optus September 2022 Cyberattack & Data Breach
  • It is expected that Optus will eventually reach out to each individual customer that has been impacted by this incident and disclose which of their data fields and information was breached.
  • In the meantime, the Whirlpool Forums and their members have explained a way that you as an individual can see which of these fields might be stored by Optus on your behalf (e.g. driver's licence and card numbers, passport number, or Medicare card number).
  • Refer to the instructions in the link above at your own discretion. This will require you to login to your Optus account in a browser and check two Optus URLs.
  • Please note the data that comes back from this technique is not necessarily the information that has been breached.
8. What Else Can You Do?
ACSC - Easy steps to secure your devices and accounts
ACSC - Protect yourself and your family
  • This is an unfortunate event but has put the spotlight on the real nature of cyber security threats today. We highly recommend that you use this opportunity to improve your cyber security posture against a range of threats, beyond data breaches.
  • The Australian Cyber Security Centre (ACSC) website is an excellent source of information for individuals and families, businesses, and larger organisations.
  • The links above are a great starting point and include guides on:
    - Updating your devices (link)
    - Backing up important data (link)
    - Ransomware attacks (link)
Thank You
  • If you found this page helpful please feel free to follow Astero on LinkedIn and contact us if you have any questions or feedback.
  • We have provided links to other sources and guidance below.
Other Sources and Guidance

Disclaimer

Material on this site is made available on the understanding that Astero AU Pty Ltd (Astero) is not providing professional advice. Before relying on any of the material on this site, users should obtain appropriate advice from Optus, Government authorities, or information security and legal professionals.

Links to other Internet sites are for your convenience. Astero takes reasonable care in linking to other websites but has no direct control over the content presented in those websites or the availability or currency of those the websites. Astero does not endorse or recommend any links to external websites or third party content. Astero makes no representation that the material on any linked websites does not infringe the intellectual property rights or any other rights of any person. Astero does not authorise the reproduction of such material.

While efforts are made to provide accurate information, there are no warranties or guarantees whatsoever as to the currency, completeness, suitability, or applicability to a particular situation.

Astero may revise this Disclaimer from time to time. Please contact us if you have any questions or feedback.

Contact Us

Thank you.
Please complete all mandatory fields.