Scamwatch is urgently warning Australians to be on the lookout for increased scam activity following the recent Optus data breach and to take steps to protect themselves.
About the Optus data breach
The information that has been released in the data breach includes:
- your name
- date of birth
- phone numbers
- email addresses,
- residential addresses, and
- identity document numbers. For example, driver’s licence, Medicare or passport numbers are all information that are used to identify you.
Serious damage can occur when your information winds up in the wrong hands, but there are steps we can take to protect ourselves. Scamwatch urges everyone to be cautious and remain alert to potential scams.
IDCARE has a dedicated support page to assist Optus customers impacted by the data breach. While there are real and serious risks, there are ways to protect ourselves.
All consumers and businesses should look out for scams
- Scammers will use the data breach and target people in any way that they can. This means you will likely notice an increased number of phishing emails, phone calls, and SMS or social media messages.
- Be wary of new communications and don’t just accept what you’re being told. Take your time, do your research, and independently contact the purported business or agency communicating with you, using contact details you have sourced yourself, for example through searching for the business or agency online.
- Do not click any links or open any attachments.
- never provide anyone with your personal or banking information or grant remote access to your device.
- Check the login activity for your accounts and sign out of unrecognised devices (Microsoft, Gmail, Yahoo, AppleID, Facebook)
- Check your social media accounts, update passwords and do privacy and security checks
What to do if your information was exposed in the data breach
Secure your bank accounts
- Tell all of the banks or credit providers that you use that you are a victim of the Optus data breach and ask about how you can protect your money. This may include:
- setting transaction limits on your accounts
- enabling multi-factor authentication for online and telephone banking
- additional security questions
- special security words
- If your passport or driver’s licence has been compromised, tell your bank so that they do not rely on these documents to verify your identity.
Stop people taking out loans in your name by getting a credit ban
- You can apply to Credit Reporting Agencies for a credit ban to stop people getting credit or loans in your name. This is a free service. You can indicate that you wish to create credit bans with all three Credit Reporting Agencies when making a credit ban application. This will last for 21 days and can be renewed. See the IDCARE credit ban factsheet or contact any of the three Credit Reporting Agencies directly:
- When a bank or credit provider is checking your suitability for credit, they check with Credit Reporting Agencies. If someone tries to take out a loan in your name, the check will fail if you have put a ban on your credit report.
- Remember to renew the ban to continue the protection.
- Credit Reporting Agencies also provide paid subscription for credit monitoring.
Contact your Superannuation Fund
- Tell your Superannuation fund that you have been impacted by the Optus data breach and ask for an alert to be placed on your file.
- Discuss what additional security features they can implement for you such as multi-factor authentication or a further security question.
- Place a hold on any activity to roll over your fund.
When to replace a driver licence
- Most states and territories will allow you to replace either or both your driver licence number and card number.
- A driver licence number is a unique number which stays with you for life and does not normally change when a new card is issued.
- A driver licence card number is a unique card number on the card which changes each time a card is produced.
- By changing either of these you will have more protection because it will make it harder for criminals to use your old one to take out loans or credit in your name. It will make it harder for them to use your licence number for verification.
For more information about how you can replace your driver licence please visit your state or territory road transport authority:
- QLD – you can apply for a new driver licence customer reference number. See QLD information about data breach
- NSW – only those whose driver licence and card number were exposed need a replacement. See NSW information about data breach
- SA – is encouraging all Optus customers who are exposed to replace their licence. See SA information about data breach
- TAS – you may replace your licence if you wish to. See TAS information about data breach
- NT – only those whose driver licence and card number were exposed can apply for a replacement. See NT information about data breach
- WA - is advising all those whose card number and driver licence number were exposed as well as only licence number to replace them. See WA information about data breach
- Vic – is advising people to register to flag their licence and replacement – See Victorian information about data breach
How a new driver licence will help you
- By obtaining a new driver licence you should receive a new unique card number.
- From 1 September 2022 the card number on a driver licence is a mandatory verification field for NSW, ACT, SA, TAS, NT and WA issued licences.
- When your licence is re-issued the card number is updated. Including this in data matching criteria minimises the risk of identity theft using a stolen or lost driver licence.
- A document verification that doesn’t capture the card number will fail.
- Note: Queensland and Victoria do not have card number data in the document system but may have other arrangements in place to support verification.
- Passports are safe to use for international travel
- If your passport was exposed in the data breach it will now be blocked through the Document Verification Service
- You wont be able to use your passport for online verification (for example for a home loan) unless you go into a service centre, store or bank in person
- You can still get an International COVID-19 Vaccination certificate while your passport is blocked
- Information about replacing passports is available on the Australian passports page
- There are some specific circumstances where you can replace a passport and Optus will reimburse you for the cost. You need to contact Optus directly.
- You can change a Medicare card
- Visit Services Australia page
Contact telecommunications, technology and other online services
- Contact your telco and internet providers, tell them about the breach and request additional security on your account
- Contact Buy Now Pay Later services where you have accounts and request additional security
What else you can do
Change your passwords
- Change your online banking and email account passwords.
- Use different passwords for every account, and remember, the stronger the password, the better. create passwords that are long and use a combination of letters, numbers, and symbols.
- Consider using a random password generator or password manager to strengthen the security of your accounts.
- For more information, visit the Australian Cyber Security Centre.
Change the email address you use for important accounts
- The email address that you provided to Optus may now end up in the hands of a criminal.
- If it is possible you may want to stop using that email account for important services
- Review all the accounts that you use that email address for. Consider using a different email account for your important accounts. You should check:
- other telecommunications or internet accounts
- energy accounts (gas and electricity)
- you Apple ID or Google recovery email
- your MyGov account or any government service
- your account with road traffic authority
What to do if you think scammers have actually used your information
- If you have been a victim of cybercrime or identity fraud you can report to the police via Reportcyber.
- Contact your bank or financial institution immediately
- You can contact IDCARE a free service which can help people recover from a cybercrime or stolen identity.
- IDCARE is Australia and New Zealand’s national identity and cyber support service, they provide a free and confidential support service for those impacted by scams and identity crimes. you can contact IDCARE on 1800 595 160.
- Report scams to https://www.scamwatch.gov.au
Current scams to look out for
‘Unauthorised transaction on your account’ scams
Scammers are calling people to advise that there has been a suspicious purchase or transaction on their online account. They may claim there is a problem because of the Optus data breach. They will request your personal or financial information such as credit card details.
If you receive an unexpected call, check your account independently or contact the organisation in a secure way.
Use the organisation's secure app if it has one, or log in to its website using your normal login. You can also call the organisation back using a phone number you have sourced independently, such as from the ‘Contact Us’ page on the organisation's official website.
A large range of organisations are currently being impersonated, including a variety of subscription services, online marketplaces, credit/debit cards and other payment facilities.
‘Hi Mum’ scams
‘Hi Mum’ scams involve scammers texting people claiming to be a family member or friend needing help. Victims receive a message from scammers who claim to be using a new number due to having lost or damaged their phone. The messages very quickly develop into requests for money and/or personal information including photos.
Scammers are now claiming the reason they have a new number is because they replaced their existing phone number due to the Optus hack.
Optus is not contacting people about issuing new sim cards. Delete these messages.
If you receive demands to pay money with a threat that your information will be released, delete the message. Scammers are pretending to be hackers to make you give them money.
Optus is not threatening email account closure if you do not update your password or verify your personal information.
Optus is not contacting people about their bills and asking you to update your information.
Scammers are impersonating Optus directly in phone scams. You should not provide personal information or financial details to callers offering a reward or gift due to the data breach.
There is no financial restitution being sent to individuals caught in the data breach at this time.
Scamwatch has received reports about messages impersonating the Government. This message below is not from the Australian Government – it is a Medicare / MyGov scam. Do not click on links in messages. Instead, go to the official Services Australia website for information.
Remote access scams
Scammers are using the Optus data breach in remote access scams.
Remote access scams involve getting victims to download a piece of software to their phone or computer that hackers can use to access the device.
Scammers will claim to be from an organisation and provide a reason they need access to your device, including reasons related to the Optus data breach.
Scammers may claim they need access to your device to secure it, fix it, investigate what the problem is, or even catch hackers on the device.
Remote access software includes programs like TeamViewer QuickSupport, AnyDesk, and Zoho Assist.
Scamwatch is receiving reports of scammers calling individuals by phone and offering to assist them with identity rectification.
Scammers are offering to resolve compromised information documents if the recipient tells them which sort of document of theirs was impacted. Instead, follow the advice provided here and on IDCARE’s dedicated support page.
IDCARE - Optus Data Breach Response