Optus Data Breach: Customer passport bungle – The CEO has to resign

It has been three weeks and two days since Optus suffered a massive and what they call “Sophisticated” cyber attack resulting in the details of 9.8 million current and former customers falling into the hands of cyber criminals. Yet it is only today that they have reached out to customers who’s Passport details were compromised – and even then they couldn’t get that right.

Today’s email to some customers outlines clearly that their Passport number was exposed – a key link in one’s online identity.

Additionally, some two and a half weeks after announcing via an update on their website and a press release that they would be offering “the option to take up a 12-month subscription to Equifax Protect at no cost” the company has begun offering that directly to affected customers.

However, one EFTM reader has contacted us to outline a major problem with Optus’ communication today.

James became an Optus customer in late 2020, as outlined in the below screenshot of the correspondence at the time.

The email James received today from Optus mentions his personal data breach:

However, in 2020 when James would have provided his ID, James only had a UK passport, and became a citizen of Australia early the following year. So it’s unlikely, if not impossible that Optus has an “Australian Passport” on file for James.

They’ve either taken a one-in-all-in approach to the wording of Today’s email, or they’ve made a fundamental error in their database or communications. Either way, for one person, and no doubt countless others, it’s another way in which a customer can easily lose faith in the Optus system and communications.

Within the 10,200 leaked records already circulating online there are many non-Australian passports listed, from India, Sri Lanka and the United Kingdom. In fact, there are nine United Kingdom passports in that leaked data.

In offering the Equifax identity protection today, this passport bungle raises additional issues for those affected, because the protection offered at Equifax, we believe does not offer any monitoring of overseas passports for fraudulent activity.

Finally, James also points out something I’ve been saying for some time. Optus’ communication continues to push customers to the MyOptus app:

Pretty difficult for former customers like myself and James who cannot log into the app.

Optus CEO Kelly Bayer Rosmarin was pretty quick to front the media two days after the attack, but has been missing in action ever since. As has their communications to customers affected, customers not affected, and customers of subsidiaries like Amaysim or Vaya who simply need a message from Optus saying “Your data was not affected, and we’re sorry about the breach that occurred on our watch and we’re working hard to make sure it never happens again”

As a former customer affected across two previous services, I’ve almost had more communication from Vodafone and Telstra than from Optus in the last three weeks.

It’s time to acknowledge that the nightmare continues at Optus, and a new team is needed to shake things up, sort things out, and restore customer confidence. CEO Kelly Bayer Rosmarin has to step aside, and let a new leadership team steer the ship quickly out of the mud and into some clear air.

These are the questions asked by EFTM of Optus which are still broadly unanswered (known answers in bold)

• (26/9) I’ve had a question I can’t answer – and that is, are non Optus mobile/broadband customers, who signed up to Optus Sport part of the Data Breach?
• (26/9) Given you’ve completed that contact (to the most affected with ID Documents stolen) – are you able to now quantify the number of users in that category who were affected by the attack? (This was answered broadly only in the Video message on October 3)
• (28/9)
  1. is the Equifax offer open yet? (We know this is open)
  2. has Optus started contacting customers (we believe today’s outreach is the first pro-active mention of Equifax to customers)
  3. how are non customers being linked to the Equifax deal? (we know finally today that those with Passports affected are being contacted)
• (28/9) Total number of user details exposed: (answered)
  • Total Number of FORMER customers exposed:
  • Number that included Drivers Licence number (answered)
  • Number that included Passport number
  • And finally, how long will it be until all the total number have been contacted by Optus? (we assume this is complete)
• (30/9) I’m getting a lot of questions from current customers who say they have not heard from Optus.
  • So I wonder, are there current customers who are NOT involved in the breach?
  • I understand enterprise customers are not, but are you able to quantify the number of existing users who are NOT breached?

We’ve heard the company is sorry, and we’ve heard it from the CEO, but that isn’t helping those who simply don’t know what’s going on.