Optus looking to move past the Cyber Attack having waited a month to contact all customers

Optus has come out from hiding to make a public announcement about their Cyber Attack and the actions they’ve taken a full month after the incident occurred, and it’s happened on the same day Optus customers and non-customers report hearing from Optus for the very first time.

EFTM has been contacted by several customers who have heard from Optus directly for the first time since the cyber attack, some impacted, others now.

Dan is an Optus customer who’s heard absolutely nothing from Optus, until today, when this email came through:

Meanwhile Grant sent us this letter he received, which confirms he was impacted by the hack, and his details compromised. This is the first Grant has heard, given he is no longer an Optus customer. However, note the date on the letter:

Sent days after the company “completed contacting” those who had up to date contact details.

Why it wasn’t possible to send a physical letter to everyone at the very moment they had an established list is beyond understanding.

But it gets better.

The company is clearly ready to move on.

In their email to Dan, and other “unaffected” customers, they end by saying

Over the coming weeks we’ll be back to business as usual, sharing with you updates on our latest Living Network tools, new SubHub partners, and we’ll also start to ramp up excitement around our partnerships, including Sydney WorldPride 2023.

Yeah, good idea, business as usual. Nothing to see here.

That paired with the opening line stating “through what has been a challenging time for our customers and Optus.” Poor Optus.

And to top all that off – a new message to their customers published on their website tonight. The message aims to outline in a transparent manner all the things they’re doing.

Here’s what they say “In the spirit of transparency, and to help you to better understand the unchartered and complex territory we navigated, we wanted to share these actions with you.“

1. We went public early with widespread warning
2. We engaged with the government openly, transparently, and quickly, and respected the request of the Australian Federal Police to not speak in specifics about the attack
3. We reconstructed the data set that was exposed
4. We contacted all affected customers
5. We then set about providing individual notification to customers about their specific data exposed, and what they needed to do as a result
6. We apologised, took accountability, and kept our website up to date
7. We complied with requests for information from governments
8. We have shared the lessons learned

The icing on the cake though is this pearler – Thanks to all these actions we are not aware of any harm coming to any customer from the misuse of their exposed data, but we have reminded all customers to remain vigilant. We are aware of 10,000 customer details being released on the web briefly,

This isn’t about the harm that has been done, it’s about the harm that can be done. The scams, the fraud, so much.

But more importantly, it’s about the fact that this letter is ONE MONTH too late.

The letter ends by saying “As we move forward from this cyberattack” – so clearly, the company has its sights on resuming business as normal.

EFTM has reached out to Optus asking just how many current customers were not affected by the hack, and how many former customers were. We don’t expect an answer, as the company stopped communicating with us some weeks ago, despite our clear and strong advocacy for their customers. I still don’t know if Optus Sport customers are affected. Just another unanswered question..

Optus needs to allow externally appointed independent investigations and audits of their security systems, the outcomes of which need to be made public. This, and only this is the way to build trust in customers.

And yes, the same applies to Medibank, both companies can learn from Samsung’s experience with the Note 7 and move forward with success.