Ms Bayer Rosmarin on Tuesday defended the telco’s security of customer information, after previously conceding they should have heightened awareness and look out for any suspicious or unexpected activity across online accounts and bank accounts.

Most affected customers were yet to be contacted when the hack was first revealed, but have been in the days since.

Watch for suspicious activity

“Unfortunately, because this is not the most vulnerable information like financial detail and passwords, we don’t have a simple message of ‘just change your password’,” Ms Bayer Rosmarin told reporters.

“Really what customers can do is just be vigilant. If they receive a notification that a password has been changed on one of their online services or their bank, and they did not initiate that, then assume that they need to report that and get on top of it straightaway.

“So it really is increased vigilance, and just being alert to any activity that seems suspicious or odd or out of the ordinary.”

A hacker claiming to be behind the data breach has demanded $1m in cryptocurrency to avoid the sensitive data being leaked on to the dark web. An anonymous person using the nickname Optusdata published two samples of alleged Optus customer information on data leak website Breach­Forums, declaring that Optus could prevent the sale of the data to cyber criminals if it paid $1m in the cryptocurrency Monero.

Optus alerts vulnerable customers

Optus has contacted customers whose identifying information — including passport and licence numbers — was stolen. It is now contacting those who had other information stolen, such as addresses and contact details, Ms Bayer Rosmarin said on Tuesday.

The hacker has reportedly stolen the drivers licence or passport numbers of some 2.8m Australians, and overall has 11.2m sensitive records, which they are threatening to sell to other cyber criminals.

NSW government acts to reissue licences

The NSW Government is looking to reissue identity documents to those affected by the Optus hack. Digital Minister Victor Dominello announced he was working behind the scenes with Optus and other government agencies to fast track the reissuing of licenses to those affected by the breach.

“Behind the scenes the NSW Department of Customer Service, Transport for NSW, Cyber Security NSW, ID Support and Registry of Births Death and Marriages – are working with Optus to make the process of reissuing of NSW identity documents as seamless as possible,” he said.

“Customers who are notified by Optus that both their driver's licence number and their driver's licence card number have been compromised are strongly advised to apply for a replacement licence.”

Other key steps to take

Scamwatch has suggested Optus customers should do the ­following to protect their personal information:

■ Secure your devices and monitor for unusual activity.

■ Change your online ­account passwords and ­enable multi factor authentication for banking.

■ Check your accounts for unusual activity, such as items you haven’t ­bought.

■ Place limits on your accounts or ask you bank how you can secure your money.

■ If you suspect fraud, you can request a ban on your credit report.

Which kind of information could be affected

The University of Sydney Law School lecturer Derwent Coshott said the information stolen from Optus could be used to open a bank account or secure a loan from an online lender.

The Optus hack has exposed the data of almost 10 million users of the telco’s systems.

Almost 2.8 million customers may have had their date of birth, email and home addresses, phone numbers, driver’s licence and passport numbers hacked.

“The usual customer due diligence requirements (for an online lender) requires 100 points of ID and if it’s being done on ID it’s usually satisfied by providing drivers licence or passport numbers,” he said.

“Even if you don’t have a sufficient amount of information you could get around that.”

Dr Coshott said the kind of data leaked suggested hackers may have accessed Optus’ own customer validation records, noting the customer data stolen fit the bill for the same data demanded by other companies to validate a customer’s ID.

“When that kind of information is held by so many organisations, as a requirement to identify whether a person is a real customer, then there’s always the risk of that information being stolen by someone,” he said.

He said the issue for many people who’d had their records hacked was the difficulty in correcting or changing that data.

“Passport numbers don’t change, drivers licence don’t change,” he said.

Dr Coshott said Optus needed to reveal what steps the company took to ensure that data didn’t fall into the wrong hands and how hard the hackers had to work to get access to sensitive customer data.

“In the case of Optus the question would be did they do what was necessary to mitigate the risk of the data being stolen?,” he said.

Banks move to secure personal information

An Australian Banking Association spokesman said banks had taken “immediate security steps while Optus continues its investigations and works with authorities and agencies”.

“Banks remain vigilant to scams and frauds and are closely monitoring systems and processes following the reported cyber attack on Optus which has resulted in disclosure of customer information,” he said.

“Australian banks are working continuously to increase safeguards … Banks have spent around $19 billion on IT systems to build resilience, including against frauds and scams.”

While scammers can do a lot of damage with personal details, including stealing funds and applying for online loans, finance specialists say using your identity to secure a mortgage in your name is most likely a step too far given the complexity ofhome loan applications and property purchasing processes.

Digital forensics and cyber incident response expert Josh Lemon said the compromised Optus personal data was highly confidential and the cybercriminals’ intentions were currently unclear.

“Identity theft typically sees criminals fraudulently apply for credit, tax return or online services,” said Mr Lemon, from cybersecurity training group SANS Institute.

“It is more likely that anyone who is a victim of identity theft could have difficulty applying for a home loan.”

Ms Bayer Rosmarin said that Optus is receiving increased reports of users being asked to share their passwords over the phone.

“If somebody calls you and says they want to connect to your computer and give them your password, say no, don’t allow that to occur,” she said. “We know that was already occurring before so it might not be related, but it’s a good reminder to people not to fall for that one.

“Also, in terms of contacting our customers, we have not been very specific and prescriptive about how we’re doing that specifically for the reason that we do not want to give people the opportunity to get out in front of us with a phishing attack. We will be contacting our customers, we won’t be telling you exactly how we’re doing that, except to say that we will not be sending any links in SMS and email messages.”

It’s understood that some Optus phone numbers have been sold online via the dark web, as early as a week ago.

“We have heard through the media that this is occurring, and we are still working to validate that that information is relevant and is even Optus data,” she said. “One of the challenges when you go public with this sort of information is you can have lots of people claiming lots of things. So there is nothing that’s been validated and for sale that we’re aware of, but the teams are looking into every possibility.”

The company has turned off online SIM swaps and replacements, instead requiring customers to physically visit an Optus retail store with relevant ID.

“We are in the process of contacting customers who have been directly impacted,” the company said in a statement on its website.

“If you believe your account has been compromised, you can contact us via My Optus App – which remains the safest way to contact Optus or call us on 133 937 for consumer customers. Due to the impact of the cyberattack, wait times may be longer than usual,”

“If you are a business customer, contact us on 133 343 or your account manager.”

Zero tolerance approach to unfamiliar phone calls

ACCC deputy chair Delia Rickard has labelled a major breach of Optus customers’ data “extremely worrying”.

“We are particularly worried about the impact this will have in terms of scams and fraud for customers,” she told Today.

“The crooks have got access to people’s names, addresses, dates of birth, some email addresses, and in some cases also things like passport numbers and drivers licence numbers.”

“These are all the things that you need for identity theft, and also all the things you need to personalise a scam and make it much more convincing.”

Ms Rickard warned anyone concerned about their data to ensure their devices are secured, and to stay sceptical of any unusual contact.

“We know that when somebody calls you and has your name and a few details you are much more likely to trust them.”

“In this day and age cybercrime is huge. While most agencies are spending a fortune to protect themselves, you can’t say that anyone is 100 per cent safe.”

More Coverage

‘Too many eyes’: Optus hacker deletes data

David Swan, Chloe Whelan

Millions at risk in massive Optus data breach

BEN PACKHAM, DAVID SWAN

Originally published as What Optus customers should do now to protect security after data breach