Newcastle based business Capable Pathways – which provides individual support and case management services to people with disabilities – has been caught up in the mess.

Director James Thompson is an Optus customer who has received notification his work email and ID has been breached.

“My driver’s license has been compromised and not long after I received the notification from Optus I actually started getting emails which were strange, duplicating my business information which was unusual,” Mr Thompson said.

“I have since found out the information that was shared has also gone out onto an internet forum, it’s been quite upsetting.”

The information of one of his clients has also been compromised after the 28-year-old only just received his first letter notifying of a breach.

“He didn’t receive any information initially but he has internet with Optus and he has autism and he was stressing,” Mr Thompson explained.

“He was looking to change internet providers and spoke to someone on the phone who said there would probably be a contractual charge for leaving early.

Mr Thompson was able to secure a new provider for his client of eight years, but it was as soon as he was disconnected, was when Optus paid attention.

“He had no correspondence from Optus but as soon as the modem was turned off, he got a text and an email, Optus asked if there was anything they could do to help him,” he said.

“They’ve had next to no communication with him up until that point.

“All my clients have varying degrees of additional needs and they process things differently, some don’t know anything about it and one client who is computer focused, is terrified.”

He’s accused the telco giant of “putting profit before customers” by not investing in cyber security.

“It’s all well and good Optus is putting things in place now but what about 6-12 months down the track, things have died down, and that’s when hackers attack.”

“It’s outrageous and being terribly managed.”

As Optus scrambles to rectify the problem, it has notified customers – via its website – an independent external forensic review of the cyberattack will be undertaken.

The telco has also welcomed a Federal Government announcement on proposed changes to data sharing regulations, which will enable businesses to share information with approved financial institutions and government agencies, enabling them to apply enhanced monitoring and safeguards.

“Hopefully now Optus is the safest company to be with because all the scrutiny has been on them. Things have to change,” Mr Thompson said.

“I think all the competitors are all looking into their own backyards and thinking they need to get this sorted before it happens to us.”

The serious breach has highlighted the need for stronger cyber security in all businesses.

With October Cyber Security Awareness Month, Australia’s largest small business organisation, My Business, has a firm warning to Optus customers for their account passwords not to be the same as their email passwords.

General Manager of Products Phil Parisis estimates more than 60 per cent of business owners would be using the same email password for their Optus accounts which is a big mistake. 

Employees who also use the same password are vulnerable, as are suppliers and clients.

“This is very serious and has the potential to create a business email compromise storm,” he said.

“Business email compromise (BEC) is when hackers gain unauthorised access to or impersonate an email account to intercept private communications.

“Criminals are then able to intercept financial transactions such as invoices or scam other organisations out of money and goods.”

According to the Australian Cyber Security Commission business email compromise cost $81.45 million during 2020-2021.

Data from the Australian Small Business and Family Enterprise Ombudsman also shows more than half of Australian SME’s (small to medium enterprise) don’t survive a cyber-attack. 

“The reality is that cyber criminals don‘t necessarily target you. Mostly, you become an accidental victim of a large, broad scale attack such as what’s happened to Optus,” Mr Parisis said. 

“It’s also a good reminder for SMEs to look at their own cybersecurity because if it can happen to a huge company like Optus imagine how easily it can happen to them.

“Cybercriminals are savvy, they know that by taking on larger organisations they can then branch out and hit smaller businesses too who knowingly have less resources, time and budget to protect themselves.”

TOP tips for small businesses who believe their data has been compromised:

• Create a human firewall: Building a human firewall or educating yourself and employees is the most effective way of preventing a cyber-attack.
• Password protection: It’s important that passwords are not easy to guess. All businesses should consider a password manager or multi-factor authentication, with passwords regularly updated.
• Limit exposures: Logging on to public Wi-Fi is one of the easiest ways to get hacked, hot spotting to a secure account is a safer option. Likewise be careful with cheap imitation cables and upgrade your systems regularly.
• Be prepared: Have a back-up account ready and know how to access it. Know what will be required to get your account back – have that information ready before the attack happens.
• Pay for an expert: The government is now offering cyber protection insurance to small businesses. This significantly reduces the financial impact of a cyber-attack and can help a business recover faster.
• Update business policies and procedures: Ensure your business processes are up to date to protect, prevent and recover from any suspicious behaviour.

More Coverage

‘Leader, legend’: Experienced pilot dies in ‘freak’ chopper crash

Amy Ziniak

‘Fire. Fire’: Police allege arsonist sounded alarm before fleeing

Dan Proudman and Clare Sibthorpe