Paul Watters – Ionize
The Optus data breach has shown just how exposed everyday Australians are to identity theft. The prospect of millions of customer records – including such sensitive information as driver’s license and passport numbers, security questions, birthdates and so on – falling into the wrong hands exposes the weaknesses in the way our corporate information systems are designed and managed. Note that there is nothing unusual or particular to Optus in these comments – every company you deal with is capturing and storing your information in a way that makes it easy for them to service your needs. You do this every day – banking, insurance, superannuation, even online shopping – your personal data needs to be shared in order for you to function in today’s society.
While you can do a lot to prevent identity theft – such as checking privacy statements, only sharing information where and when you should, and so on – the Optus case clearly shows that data breaches are inevitable. So what can YOU do to respond? In cybersecurity terms, we would say protect yourself as much as you can, but accept the “residual risk” of a data breach, and make sure you respond. Here’s our step-by-step guide to support you:
1. Check if your passwords have been compromised: check haveibeenpwned.com regularly to see if your passwords have been shared in a data breach, or are for sale on the black market. Generate complex passwords where you can, and use a password manager to store them.
2. Monitor your credit score(s): by law in Australia, you have the right to check your credit score. Equifax.com.au and others provide free credit report checking which won’t affect your right to apply for credit in the future. Credit agencies keep track of when people apply for loans, so this will be the first indicator that someone may be trying to take out credit in your name. If you find mistakes or errors, or don’t recognise a check, you can ask that the records be removed. This is one of the most serious issues for consumers – a data breach and an attacker repeatedly trying to get credit in your name could stop you from getting a home or car loan.
3. Block credit applications: using an app like Credit Savvy will block all applications for credit in your name for 21 days. DO THIS NOW if you are an Optus customer. This will give you breathing space to make any necessary changes (such as passwords) that may prevent data breaches. Every 21 days, you can request a further extension. Unless you plan to apply for credit, keep this door shut at all times.
4. Monitor SMS and authentication codes: if you see a suspicious text or authentication message asking for access, this may indicate that someone has accessed one of your accounts and is trying to get authenticated using “two-factor” authentication. With two-factor authentication, you can only gain access by using both a password and a one-time code sent to your phone or an app. Didn’t request a login? Then don’t authenticate, and make sure you contact the company whose service is being targeted.
5. If your data is breached: you can’t change your date of birth, but anything you can change – such as a mobile phone number that is used to receive authentication codes, or a driver’s license number – should be changed if you know that your data has been breached. While doing this may be costly and time consuming, you need to make sure that criminals can’t do much damage to your financial health and wellbeing.
Last words
As we say in the industry, the real cost of security is eternal vigilance – expect an attack, be prepared to respond, and you can minimise any damage or losses.