Optus – the company that has built its brand on the proposition of 'Yes' – is now saying a resounding 'No' to customers who are requesting assistance to change their phone numbers and seek some form of compensation, after the massive data breach which has exposed millions of Australians to the risk of identity theft.
Disgruntled customers have found themselves feeling alone and vulnerable as the telecommunications giant deals with the fallout of the breach, which is believed to include names, birthdates, drivers licenses and / or passports as well as email addresses and phone numbers.
And despite the company's claims that any company can be vulnerable to sophisticated criminal networks utilising advanced systems, preliminary investigations suggest the breach was conducted by a less than sophisticated hacker using basic techniques easily accessible to anyone.
Customers left in the dark
A hacker who has claimed responsibility for the harvest has demanded $1 million USD, or about $1.5 million AUD, for the return of the data.
Optus says it has not responded to the extortion attempt.
And while the amount of the demand may seem link small change for a company like Optus, there are concerns that paying the sum could embolden the same person, or indeed others, to engage in similar conduct in the future.
In addition, there does not appear to be adequate verification that the person is indeed responsible – he or she may be someone attempting to capitalise from the conduct. In that event, the payment will not ensure return of the data. And indeed even if the payment were made, there are reports the data is already for sale on the dark web.
The lack of information is frustrating customers, many of whom are concerned of falling victim to identity theft – which could affect them well into the future.
For its part, Optus is carefully choosing its words, leaving customers in the dark about where they stand or what could happen next.
Despite the CEO's emotional apology on national television earlier this week, many customers feel 'left high and dry'.
To date, the companies' advice is fairly standard, including that affected customers should:
- Be careful of possible scam calls;
- Consider strengthening password and other online security measures; and
- Be on the lookout for more information from Optus in the coming days.
Who is accountable?
For those facing the very real prospect of identity theft, this general advice is just not good enough in the eyes of many.
Some are now refusing to pay their monthly bills, others have been told that to change providers could cost them as much as $1,000 to pay out contracts before they can move on.
One customer who sensibly set up an identity theft monitoring account immediately after being notified that he was affected, which will cost about $15 per month, has been told by the telco that he is not entitled to have that personal expense reimbursed.
It is frustrating to many that Optus is shifting the responsibility to customers, telling them they are accountable for what may occur and that they must take matters into their own hands – effectively denying any legal responsibility or assistance in rectifying the issue.
Many customers have had their trust so severely broken that they will be taking all measures to protect themselves anyway, rather than putting their faith in the company to fix the problem.
Optus says that 9.8 million accounts may have been compromised, while the hacker says he/she has the personal information of 11.2 million people.
This, in itself, has left many customers wondering whether Optus has implemented adequate systems to gauge the extent of data breaches, let alone to protect against them.
In the meantime, an Australian law firm is investigating the possibility of a class action over what is believed to be Australia's biggest data breach to date.
In the wake of the chaos that has ensued, it's become clear that Australia's current data protection laws are completely inadequate when it comes to protecting consumers in such a situation.
A class action lawsuit is one where a group of people are represented collectively in a court of law.
Class action suits originated in the US but over the years other countries such in Europe and Canada as well as Australia have enabled changes to the law so that people can band together to bring civil actions against corporations and companies they believe have broken the law, or been negligent in some way.
In the past day or so, Optus has now offered "the most affected current and former customers" a free 12-month subscription to Equifax Protect, a credit monitoring and identity protection service that can help reduce the risk of identity theft. But many think the service should be offered to everyone who has been affected, not just a select few.
And even though such a monitor may provide some peace of mind, it does not take away the feelings of vulnerability, fear and stress that come as the result of such a significant invasion of privacy, and such a serious breach of consumer trust.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.