Protecting your privacy online in the wake of a data breach

Optus’ recent data breach has left around 10 million customers (approximately 40% of the population) worried about their private data and the potential illegal activity it could be used for if accessed by hackers.

Meanwhile, the rest of the country watches on, knowing this could have happened to any of us. Perhaps not to Optus’s scale, with many experts considering this the worst data breach in Australia’s history, but the reality is we are all at risk of being exposed to a similar situation.

Many Australians sadly didn’t have long to wait: in the weeks since the Optus data breach a number of other companies have had cyber security breaches, including Medibank, Vinomofo and MyDeal (owned by Woolworths), compromising millions of customers’ information. In the case of Medibank’s data breach, sensitive health claim information has also been exposed.

Telecommunications providers, insurers, banks and countless other companies are required to verify our personal information when we sign up for a new account. But the length of time they are required to hold on to that data is not entirely clear-cut in Australian law.

Regardless of how long they’re required to have it, we entrust our data with any number of companies and expect that our information is protected. As even Woolworths themselves has acknowledged that in their case the MyDeal website needed ‘investment in cybersecurity’, it is clear to everyone that more needs to be done to protect customer privacy.

The slew of recent data breaches has sparked further debate over the need to update the 1988 Privacy Act in particular, which has been under review since 2020. In the wake of the Optus breach, the findings of the review will now be much more scrutinised by the public.

The proposed bill will include a significant increase to the penalty companies face for serious privacy breaches, upward of $50 million. The hefty fine will hopefully act as an incentive for companies to focus their efforts on increasing cybersecurity and data due diligence.

Whether or not you’re an Optus, or Medibank, or MyDeal, or Vinomofo customer, there’s never been a better time to educate yourself on why data breaches are so concerning and what can be done to protect your privacy.

What can be done with my data?

Identity theft is a real concern with real consequences.

In the case of Optus, data including customers’ names, dates of birth, phone numbers, email addresses, and even some home addresses and ID document numbers such as driver’s licence or passport numbers have been exposed.

All this information can be used to create new accounts in your name, such as:

• Setting up a credit card in your name and racking up debt
• Applying for a loan in your name
• Posing as you in newly created social media accounts

Or, this information can be used to log in to your own personal existing accounts such as your bank account.

How do I know if my identity has been stolen?

Unfortunately, people often find out their identity has been stolen the hard way – they notice unexplained charges or withdrawals from their bank account, new credit cards they didn’t apply for or their application for a loan is unsuccessful due to a bad credit score.

They might also begin receiving emails from companies they’ve never heard of or been involved with, which is another warning sign.

If you have been affected by any of the recent data breaches, you should have been contacted directly (via email) if your data has been compromised – meaning identity theft could be a risk for you.

What can I do if I think my information has been exposed?

A useful website for finding out if your email or phone number has been in a data breach is haveibeenpwned.com. Simply enter your email or phone number in the search bar and it will tell you which breaches you were ‘pwned in’ (an online term meaning compromised).

If you suspect your information has been stolen and used, you can request a temporary ban on your credit report to prevent any fraudulent loans.

Scamwatch has also provided a number of scams to be on the lookout for in the wake of the recent data breaches, as well as recommendations for what else you can do to help protect yourself.

You can find further tips from the following resources as well:

• Australian Competition and Consumer Commission (ACCC) 
• Office of the Australian Information Commissioner (OAIC) 
• Australian Cyber Security Centre (ACSC) 
• Scamwatch 
• MoneySmart  
• IDCARE

What can I do to protect my data from future breaches?

It is the responsibility of companies to ensure that your data is safe and protected from any privacy breaches. However, there are some steps that you can take to reduce your risk of identity theft or fraud in the situation that your information is exposed.

Scams are getting more sophisticated every day. Even the most digitally savvy of us have almost been fooled by a convincing-looking text message that may look like a delivery notification, but is intended to steal your information.

The first step in protecting your data is to remain vigilant. Don’t click on links in suspicious-looking emails or text messages. Never provide personal information over the phone (legitimate companies will never ask you to read out your password or pin). There’s no such thing as being too cautious, so if something feels off, be sure to trust your gut.

Another important step is ensuring you have unique passwords for each separate account you have online as well as having two-factor authentication enabled. While this can feel like an inconvenience to set up, the peace of mind it will give you is worth it.

Speaking to your financial providers about placing limits on cards or adding additional security questions can also help with detecting fraud early.

What are my rights if my data is breached?

As a customer, you should feel that you can put your trust in businesses that require your personal information to set up accounts.

If you have been a victim of identity fraud, you can report this to the police and also appeal with your financial institution to rectify any unauthorised purchases or loans.

Our class actions team is investigating potential legal action against Optus on behalf of millions of current and former Optus account holders, and potential legal action against Medibank on behalf of millions of Medibank, ahm and international student customers.

If you or someone you know has been affected by either of these data breaches, you can register your interest to be involved in the class action:

> Register your interest in the Optus data breach class action
> Register your interest in the Medibank data breach class action

It costs nothing to take part and you will receive updates about the investigation into any potential action and compensation you may be entitled to.