Optus data breach: an update for APRA regulated entities

On 22 September 2022, Optus reported a cyber-attack resulting in a data breach of approximately 9.8 million customer records. The incident and its impact are still under investigation, however it is suspected that the compromised data may include: customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers. This information may be used by the perpetrators to commit identity theft in order to carry out fraudulent transactions. Based on the available information to date, the attack’s exposure is limited to retail customers (and potentially small businesses) while enterprise accounts do not appear to be impacted.

As a matter of priority, all APRA-regulated entities should harden controls on high-risk processes and transactions where possible, e.g. digital customer on-boarding, setting up first time payees etc. This could include control examples such as additional two-factor authentication requirements and call-backs. Entities should also appropriately communicate to their customers to raise awareness and direct customers to reputable sources such as ACSC, Moneysmart and the Office of the Australian Information Commissioner, which outline additional steps customer can take to limit the risk of fraud. 

APRA-regulated entities are also reminded of their notification requirements under CPS234 Information Security regarding security incidents and control weaknesses.

If you have any queries, please contact your APRA supervisory team.