From July 1, 2026, Super for all employees needs to be paid with each pay cycle – NOT at the end of each quarter. Click below for information on what you need to do!
Company – Fiscal Artisans
The Optus Hack – and what you
(and I) need to do with our business data!
It has become common knowledge that Optus has had its database breached.
And this has personal relevance to me, as I am an Optus mobile subscriber, with my business (mobile) number and those of my entire family impacted by the breach. I received the ‘generic’ email from Optus on Saturday (12:51 am. Nice they got it out at a time when it was likely to be buried under a plethora of spam emails), so the awareness of the issue came more from the press reports than the ‘genuine communication’ to its customers.
The key issues we need to look at here are:
- What was taken, and
- How did it happen?
- What does this mean in my situation?
- Stuart, is the data you hold on me safe?
It APPEARS (as Optus has not been crystal clear yet with this information) that their basic database information has been ‘taken’.
This includes:
Full customer name
Date of birth
Phone numbers
Email addresses
Account addresses
They claim that payment details (Bank and credit card numbers?) and passwords have not been taken – just the identification data. But that is bad enough.
Access may also have been obtained to the I.D. document details provided for the ‘100-point check’ each account holder needs to provide.
This would also mean access to items like:
Driver’s licence – state, number and expiry date;
Medicare card number and details; (They have reported that details of at least 35,000 current and expired medicare cards were accessed)
Passport details;
Other items used for verification could be your electricity account details, rates notice, etc.
The danger here is that these details are potentially enough to create a fraudulent I.D. or to assume someone’s identity to do things like:
- Change your bank account details, and get new cards issued to defraud you;
- Alter phone account details, and have your calls and mobile account redirected to someone else;
- Create new credit card accounts in your name that someone else controls (and leave you with a debt or bad credit record).
How did it happen?
While Optus has been claiming that it was a sophisticated attack, it seems the reality is that they left their backdoor unlocked and the lights on. The door might not have been wide open, but it was not far removed from that situation.
Many business systems are set up to ‘talk’ to each other using an interface or ‘API’ to do so.
To explain this, here is an explanation from The New Daily
In basic terms, APIs are ways for computers to pass code between each other (such as instructions). They are often used to enable services such as Google’s weather alerts, which make use of Bureau of Meteorology data.
They are supposed to be safe because companies usually have authentication rules attached to their APIs – but Optus allegedly did not.
“What we’ve seen is there was an API where you pass a phone number, and a phone number’s just … you just keep adding one, and you cover them all eventually,” Mr Hunt said.
“So why was there an API [without user] authentications? That could be a programming error.”
So the system that Optus was using did not have enough security built into it to stop a systematic ‘guessing’ of the key to access the data. It would be like if I could get hold of your ATM card and just keep guessing your PIN time after time without ever being locked out of the process. In time, with enough guesses, I will get access and can get all of your money. In this case, it only takes one correct ‘guess’, and access is obtained to potentially the whole database.
Data security is becoming increasingly important, and more attention needs to be given to this by everyone in business – even if you are a ‘business of one’ and freelancing or self-employed. Again, look at your contact details, the data you hold on your associates, customers, and finance arrangements and think about what data you need to hold – and how secure it is.
It is often considered that your database is one of your greatest assets in a business, and the reality is, that it is also potentially one of your greatest liabilities or risk factors, as you need to ensure you are ‘protecting’ your position and that of your customer base when you undertake your activities.
So, the potential danger here is that the data obtained won’t just impact activity with Optus. It can impact people in other areas.
Like in activity with the Tax Office.
I have been asked by a concerned client to check data on the Tax Agents portal, as it appears that some hackers are trying to change details with the ATO. This could result in tax refunds landing in the wrong bank accounts, GST or other tax claims being made incorrectly, or business entities being created to defraud the government, using false names obtained via a data hack to draw funds out from the ATO.
We will be doing random checks of client data on the ATO site to make sure nothing has changed (and if you are an Optus customer, don’t hesitate to get in touch with us, and I will check your ATO data to make sure it is all ok)
So, what can you do about this?
After spending over 4 hours on the Optus ‘chatbot’ trying to get some clarity on what has been taken – and running into the same brick wall as everyone else on finding out ‘exactly’ what was released, the action that I took was as follows: (and what I would suggest is done by anyone else who is a current Optus Mobile system user)
- Contact VicRoads (or, if you are not in Victoria, your local roads authority) and request a new driver’s licence with a new number. They will also ‘flag’ that the current licence may have been compromised and can’t be used for I.D. verification. I don’t think it will get you out of any speeding or redlight fines, however. Sorry about that!
I found the process with VicRoads took all of 5 minutes and 5 lines of information. So unlike dealing with Optus, it was painless; - Contact Medicare via MyGov, and request a new Medicare card for you and your entire family. They will issue a new card with essentially the same details but ‘moved on’ sequentially. Again, this will override the ‘old’ cards and make the number redundant.Again, the Medicare website has been set up to deal with this Optus issue, and the process is simple.
- Passports – this appears to be a harder scenario. Currently, it does not appear that the Passport office will ‘simply’ process new passports to replace any that ‘may’ have been compromised. And it will come down to finding out precisely what data Optus received and held regarding I.D. for their customers.News Flash! Optus has now agreed (Been made to!) to pay the cost of passports that need to be replaced due to data being released through this breach. The replacement process is still to be determined, so keep an eye on the Passports Australia website and contact Optus to confirm if these details have been accessed. As mentioned above, they are still to provide full details of what data has been accessed and what I.D. documents they retained on their files.
- There are various ‘data monitoring’ sites available (Optus is funding a 12-month subscription to Equifax to those impacted who shout loud enough) that will let you know if changes have been made to any of your accounts. It may take a bit of work to set everything up, but it will only take one notification of fraudulent change to make the subscription worthwhile.
- Contact your banks and financial institutions, change your passwords, online pin numbers, etc. Make sure that the systems are set up to contact you with any changes made on your accounts, so you can act quickly if any suspicious activity has occurred.
The need for security over a business’s data is significant, and everyone in business needs to look at this situation and identify the lessons relating to their own data.
As business owners, we hold a large amount of data on our clients – and also on our suppliers, financiers and associates. And, the more ‘automated’ we make things, the more data we hold to make that possible. E.G. ID numbers such as ACN, ABN, TFN, Director IDs, driver’s licences, bank accounts, addresses, date of birth, etc., are all recorded. If that data is hacked, it becomes easy for an identity to be duplicated or to change and divert the information.
- Look at what data you hold for your customers., clients, suppliers etc., and what security is used to access those details. And what do you need to retain once identification has been confirmed, or the ‘transaction’ has been completed?
How is this stored and saved? Who has access to this data? What checks can you make to see if changes have been made without your knowledge? - What is needed to access your database? – is it just a password, or have you set up 2-factor authentication? Many online systems require this, but I have noted that many people fail to take it up if they can avoid it. The lesson is – DON’T AVOID IT. It is like leaving the key under the mat for your front door. Sure, the door is locked, but finding the key is not as hard as you want to believe it is.
- Do you use the same password for multiple sites? I know, remembering multiple passwords is a Pain in the pass-word, but the frequency of database hacks makes keeping them unique more and more important. You can use programs like Last Pass to keep track of your different passwords – and create unique, hard-to-crack passwords or passphrases for each site you use. This type of system will also ‘flow’ through to all your devices, so you don’t have to keep track of them separately. (At Fiscal Artisans, we are using Last Pass, and it works well on computer browsers and mobile phone systems)Most mobile phones can also help you create unique passwords stored on the phone, so you don’t have to remember them (Just keep your phone security tight!)
- If you use your mobile phone to access most sites, it is not hard to see which sites have duplicated passwords – and which ones have potentially been compromised. You can usually find this in Settings/passwords/security recommendations. Your web browser (such as Google) or your computer setup may help you with this process. Keep them unique, combining UPPER and lower case letters, numbers, and special characters. And don’t use easy-to-remember words or numbers that relate to you, like your birthday, middle name, or kids’ names.
Ok, so what are we doing about this?
This is how we operate in terms of Fiscal Artisans with our data.
- All of our operating system access requires 2FA, meaning that as well as a password, all access requires a code that can only be obtained via my phone (which is pretty much permanently embedded with me). All staff use unique 2FA access, log-ins and passwords for their access to our systems as well.
Unique passwords are used for all systems, and these are kept secure at all times. - All paperwork and related data for clients, such as questionnaires and paper copies of data that have been emailed to our clients, is scanned, then shredded if it does not need to be saved or stored or sent as a hard copy (and the shredded paper is turned into garden compost and worm food!) so no data or client information is disposed incorrectly, or kept beyond the time it is needed.
- Where former clients have ‘moved on’ and are no longer using our services, any data we hold for them is taken ‘off line’ from our systems and kept in a separate archive system until the required period has elapsed. Then, after around 7 years, that data is deleted and completely purged from our systems.
- We only share data that you have agreed to be shared with associates and will always ‘copy you in’ to communications of data provided to third parties like finance associates, legal advisers etc.
- We review our systems frequently to ensure that data is stored correctly, security is maintained at a high level, and superfluous data that is not needed is removed.
We suggest that all business operators look at their systems and determine if changes need to be made to increase their security over the data they hold.
We are happy to assist and advise around your data management, and we can assist you with associates who can provide you with the services needed to improve your data security.
Meanwhile, please check your own systems and make sure that they are as secure as possible.
After all, you wouldn’t leave your front door open or leave the keys in your car would you?
Treat your data with the same level of security.
Enjoy your weekend – and check your data security!
For more information, or to discuss your own data situation, please email me at stuart.smith@fiscalartisans.com.au or call me on 0409788399.
Stuart Smith CPA
Director
Fiscal Artisans.
Australian Domain name changes are about to go live.
Australians have until 20 September 2022 to seek priority allocation of an .au direct domain name that matches their existing domain name.
Anyone with an Australian presence (including businesses, organisations and individuals) can now register a new domain name category, known as .au direct. These shorter, simpler domain names will end in simply ‘.au’ (e.g. mybusiness.au) and complement existing namespaces such as ‘com.au’, ‘net.au’, ‘org.au’, ‘asn.au’, ‘id.au’, ‘gov.au’ and ‘edu.au’.
Existing domain name licence holders have been provided priority to register the .au direct equivalent of their domain names until 20 September 2022, after which domain names that have not been allocated will become available to the general public.
This new option for domain names creates opportunities for businesses, organisations and individuals. However, it could also provide another opportunity for cybercriminals by facilitating fraudulent activity like business email compromise. For example, by registering yourbusiness.au where you have already registered yourbusiness.com.au to impersonate your business.
The ACSC recommends that all Australian businesses, organisations and individuals consider taking advantage of the priority allocation process to register the .au direct equivalents of their existing domain names. In cases where conflicts occur, such as when different organisations own similar domain names (e.g. mybusiness.com.au and mybusiness.net.au), priority allocation will help determine who can register their .au direct equivalent. Until 20 September 2022, registrants of .au domain names licensed before the launch of .au direct have priority to apply for the matching .au direct domain name.
After this date, it may be possible for ‘cyber-squatters’ to register ‘your’ domain name and seek to impersonate your website or use it for various fraudulent activities, or simply ‘squat’ on your name and potentially look to sell your own site back to you.
Businesses, organisations and individuals who have registered a domain name outside of Australia can also consider registering an .au direct domain name. For example, a business that currently holds mybusiness.com should consider registering mybusiness.au. This will prevent cybercriminals from registering these domain names and using them for attempted financial fraud.
You can reserve your .au direct domain name by visiting an auDA accredited registrar.
If your business or organisation is a victim of business email compromise or other fraudulent activity, please report the incident to the ACSC through ReportCyber or contact 1300 CYBER1 for support. auDA also has a complaints process available you can access through their website.
The Federal government has now set up an identification system for all company directors in Australia.
Like your Tax File Number or an ABN, it is a unique identifier used with all entities in which a person holds a director’s position. i.e. the number is ‘attached’ to the person, not the company.
The intention is that this system helps to deal with false directorships or fraudulent director identities. It will also deal with the common situation of multiple names being used for an individual (such as middle names being included or excluded with different directorships.
The number itself is a 15 digit code that adheres to international standard ISO 3166. All Australian Directors will have a number that starts with ‘036’, followed by an 11 digit unique number and a ‘check digit’ that is used to determine the validity of the number being used (This is similar to the TFN and ABN numbers in terms of validity checking)
As of November 1, 2021, everyone who was a director has until November 30, 2022, to apply for a Director ID. Anyone who becomes a company director for the first time between November 1, 2021, and April 4, 2022 must obtain a director ID within 28 days of their appointment. You MUST have a Director ID after April 4, 2022, before you are appointed to your first company director position.
Ok, so what do you need to do to get a Directors ID? It’s simple.
- Register your details with MyGovID. You may have done this already to get your vaccination certificate, medicare details or tax information If not, you will need to supply various ID documents to verify yourself (such as drivers licence, passport, medicare details etc
- Apply for the Director ID via MyGovID.
To make the process easier, I will be sending all current directors on our corporate register system an email with the details of all the companies they are associated with and the direct links to apply for a Director ID. (Note that this includes companies that are solely trustees of trusts or superannuation funds.) It will generally only take a few minutes for you to complete the process.
When you have your Directors ID, could you please forward the details to me so that I can record them in our system? This way, it will ensure that the details appear on your company’s documents as required in the future.
If you have any questions or need more information on setting up your Directors ID, please feel free to contact us!