The Optus cyberattack through the lens of PTSD: blow by blow
This is long - which gives you an appreciation of just how much time, effort and angst was involved in dealing with the fallout of the 2022 Optus cyberattack.
Names have been changed. Times/days are approximate.
Day 1 (Sept 23rd)
An Optus customer, I frown when I see the ABC News story announcing a Cyberattack on Optus.
With PTSD, I’m defaulted to expect worst case scenarios and breaches of trust.
So, by the third re-read, I feel a prickle of unease.
First Centrelink’s RoboDebt, and now this.
Day 2
7am
Optus’ email greets me in my inbox like a headless mouse on a doorstep.
Skipping past the bits which ABC news has already reported, I’m left with an apologetic list of my hacked personal data: name, D.O.B, home and email address, phone number, and the number on the ID I used. Everything, really.
I freeze.
Ignoring the other 9 million cyberattack victims, I immediately feel singled out. In hours, I’ve gone from being just an account number in the Optus crowd to being stalked by a faceless predator.
Anyone with a history of abuse KNOWS that being singled out is dangerous.
I feel threatened, hunted.
10am
Crowds freak me out, so I do almost everything online, which worked, up until yesterday.
Now, horrified, I realise that every organisation and shopping website I’m a customer of, has an online account. And, for convenience, I’ve connected them to the same email address.
Bills, letters from the bank and the hospital, receipts; all of them go to that inbox.
The one that Optus has given the hacker.
3pm
How many online accounts I have!!!!
Each with an email address and a password to change (compulsory combinations of 8+ lowercases, uppercases, numbers, and ‘special characters’). To outsmart the hacker, I make each one incredibly complex, forcing me to record them in a little book, because I’ll never remember them.
Anyone breaking into my house now has all my passwords, in one convenient location.
My PTSD muddle-headedness can’t deal with complicated.
6:15pm
Overwhelmed, I start shutting down ‘unnecessary’ accounts. Frustratingly, some shopping sites, reluctant to lose me, advise lengthy delays in closing my accounts, mockingly stating that they’re going to keep some of my data anyway.
7pm
Exhausted, I reach for my iPhone to change my Apple ID.
One last little task before dinner.
7:45pm
Stubbornly, neither Apple device will recognise my changed ID.
Has this account been infiltrated too?
8:10pm
Agreeing that there are few things in life as stressful as an Apple product which doesn’t work, the Apple expert manages to fix my ipad, but not my phone, as I sob into it. “Just follow the same steps we went through,” he instructs, not understanding the enormity of this task for my trauma-splintered mind…which has already forgotten the original instructions.
Day 3
8am
ABC news says (my??) data is being sold on the dark web, a fact Optus hasn’t yet mentioned. I don’t know much about the dark web, but it sounds like a paedophile ring. I picture them fighting over my bits of data, like naked photos shared between monsters.
The thought is seriously distressing.
Day 4
10:20am
My doctor advises me to apply for something called a credit ban.
12:33pm
I apply to every credit-reporting agency in Australia for a credit ban.
2:30pm
A quick flick to ABC news, and I see that Optus are offering a 12-month free subscription to some credit-monitoring-identity-protecting organisation. BUT. Only the “most affected” individuals will get it, which makes it sound like they’re playing favourites.
Will I be one of the chosen ones? Or not?
2:45pm
Aware that when the other 9 million affected customers read the news, it’ll be impossible to contact Optus, I hurriedly log into the app and type “Connect me to an operator” into the chat speech bubble (a ruse I’ve used before to avoid the robot’s annoying questions).
As I wait for the ‘expert’ to join the conversation, I scan the updates on the Optus website, as they rush to keep pace with the ABC.
2:55pm
Optus’ Dereck is backed into a corner.
He’s confirmed that I’m one of the customers “impacted” by this “unprecedented” disaster, but now he dithers around, copy-pasting sections from the original email I received into his chat bubble, seemingly unaware of the subscription now advertised on his company’s website. Simplifying my questions, then rephrasing them, gets me twenty-minutes of silence until, in desperation, I change my question to “is this chat still open?”
Eventually, Dereck disappears, replaced by Darren, his supervisor who, working fast, provides my unique subscription code within minutes.
I move onto question 2: “what is Optus doing to prevent unauthorised SIM swaps and teleporting?”
He assures me that “temporarily, all changes to accounts must be made in store and requires 100 points of ID”.
I copy-paste the chat into a Word document, ensuring I have everything in writing.
3:45pm
The ID I used with Optus, referred to in their email, would have been my photo ID, I brood.
Perhaps I should replace it?
3:55pm
On the phone to the Department of Transport and Main Roads (DTMR), the operator is deeply sympathetic, as if someone has died.
Indeed, she confirms that there will be no replacement photo ID card in my lifetime, until/unless I can prove that someone is using it illegally. “That number is you, for life,” she says.
Without the ‘proof’ she requires, I must die to cancel the card.
9:30pm
I navigate to the ABC website, for the latest Optus update.
But, as iPad fruitlessly tries to connect, slowly it dawns on me that I have no internet.
10:32pm
Twenty-two minutes on hold, 40 minutes of fiddling and the iinet internet technician is perplexed.
“Highly unusual,” she says. “I’ll pass this on to technical support”.
Increasingly paranoid, I struggle to think this through. Just how clever are these hackers? They have my home address. Do they somehow have my IP address too?
There’s nowhere left to hide.
11:15pm
In tears, I go to bed.
I feel exposed, even under three blankets.
Day 5
7:03am
The internet is back.
The iinet technician is sceptical.
“That’s unusual,” he says. “We’ll monitor it”.
Distrustfully, I change the internet password.
10:27am
ABC news suggests contacting IDCARE for support. Struggling to navigate the Optus situation, IDCARE sounds like a gift from above. Like someone who’ll take over and do this all for me, or at least most of it.
A rapid fill-in of their online contact form and, relieved, I await their response.
10:39am
Haunted by Optus’ claim that my payment details weren’t stolen, I contact my bank for advice. Should I cancel and replace my credit card? Or not? Convinced that I always get everything wrong, I struggle to make decisions at the best of times, so this dilemma is paralysing.
And Maria, the bank’s expert, only makes it worse as she throws the decision back on me with her “do what you like with your card”.
Clearly, my money matters more to me than it does to the bank I keep it in.
I replace the card.
1pm
Credit reporting agency #1 rejects my ban application; they’ve never heard of me.
They’re not subscribers to the dark web.
1:14pm
The reply from IDCARE is packed with generic advice speckled with website links, many of which ABC news has already provided.
Perhaps they deem me unworthy of their ‘care’?
It is like childhood.
2:35pm
ABC says that 10, 000 or so people have had their data released by the hacker.
Without confirmation/denial from Optus, I assume that I’m one of them.
And I can’t do a thing about it.
I am not in control.
The thought is terrifying.
Day 6
10am
Deciding to get this free credit-monitoring-identity-protecting subscription going, once I’ve navigated to the organisation’s website, I see that it’s a simple 4 step process; upload some documents confirming my ID, then stab in the Optus code.
I don’t have a passport or licence, which means scraping together various documents/cards to make up the required 100 points of ID.
So, from the bottom of the wardrobe, I drag out the box which houses my birth certificate.
Prising the lid open, the first thing I notice is the smell, like a decaying rat.
I gasp.
As I pull it out, the certificate droops in my hand, damp, stained. Reeking.
In humid climates, paper goes mouldy. A complication I never foresaw.
The organisation’s submission instructions sternly state that uploaded documents must be legible so, flapping it around, I blow on it, hoping the mould stains will fade as it dries.
Can nothing be easy?
10:55am
Ready to upload the scanned certificate into the submission portal, I pause. How secure is their online submission system?
By pressing ‘submit’ am I just ‘sharing’ more of myself with the world?
I call the organisation to enquire about their online security.
12:50pm
Two hours, three bars of the same melody on repeat, and I’m in tears.
It’s like one of those tap dripping tortures.
“Why is everything so hard?” I scream, stabbing the ‘end call’ button.
If ABC news says this organisation is safe, it must be safe.
1:20pm
It may be safe, but it’s hard to know because the submission system repeatedly crashes, refusing to upload my scanned grotty-looking document.
1:24pm
I complete the online contact form, begging for help (if/when they reply in 5 business days).
3pm
Attempting another call to the credit-monitoring-identity-protecting place, after an hour on hold, the phone cuts out the exact moment someone answers.
Jumping onto the Optus network status webpage, I discover that they’re “completing planned work on a mobile tower in [my] area” during which my “mobile service may experience some issues”. Until October 15.
I throw a mug across the room.
11pm
In a governmental backflip, it seems that I might be able to apply for a new photo ID card after all, free of charge, with just a copy of the Optus email. However…the ABC specifies drivers licences, and my card is a photo ID, not a licence.
Am I eligible for a replacement?
ABC doesn’t know.
Day 7
7am-8am
Multiple calls from iinet to update me about their monitoring of my internet connection.
I mention the Optus cyberattack, in case that’s relevant, but the technicians (in Optus-free South Africa), think I’m referring to some sort of modem that they’ve never heard of.
“Is this new?” They ask.
9:35am
I ring DTMR again, confirming that I can get my photo ID card replaced at any service centre.
9:50am
I’m in a tizz about replacing this photo ID. I wear a mask everywhere to avoid Covid, but at the DTMR the mask will have to come off for the new photo, so unless I can hold my breath for the entire length of time that takes…
On the other hand, I can’t not replace my ID.
What to do???
11:30am
Unable to focus on anything else in my life, I have another go at uploading my scanned ID documents into the credit-monitoring-identity-protecting organisation’s submission system, which now graciously accepts them, allowing me to progress to Step 3 in the application process which, according to the instructions, is where I provide the Optus code.
Except, there is no Step 3, just Step 4 which states that they’re confirming my identity.
At what point do I provide the free-subscription code? They don’t say.
I pick up the phone.
12:35pm
I submit another contact form, begging them to call me.
1pm
Re-reading the original email from Optus, I’m still unclear about which stolen ID number they’re referring to. My photo ID alone isn’t worth the 100 points of ID I’d have needed to provide when I signed up with Optus, so I would have used something else as well. But what?
1:21pm
My Medicare card. That’s what I used, ABC suggests.
I replace my Medicare card.
1:35pm
Do photo ID + Medicare card add up to 100 points?
On Optus’ website, scrutinising the list of acceptable-ID-for-setting-up-an-account, I see that Medicare + photo ID equals only 70 points. From their list, I try to guess what else I would have used to make up the extra 30 points, ruling them out one by one, until I’m left with credit card and pension card as the only possibilities.
Might I have used both???
5:15pm
Optus, ABC, (and inexplicably Telstra), have told me repeatedly to watch out for suspicious calls and SMS.
So that’s why, walking home from Woolies, I’m suspicious when my phone rings.
As cars speed past, it’s difficult to understand what the caller is saying, but with his accent, the guy must be a scammer. Worse, he’s asking for someone with a name like mine, but not quite, which makes him even more dodgy. And that freaks me out.
Screaming “noooo”! I terminate the call, heart racing.
Will a balaclava clad hacker show up at my door to harm me?
Darting home, shadows scare me. Just like when I was a child.
9:15pm
The Optus app’s chat robot has misunderstood my request to “determine what forms of ID have been breached in the cyberattack,” offering me the option to block my own phone number or speak to someone about the cyberattack.
Choosing option 2, I slump on the lounge as the robot attempts to connect me to an ‘expert’.
10:30pm
Every 27 minutes or so a box appears on my screen, prompting me to enter a code sent to my phone. Where was this security feature before?
11:20pm
Giving up, I go to bed.
Day 8
7:10am
Morbidly curious, I log back into the Optus chat, to see if anyone ever answered. And they did! Just 7 minutes before.
10 hours after I initiated the conversation.
Blessedly, Howard is still online, waiting for my response.
Our Q & A should take 5 minutes but, repeatedly sidestepping my question, he seems determined to draw it out.
He has my file in front of him, he can’t deny it. And all I want to know is what ID of mine Optus has but, seemingly as suspicious of me as I am of him, he’s button lipped.
It’s like extracting teeth. I’m not a patient person (explosive rage is a feature of PTSD), so I’m increasingly snappy as I work down my list, ID type by ID type, in the hope he’ll slip up and ‘accidently’ tell me.
Several long pauses, as he squirms, and I think we’ve confirmed that I used photo ID and Medicare card. He won’t say which one was compromised, promising only that “vulnerable” people will be contacted with a list of their compromised ID.
“Am I one of the vulnerable ones?” I ask, aggressively.
He feigns ignorance.
Optus needed to know so much about me when I signed up.
Yet now they seem to barely know my name.
11:30am
The GP clinic insist they left a message. Yet, I never received it.
Calling myself from another number, repeatedly, I confirm that my message service is suddenly, spookily, no longer working.
A coincidence?
Or, has Optus unintentionally ‘given away’ their entire network?
3:14pm
At the Optus store, Andrew, back from his toilet break, diagnoses a “possible” SIM card issue.
So, two minutes, less than 100 points of ID, and despite my mask never leaving my face, he’s swapped my SIM card.
Something which, with their upgraded security, the online Optus ‘expert’ told me no one would be able to do.
Slyly, I suggest that while he has my file open it would be quick and easy to identify what ID I used when I joined up.
Which, he happily does, confirming with a single glance at his screen that I used both photo ID and Medicare card, but nothing else.
Then, he confidently contradicts every bit of information both ABC and his own company have said, assuring me that never in a zillion years would I need to replace either card.
Should I believe Andrew, Optus or ABC?
I go with ABC.
4:50pm
Back home with a hopefully working phone, I suddenly remember that the hospital promised to call by the end of the week, but hasn’t. In fact, apart from the internet company and the GP clinic, the only call I’ve received is the scary one from the scammer.
I pause.
With his accent, my phone issues, and the traffic noise, might I have misheard him?
Was he calling from the hospital????
4:55pm
I yelled at, then hung up on, one of their valued staff members, the hospital thinks.
Luckily, they’re unaware of my PTSD with its panic and paranoia, so it’s easy to blame Optus.
7:15pm
Watching my dinner spin around inside the microwave reminds me that my now cancelled Medicare card is one of the ID I submitted to the credit-monitoring-identity-protecting organisation, which means they won’t be able to verify my identity.
Day 9
Nine days? Is it really?
6:30pm
Munching dinner, I note that, taking a break from Optus, ABC has slid back to Covid, announcing that mandatory isolation ends on October 14.
To most, this would seem irrelevant to the Optus debacle but, as I choke on my carrots, I realise that it is relevant. It so, so is.
In days, the DTMR, where I must replace my photo ID, will be FULL of sniffling germy people who no longer need to isolate, making my journey there Even. More. Hazardous.
The pressure is on. I must get in and out before Oct 14.
Day 13
9:35am
A 40-minute wait in a queue at DTMR, a 5-question form, 2 minutes conversation, and I’m approved for a new photo ID, without ever being asked to remove my mask (“we’re not replacing photos”).
3pm
The credit-monitoring-identity-protecting place, successfully identifying me, allows me to enter the Optus code for my free subscription.
And
My two other credit bans are approved!
This painful saga is about to end!!
In just 4+ weeks.
When my new photo ID card arrives.