As the second largest telecommunications provider in Australia, with around 10 million customers (individuals, companies and public sector organisations), it will come as no surprise that the Optus cyber attack and resulting data breach will go down as one of the largest and most significant data breaches in Australia, with huge ramifications for all companies in the future.
It has been labelled by tech experts as a ‘catastrophic breach’ and it will be closely monitored by crisis management professionals and cyber security specialists over the coming months.
The question Optus has not answered is this: why did a test database, sitting in a test environment with inadequate cyber security, contain the personal and sensitive information of 10 million current and former customers?
The data breach will directly impact Optus, its parent company SingTel, its customers, its insurers, various regulators, financial institutions, and international and Australian police for many years to come.
The crisis management and cyber security team at InConsult take a close look at the data breach, identify some strengths and gaps in the response so far and look at why and how the Optus data breach will change the regulatory landscape forever.
How the data breach occurred
According to Optus, on Wednesday 21st September 2022, an Optus database containing personal and sensitive information of around 10 million customers, including names, addresses, dates of birth, phone numbers, email addresses, driver’s licence numbers and passport numbers, was compromised, i.e. the data was revealed to and stolen by an unauthorised user.
We believe the database was a ‘test’ database, sitting in a ‘test’ environment.
The ‘test’ database however contained ‘real’ data – the personal sensitive information of current and former customers (dating back to 2017) – because the Telecommunications (Interception and Access) Act 1979 requires telcos to retain a particular set of data for at least two years to enable law enforcement and security agencies to access it, subject to strict controls.
The ‘test’ environment did not have the appropriate cyber security access controls – this has been validated by the hacker(s) on various platforms.
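The control that should have stood between real customer records and a test environment is data masking before the copy is made. The following Python is an added example, not Optus code and not from this article: it takes a constructed customer record with the same field categories named above and produces a pseudonymised copy for test use, with a release gate that rejects the copy if any direct identifier survives. The field names, the secret key and the sample values are all assumptions for illustration.

```python
import hmac
import hashlib

# Constructed sample record, not real Optus data. The fields mirror the
# categories the article names: name, address, date of birth, phone,
# email, driver's licence number and passport number.
SAMPLE_RECORD = {
    "customer_id": 1048576,
    "name": "Alex Example",
    "address": "1 Sample Street, Sydney NSW 2000",
    "dob": "1985-04-17",
    "phone": "0412345678",
    "email": "alex.example@example.com",
    "drivers_licence": "12345678",
    "passport": "PA1234567",
}

# Direct identifiers that must never reach a test environment in the clear.
DIRECT_IDENTIFIERS = ("name", "address", "phone", "email", "drivers_licence", "passport")


def _token(secret: bytes, field: str, value: str, length: int = 16) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated).

    The same input always maps to the same token, so joins between tables
    still work in test, but without the key the token cannot be reversed or
    linked back to the real value."""
    mac = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def _digits(hex_token: str) -> str:
    """Turn a hex token into a numeric string of the same length."""
    return "".join(str(int(c, 16) % 10) for c in hex_token)


def pseudonymise_record(record: dict, secret: bytes) -> dict:
    """Return a copy of `record` that is safe to load into a test database.

    Direct identifiers are replaced by format-preserving placeholders derived
    from an HMAC; date of birth is generalised to the year so age-based logic
    can still be exercised; the internal customer_id is kept as a join key."""
    masked = dict(record)
    masked["name"] = "Customer " + _token(secret, "name", record["name"], 8)
    masked["address"] = "Masked address " + _token(secret, "address", record["address"], 8)
    masked["dob"] = record["dob"][:4] + "-01-01"
    # Keep the phone numeric and ten digits long so validation code still runs.
    masked["phone"] = "04" + _digits(_token(secret, "phone", record["phone"], 8))
    masked["email"] = _token(secret, "email", record["email"], 12) + "@masked.invalid"
    masked["drivers_licence"] = _digits(_token(secret, "drivers_licence", record["drivers_licence"], 8))
    masked["passport"] = "PX" + _token(secret, "passport", record["passport"], 7).upper()
    return masked


def leaks_real_values(original: dict, masked: dict) -> list:
    """Release gate: list every direct identifier whose real value survived
    masking anywhere in the masked record. Empty means clear to load."""
    return [
        field
        for field in DIRECT_IDENTIFIERS
        if any(original[field] in str(value) for value in masked.values())
    ]


if __name__ == "__main__":
    masked = pseudonymise_record(SAMPLE_RECORD, b"test-only-key")
    print(masked)
    print("leaked fields:", leaks_real_values(SAMPLE_RECORD, masked))
```

The masking key should live with the production secrets, never in the test environment: if the key travels with the data, the pseudonyms can be re-linked to real customers.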
The Australian Federal Police (AFP) say the Internet Protocol (IP) address of the attacker (which can be used to help track down their location) keeps “moving around” various parts of Europe.
It is believed the attacker is working for a criminal or state-sponsored organisation.
On 24th September, the attacker, known as “optusdata”, posted on an online dark web forum where data is bought and sold, asking for a US$1 million (AUD$1.53 million) ransom to be paid within a week or else they will release the data. Cyber security experts have confirmed the data breach is real and tested a sample of the data by contacting Optus customers directly.
One cyber security researcher (Jeremy Kirk) contacted the hacker(s). He reported: “The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn’t have to login. The person says: ‘No authenticate needed. That is bad access control. All open to internet for any one to use.’”
If this statement is true, it could be catastrophic for Optus.
Optus have said that the attack was ‘sophisticated’… there is nothing sophisticated about an absence of cyber security controls. But they are right in calling out “sophisticated criminals”. Remember, cyber criminals are ruthless, very well organised and well trained. They have an organisational structure, a leadership team, revenue targets, and they pay performance bonuses.
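As an added illustration (not Optus code, and not taken from the report quoted above), the following Python places the access-control gap the researcher describes beside its corrected form: a lookup that answers any caller who supplies a customer id, and a lookup that requires a bearer session, checks that the session belongs to the customer being requested, and returns only the fields the caller needs. The customer records, the session store and the field names are constructed assumptions.

```python
import hmac
import secrets

# Constructed customer records; not real data.
CUSTOMERS = {
    1001: {"name": "Customer A", "email": "a@example.com", "passport": "PX0000001", "plan": "mobile-50"},
    1002: {"name": "Customer B", "email": "b@example.com", "passport": "PX0000002", "plan": "nbn-100"},
}

# Hypothetical session store: bearer token -> customer_id it was issued to.
SESSIONS = {}

# The only fields a self-service lookup needs to return. Identity documents
# stay server-side even for the customer's own record.
PUBLIC_FIELDS = ("name", "plan")


def issue_session(customer_id: int) -> str:
    """Mint a random bearer token bound to one customer (assumed login flow)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def lookup_customer_insecure(customer_id: int):
    """The anti-pattern the article describes: no authentication, no
    authorisation, and the whole record returned to whoever asks."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def _authenticated_customer(headers: dict):
    """Resolve the Authorization header to the customer id the session belongs
    to, or None. Comparison is constant-time to avoid leaking token bytes."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, customer_id in SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return customer_id
    return None


def lookup_customer_secure(customer_id: int, headers: dict):
    """Hardened lookup: authenticate, then enforce object-level authorisation,
    then minimise the response."""
    caller = _authenticated_customer(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller != customer_id:
        # A valid session does not entitle the caller to other customers'
        # records. Answer 404 rather than 403 so the response does not
        # confirm whether the requested id exists.
        return 404, {"error": "not found"}
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {field: record[field] for field in PUBLIC_FIELDS}


if __name__ == "__main__":
    token = issue_session(1001)
    print(lookup_customer_insecure(1002))
    print(lookup_customer_secure(1002, {"Authorization": "Bearer " + token}))
    print(lookup_customer_secure(1001, {"Authorization": "Bearer " + token}))
```

The three checks are independent: authentication alone would still let any logged-in customer read every other record, which is why the ownership test and the field allow-list sit alongside it.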
Why is this data breach so significant?
There are a number of reasons why the Optus cyber attack will be significant and have wide ranging consequences:
- The number of people impacted is extremely large. Australia has a population of 26 million people and this data breach impacts around 10 million customers.
- The value of the data. The data stolen can result in serious harm to an individual whose personal information is taken. The data breach may result in identity theft, which can lead to many types of scams and fraud and potentially affect people’s finances and credit rating. It may even result in physical forms of harm.
- This data breach falls within Australia’s Notifiable Data Breaches scheme where an organisation must notify (1) the affected individuals and (2) the Office of the Australian Information Commissioner (OAIC) as the data breach is likely to result in serious harm.
- How the response is handled will be heavily scrutinised by the media, customers and regulators.
- Once the dust settles, there will be a comprehensive investigation of both the incident response and the cyber security governance, culture, policies and practices of Optus and Singtel.
Optus’ response to the data breach has inconsistencies
There are many inconsistencies between what is being reported and what Optus is saying. The truth is often somewhere in between!
- Some sources report that the data breach was detected on 14th September 2022 by Optus. Optus claims it was on Wednesday afternoon, 21st September, that it became aware of the data breach. There is often a lag between when a data breach occurs and when it is detected. More clarity is required from Optus.
- An alert was triggered when Optus detected that large amounts of data were being exfiltrated through an Application Programming Interface (API) link. Telcos often have very old technology and use APIs to enable communication between different databases.
- A senior executive anonymously told the Australian Broadcasting Company (ABC) that early results from an internal investigation indicate human error is to blame. Later, Optus advised that ‘human error’ was not to blame for the breach. More inconsistency!
- Reports suggest that the compromised Optus data may have been accessed via a method involving no password or security restrictions. Other sources say, unauthorised access to the sensitive information was obtained by breaking through the company’s firewall. Another inconsistency!
- Once the breach was detected, Optus says it started its investigations, shut down unauthorised access and checked for additional vulnerabilities. From experience, this is not a simple process and can take days and sometimes weeks, not hours, depending on the level of complexity.
- Given that Optus is owned by SingTel, and the impact of the incident, there would have been internal escalation to SingTel and investigation by the parent company and this can take days or weeks. What role did SingTel play?
- Sometime between 21st and 22nd September, Optus advised regulators and the Australian Federal Police. Note that Australian law requires notification within 30 days, versus 72 hours in the United Kingdom.
- Although Optus says that no financial information/records were breached, Optus has also notified key financial institutions about the cyber attack as the data stolen increases the risk of identity theft and adverse financial consequences. This is commendable.
- Optus confirms that user details have been compromised, but that no payment details or passwords were compromised during the cyber attack. Only time and AFP investigations will confirm this.
- Optus is using the line ‘this matter is currently under police investigation’ to restrict information to its customers and potentially avoid media scrutiny. Media blackouts during criminal proceedings and trials are appropriate, but the hackers are likely to be located in Europe and any information provided will not impact any trial.
- Optus’ failure to take control of the crisis and insufficient crisis communication will mean others will take control. The government is looking to direct Optus to provide free credit watch service to customers, there will be legislative changes including much larger fines and there is a class action against Optus currently in progress.
Qualified investigators will eventually piece together a timeline of events. Optus has not provided enough information at this point, but the gaps and inconsistencies are red flags.
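The alert Optus describes, large volumes of data leaving through an API, is the kind of signal that can be written down as detection logic rather than discovered after the fact. The Python below is an added example (not Optus detection code, and not part of this article): it parses constructed API access-log lines, whose format is an assumption, and flags any client that successfully reads more than a threshold of distinct customer records within a sliding time window. The constructed log mixes two ordinary customers reading their own record with one client fetching many records in a short time.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): timestamp client method path status bytes
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
CUSTOMER_PATH_RE = re.compile(r"^/api/customers/(?P<cid>\d+)$")


def parse_line(line: str):
    """Return a parsed event for customer-record requests, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = CUSTOMER_PATH_RE.match(m["path"])
    if not p:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "client": m["client"],
        "cid": int(p["cid"]),
        "status": int(m["status"]),
        "bytes": int(m["bytes"]),
    }


def detect_bulk_reads(lines, window=timedelta(minutes=5), max_distinct=20):
    """Flag every client that successfully reads more than `max_distinct`
    distinct customer records inside any span of length `window`.

    Only 200 responses count: a client that is refused is not exfiltrating.
    Returns one alert per client with the peak distinct count observed."""
    events = [e for e in (parse_line(l) for l in lines) if e and e["status"] == 200]
    events.sort(key=lambda e: e["ts"])
    per_client = defaultdict(deque)  # client -> (ts, cid) pairs inside the window
    alerts = {}
    for e in events:
        q = per_client[e["client"]]
        q.append((e["ts"], e["cid"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {cid for _, cid in q}
        if len(distinct) > max_distinct:
            alert = alerts.setdefault(e["client"], {
                "client": e["client"],
                "first_seen": q[0][0].isoformat(),
                "distinct_records": 0,
                "last_seen": None,
            })
            alert["distinct_records"] = max(alert["distinct_records"], len(distinct))
            alert["last_seen"] = e["ts"].isoformat()
    return list(alerts.values())


def build_sample_log():
    """Constructed access log, not real Optus data: two ordinary customers
    plus one client retrieving 30 different records in about 90 seconds."""
    lines = [
        "2022-09-20T10:00:01Z 203.0.113.10 GET /api/customers/1001 200 812",
        "2022-09-20T10:00:09Z 203.0.113.10 GET /api/customers/1001 200 812",
        "2022-09-20T10:00:15Z 203.0.113.11 GET /api/customers/1002 401 0",
        "2022-09-20T10:00:20Z 203.0.113.11 GET /api/customers/1002 200 790",
        "2022-09-20T10:00:30Z 203.0.113.11 GET /api/health 200 15",
    ]
    base = datetime(2022, 9, 20, 10, 5, 0)
    for i in range(30):
        ts = (base + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 198.51.100.7 GET /api/customers/{2000 + i} 200 805")
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_reads(build_sample_log()):
        print(alert)
```

The threshold and window are the tuning knobs: a self-service portal rarely needs one caller to touch more than a handful of distinct customer records in minutes, so a low threshold trades little false-positive noise for early warning. Counting distinct records rather than raw requests keeps a customer who refreshes their own page from tripping the rule.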
Communication speed & frequency
Thursday 22nd September at 2pm AEST, Optus issues a media release via its website and media outlets. Why? Optus believes “trusted media sources” are the “quickest and most effective way” to alert all customers of the attack and communicate the severity of the situation.
Whilst this is a good use of the media, there has not been an update by Optus since the media release last week… not even a holding statement… even though the media is releasing more and more information.
Optus’ CEO has personally apologised for the attack and any harm felt by customers. She says “I’m disappointed it undermines all the work we’ve done,” and “I’m very sorry and apologetic. It should not have happened.” Until we know exactly how this data breach occurred, words will be meaningless to the impacted customers.
Friday 23rd September, Optus starts contacting customers about the breach via a generic email and SMS and prioritises those whose identification documents may have been compromised. Optus says that services, including mobile phones and home internet, were not affected… but it appears all customers have been contacted, even those not impacted, leaving more customer stress and confusion. Not ideal in the current crisis situation.
Five days after the media release, there has been no mention from Optus of financial compensation or aid for customers arising from the cyber attack.
Can Optus pay the ransom?
Paying the ransom to the hackers can be the quick and cheap way out for Optus, but it may be illegal and it will not guarantee that the information is not copied and not released on the dark web in the future.
According to lawyers, there is currently no specific law that prohibits the payment of a ransom demand, BUT, there are provisions under Commonwealth, State and Territory law that prohibit payment in circumstances where the money will be used as an instrument of crime. As it is believed the attackers are working for a criminal or state-sponsored organisation, paying the ransom is not an option.
The Australian Cyber Security Centre also says that there is no guarantee that paying a ransom will prevent the data from being sold or leaked online.
What can hackers do with this information?
Selling Optus’ customer personal information will be catastrophic for Optus as this incident will take years to fully resolve.
However, the biggest consequence will fall on the Optus customers. They will need to be on high alert for many years to come. The stolen information will allow cyber criminals to steal their identities.
Even a novice hacker, with access only to a small amount of personal information (name and email), can steal your identity and create havoc, because they can find out more about you from public sources. In Optus’ case, more than seven data fields were breached, making identity theft even easier and the value of the data to criminals even higher.
Scammers can use your personal information to contact you by phone, text or email.
Thieves and scammers can also attempt the following:
- Access the breached email account, change details, reset passwords or look at private emails, documents and attachments.
- Use your email account for email phishing campaigns.
- Use your email account to access social media sites and even photos and information about your family.
- Use your mobile phone number to commit smishing – a phishing attack carried out over mobile text messaging.
- Use a combination of stolen credentials to access money or amend credit or debit card information for fraudulent purchases.
- Apply for credit cards or loans in your name, even online loans that require little interaction.
- Change your credit card or bank account billing address so that you don’t notice the fraud until it’s too late.
- Use a combination of stolen credentials for other illegal activity:
  - filing fraudulent tax returns to get an income tax refund in your name;
  - accessing government benefits, such as unemployment, under your name;
  - renting an apartment or house, or applying for a job, in your name;
  - committing crimes and giving your name to the police when they’re arrested;
  - applying for fraudulent identification such as driver’s licences or passports.
What Optus customers should do
Follow the advice of Optus. An email from the Optus CEO to all customers encourages them to be on heightened alert. The email says:
- “Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
- Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
- Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
- If people call you posing as a credible organisation and request access to your computer, always say no”.
Optus said it will not send links in any emails or SMS messages. Optus customers should never click on a link purporting to inform them their personal information has been compromised.
Follow the advice of experts and government regulators including Scamwatch, run by the Australian Competition and Consumer Commission.
In addition to what Optus recommends, we also recommend that you strengthen your compromised email accounts, especially if they are used for government and bank related accounts, by:
- Using strong, unique passwords.
- Having a different password for every account.
- Using multi-factor authentication.
Legislation must change
In 2020, the Attorney-General’s Department canvassed views on whether people should be given (1) the right to have their personal information erased, as well as (2) increased rights to take direct legal action against companies over breaches. Optus argued against both changes, citing increased technical and compliance costs.
The incident will also raise questions about how long telcos should be required to keep the data, what obligations they have to protect it and what compensation customers should be entitled to in the case of failures.
Can we help?
Don’t play the waiting game. The Optus data breach is a timely reminder that cyber attacks are real. Organisations need to get it right 100% of the time; hackers only need to get it right once.
Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations improve their cyber resilience posture. We have extensive experience in vendor risk management, cyber risk management, vendor audit and assurance, crisis management and business continuity.
If you want help to strengthen your cyber resilience posture, contact us to confidentially discuss your needs.