Optus data leak: When sharing is NOT caring

“It is with great disappointment that I’m writing to let you know that Optus has been a victim of a cyberattack that has resulted in the disclosure of some of your personal information,” this is the email notification of the data breach that was sent to millions of Australians and signed by Telecom CEO Kelly Bayer Rosmarin last week.

Optus, Australia’s second-largest telco, suffered a major data breach on Wednesday, Sept 21, with potentially millions of customers’ personal information leaked by a malicious cyber-attack. Customers’ names, dates of birth, phone numbers, and email addresses may have been compromised, according to Optus. 

Ms Rosmarin said at a video conference that she felt “terrible.” “I’m very sorry and apologetic. It should not have happened. I’m angry that people out there want to do this to our customers,” she said.

Some clients’ street addresses, driving licence information, and passport numbers were also obtained. Then, over the weekend, a user claimed to have the information gained from the attack and demanded $1 million in Monero cryptocurrency on a data market.

The user claimed to have obtained the information using an application programming interface (API) that did not require authentication, which is software that enables two different systems to communicate with one another. Due to Optus’s obligation to retain identity verification records for six years, the cyberattack may have impacted customers as far back as 2017. 

The telco has previously issued privacy guideline amendments allowing consumers to request the deletion of their data. In the aftermath of the hack, Australia intends to change its privacy regulations so that banks can swiftly receive alerts.

Was the Optus data encrypted?

According to Andrew Wilson, CEO of Senetas, the major concern Optus must solve is if the data is secure. Encryption maintains the security of common digital transactions such as online banking and shopping.

“If this is strongly encrypted sensitive data, as it should be, then Optus customers do not need to be alarmed. They likely have years to change their passports and other identity documents before the attackers can read and use what they’ve stolen. If it isn’t, customers need to get onto that process today. That’s quite a difference!”

“Further statements from Optus that this was a very “sophisticated” attack are unsatisfactory. Very sophisticated and increasingly malicious attacks are common. That’s why ‘data protection’ is essential today – and that’s encryption. It is the last line of defence. Whether the stolen data is encrypted or not should be in the first communication about a successful breach. It is concerning that this vital bit of information is missing so far.

“Many have questioned whether the prevention systems like those used by Optus are sufficient, or if the company under-invested in its cybersecurity, and this is the inevitable result. This is unlikely. No cyber-attack prevention system is bulletproof.

“The focus should instead be on regulation – we need comprehensive federal cybersecurity legislation that punishes companies and government agencies that fail to encrypt sensitive data. Not every company can afford the type of prevention systems Optus has, but the lesson must not be that they shouldn’t try or have a last line of defence in place should a breach occur.”

Major overhaul underway

Australia plans changes to its privacy rules so that banks can be alerted faster-following cyber-attacks at companies. According to media reports, the federal government is considering legislation obliging businesses to notify banks if client data is hacked, allowing lenders to monitor impacted accounts for suspicious behaviour.

Over the weekend, Cybersecurity Minister Clare O’Neill stated that the government would announce additional details about the reforms “in the coming days.” Australia has been working to strengthen its cyber defences and, in 2020, planned to invest A$1.66 billion ($1.1 billion) over a decade to protect company and household network infrastructure.

Ajay Unni, CEO and Founder of StickmanCyber, emphasises the need to educate and train business users because they are the weakest link in cybersecurity.

“While having technical defences is a step forward in terms of cybersecurity maturity, I cannot emphasise the importance of training and educating business users as people are always the weakest link regarding cybersecurity. 

“Third-party risk is another area that requires close attention as larger organisations are often infiltrated through their partnerships with external suppliers.

“As the complexity and frequency of cyber threats increase exponentially, it is extremely sad to see Australia under attack from cybercriminals who are finding success in exploiting vulnerabilities to gain unauthorised access to businesses and critical infrastructure.

“Telcos like Optus carry large amounts of information about their customers such as call patterns, incoming/outgoing phone numbers, data/internet usage and other forms of personal information that can be easily exploited.

“The data exposed can now be maliciously used to create fake identities or as a launchpad to further target users individually through spear-phishing campaigns. These campaigns will now be even more effective as cybercriminals have access to more information than just an email address.

“The findings of the Australian Cyber Security Centre’s investigation into Optus’s data breach will reveal the true nature of the attack – whether it was the work of cybercriminals or a state-sponsored attack.

“Optus users need to remain vigilant of any email offering support due to this breach, even if the email appears to be from an authoritative or legitimate source. Optus customers need to do their due diligence regarding cyber hygiene and avoid clicking on any links in emails unless their legitimacy has been validated.”

According to Thales’ global research, – Cyber Threats to Critical Infrastructure 2022, critical infrastructure industries worldwide continue to face severe challenges and gaps in their approach to protection and risk management. 

A lack of protection for cloud-hosted data and apps, along with an increase in the extent and severity of attacks during the last 24 months, has raised the threat level posed by hacktivists and nation-state actors. Security techniques that are no longer appropriate for today’s dynamic threat landscape are increasingly endangering nations, organisations, and people’s lives.

Businesses warned to watch out for scams

Following the Optus data breach, ACCC Scamwatch is urging customers to protect their accounts and be on the lookout for fraud. 

As per ACCC, steps you can take to protect your personal information include:

  • Secure your devices and monitor for unusual activity
  • Change your online account passwords and enable multi-factor authentication for banking
  • Check your accounts for unusual activity, such as items you haven’t purchased
  • Place limits on your accounts or ask your bank how you can secure your money

If you suspect fraud, you can request a ban on your credit report.

More information about how to protect yourself is available on the OAIC website.

Check the Optus website(link is external) for information and contact Optus via the My Optus App or call 133 937.

Leave a Reply