By Staff Writer.
Last week’s cyberattack on Optus is rapidly shaping up as Australia’s worst data breach, with the personal information of over 11 million Australians compromised, Optus facing a USD 1 million ransom demand and the Australian Government scrambling to introduce further reforms to better protect customer data.
Since Optus went public with news of the cyberattack, it has emerged the hacker, a person going by the nickname “Optusdata,” found an exposed application programming interface (API) at Optus and went about systematically downloading the personal data of Optus customers.
“Optus left this particular API open on the internet, so you didn’t have to log in to see other people’s data,” Information Security Media Group Executive Director Jeremy Kirk told ABC Radio on Monday, September 26.
“(The hacker) stumbled across this on the internet, figured out how it worked, and then sequentially downloaded all the customer records. Optus did have some security systems that detected the data download, and when they investigated, Optus realised this was the worst-case scenario that they could possibly have.”
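The pattern Kirk describes, an endpoint that needs no login being walked record by record, is something a defender can look for in API access logs. The following is an added example, not part of this article and not Optus’s code; the log format, paths, customer IDs and client addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log for a customer-lookup API (not real Optus logs).
# Format: "<client_ip> <method> <path> auth=<yes|no> status=<code>"
SAMPLE_LOG = """\
203.0.113.10 GET /api/customers/100001 auth=no status=200
203.0.113.10 GET /api/customers/100002 auth=no status=200
203.0.113.10 GET /api/customers/100003 auth=no status=200
203.0.113.10 GET /api/customers/100004 auth=no status=200
203.0.113.10 GET /api/customers/100005 auth=no status=200
198.51.100.7 GET /api/customers/100777 auth=yes status=200
198.51.100.7 GET /api/customers/100777 auth=yes status=200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) /api/customers/(?P<cid>\d+) "
                     r"auth=(?P<auth>yes|no) status=(?P<status>\d{3})$")

def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["cid"], d["status"] = int(d["cid"]), int(d["status"])
            events.append(d)
    return events

def find_enumeration(events, min_run=4):
    """Return {ip: longest_run} for clients whose successful lookups walked
    consecutive customer IDs for at least min_run requests in a row."""
    per_client = defaultdict(list)
    for e in events:
        if e["status"] == 200:
            per_client[e["ip"]].append(e["cid"])
    flagged = {}
    for ip, ids in per_client.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

def unauthenticated_hits(events):
    """Count 200 responses served with no credential at all (the core failure)."""
    return sum(1 for e in events if e["auth"] == "no" and e["status"] == 200)
```

Either signal on its own should page someone: a single client walking consecutive IDs, or any successful read of another customer’s record with no credential presented.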
On September 23, Optusdata posted on BreachForums, an illicit dark web hacking community forum, that the stolen data trove included details of 11.2 million Optus customers and 3.66 million driving licence numbers. Optusdata provided two sample batches, each with the personal details of 100 current and former Optus customers.
“Optus, if you are reading this the price for us not to sale (sic) data is 1.000.000$US! We give you one week to decide,” the post said.
“Buyers, price for user’s data is 150.000$US, prices for addresses data is 200.000$US. Together, 300,000$US. Exclusive sale cost 1.000.000$US total. No sale will be made for 1 week until Optus reply.”
Kirk calls the demand outright extortion. “This person has accessed an Optus system, downloaded all this data and is saying, ‘if you don’t want me to release this to other people, you need to pay me.’”
While Optus says it is still verifying the sample data posted online, Kirk says there are strong signs the sample is legitimate. The email addresses it contains include Optus-assigned addresses that have not appeared in any previous data breach.
Kirk also visited a resident of his neighbourhood whose details appeared in the sample data. She confirmed that the printout, which included her driver’s licence number, was correct; she had been an Optus customer until 2018.
Current legislation requires telcos to keep customer data for up to six years. “If you want to participate in a modern economy, you have to give up your data,” says Kirk.
Meanwhile, amid claims Optus didn’t do enough to protect its customer data, Home Affairs Minister Clare O’Neil is preparing reforms that will allow companies to more quickly notify financial institutions in the event sensitive customer data is stolen.
“I will have much more to say in coming days about the Optus cyber attack and what steps need to be taken in the future,” the Minister posted online on the weekend.
During a 2020 Federal Government review of the Privacy Act, Optus argued against giving customers more say in how companies handled and stored their data. Optus argued giving customers the right to force companies to erase their data would present “significant technical hurdles.”
Kirk says that whatever happens now, those 11.2 million Optus customers cannot wind back the loss of their data. He also says what happened at Optus has happened before and will likely happen again.
“Mistakes happen, and the fact that this API was exposed to the internet was not an uncommon mistake,” he said. “Other organisations have made the same mistake with almost the same ends.”