In case you weren’t aware, one of Australia’s largest telecommunications companies, Optus, recently suffered one of the largest cybersecurity breaches to date. While the full extent of the breach has yet to be revealed, Optus has 9.7 million subscribers, and the data taken allegedly goes back to 2017 and includes former customers.
Allegedly, the stolen data covers over 11 million current and former Optus customers. In many other parts of the world, a breach of this scale would have resulted in very large fines. In Australia, at the time of writing, there is no comparable legislation to hold a company accountable for a breach like this.
The data that was taken wasn’t just names and email addresses. It also included passport and driver’s licence details and other pieces of identification that can be used to steal someone’s identity or commit fraud.
It’s an absolute mess. The only thing that rivals the unbelievable scope of the attack is how Optus handled it, or more specifically, didn’t handle it. Customers found out about the attack from news stories. Optus hadn’t told them that their identity documents might have been compromised.
To date, Optus has not revealed how the attacker got access to the data. But a journalist contacted the person claiming to be the attacker, who said they used a publicly available API endpoint that was unauthenticated. They didn’t need to log in.
While this is being called an attack, it’s incompetence on Optus’ part. The hacker didn’t break into anything. They didn’t exploit a complex vulnerability or phish an employee to get access; they sent requests to an endpoint that answered anyone who asked.
This kind of attack is so laughably simple that a high school kid with an interest in computers could have pulled it off. Your grandma, with a little coaching and limited computer knowledge, could have performed the same “attack”. That’s how basic this appears to have been.
How embarrassing. Optus suffered a massive data breach because they left an endpoint open. What makes it even worse is that they apparently had no effective monitoring in place. Pulling data on millions of customers through an API means a sustained, abnormal volume of requests, and any company with proper monitoring would have noticed that many requests hitting its api.optus.com.au endpoint and found it suspicious.
Alarm bells should have been going off the moment a spike appeared on their graphs showing a higher than usual load on the API server.
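What the monitoring described above would actually look like, as an added example that is not Optus’ tooling or this post’s author’s code: a small Python script that runs over a constructed access log and raises two kinds of alert, one when a single client exceeds a per-minute request budget, and one when a minute’s total API volume spikes well above the median minute. The log format, the client addresses and the `/v1/customers/...` path are assumptions made for the example; nothing here reflects the real api.optus.com.au endpoint or the real traffic.

```python
"""Rate-anomaly detection over API access logs (added example, constructed data)."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format (not a real Optus format):
#   <client_ip> [<ISO-8601 timestamp>] "<METHOD> <path>" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
API_PREFIX = "/v1/"   # only requests under this prefix count as API traffic


def constructed_sample_log():
    """Build a constructed access log: ten minutes of quiet baseline traffic from many
    different clients, then one client making 120 requests within a single minute.
    The addresses and paths are hypothetical (RFC 5737 documentation ranges)."""
    lines = []
    for minute in range(10):                      # baseline: 3 requests/minute, 3 clients
        for k in range(3):
            ip = f"198.51.100.{minute * 3 + k + 1}"
            lines.append(f'{ip} [2022-09-17T10:{minute:02d}:{k * 15:02d}Z] "GET /v1/account/me" 200')
    for k in range(120):                          # one client, 120 requests in minute 10
        lines.append(f'203.0.113.7 [2022-09-17T10:10:{k // 2:02d}Z] "GET /v1/customers/{1000 + k}" 200')
    return "\n".join(lines)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def requests_per_minute(records):
    """Bucket API requests by minute: {minute -> Counter(client_ip -> request count)}."""
    buckets = defaultdict(Counter)
    for r in records:
        if r["path"].startswith(API_PREFIX):
            minute = r["ts"].replace(second=0, microsecond=0)
            buckets[minute][r["ip"]] += 1
    return buckets


def find_anomalies(buckets, per_ip_threshold=30, spike_factor=5.0):
    """Return (per_ip_alerts, spike_alerts).

    per_ip_alerts: (minute, ip, count) for any client over per_ip_threshold in one minute.
    spike_alerts:  (minute, total) for any minute whose total volume exceeds
                   spike_factor times the median per-minute volume in the window.
    """
    per_ip_alerts = []
    for minute, counter in sorted(buckets.items()):
        for ip, n in counter.items():
            if n > per_ip_threshold:
                per_ip_alerts.append((minute, ip, n))
    totals = {m: sum(c.values()) for m, c in buckets.items()}
    median = statistics.median(totals.values()) if totals else 0
    spike_alerts = [(m, t) for m, t in sorted(totals.items()) if t > spike_factor * median]
    return per_ip_alerts, spike_alerts


def analyse(log_text):
    """Parse a whole log and run both detections; unparseable lines are skipped."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return find_anomalies(requests_per_minute(records))


if __name__ == "__main__":
    per_ip, spikes = analyse(constructed_sample_log())
    for minute, ip, n in per_ip:
        print(f"ALERT per-client: {ip} made {n} API requests in minute starting {minute:%H:%M}")
    for minute, total in spikes:
        print(f"ALERT volume spike: {total} API requests in minute starting {minute:%H:%M}")
```

The thresholds are deliberately simple; in a real deployment the baseline would come from weeks of history rather than the same ten minutes, and the per-client rule would also be applied per API key or session, since an attacker can spread requests across many source addresses.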
And Optus isn’t a small company; they have millions of customers. For a company that made $2.07 billion in profit for the 2021-2022 financial year, it’s even more embarrassing.
Maybe Optus needs to spend some of that profit on cybersecurity staff. A search on Seek for Optus cybersecurity jobs yields a single result at the time of writing, and that’s for their Fetch TV service.
In contrast, after Uber suffered its own large breach, they posted over 80 job listings for cybersecurity roles.
And if your sides weren’t hurting from laughter already: Optus’ parent company, Singtel, also owns a cybersecurity company called Trustwave. For a real belly laugh, all you have to do is read the blurb on Trustwave’s page:
“Trustwave, a Singtel company, is a global leading cybersecurity provider with an extensive portfolio of services, and a proven track record of helping businesses securely embrace digital transformation.”
Anyway, after the breach, amid the silence from Optus and the panic, the hacker went online and made a ransom demand for one million dollars in Monero. As this unfolded, people whose records were among the 10,000 the attacker leaked as a sample confirmed the data was accurate. And yet, barely a notification from Optus until days later.
In a pathetic attempt to stem the PR nightmare enveloping them, Optus offered customers a free subscription to an identity protection service. The laughable thing about this shallow offer is that you can already monitor your credit file and other facets of your identity for free. Furthermore, only certain customers are being offered the 12 months.
What happens after 12 months? Do criminals stop exploiting stolen data after 12 months? Given the size of the dataset, if it did get out it could keep crime rings busy for years. Passports and driver’s licences have notably long expiry periods.
And just when you thought the situation couldn’t get any more convoluted and weird, the hacker, after posting the data of 10,000 former and current customers, posted an apology and deleted the original thread and the data.
The hacker even went as far as apologising for the inconvenience in their forum post. How do you go from ransoming a large and valuable dataset to deleting it and dropping your demand?
If you want to see the thread yourself, along with the replies from other users, it’s on Breach Forums.
The looming threat of the Australian government and Australian law enforcement hunting you down might have something to do with it. While IPs were allegedly traced to Europe, it makes me wonder whether the hacker is actually Australian.
Why would a European hacker be afraid of Australian crime agencies? The threat of extradition is real, but it seems likely to me that the hacker is Australian (or nearby) and worries the walls are closing in on them. The post starts with “Too many eyes”, which indicates they know they might eventually be found.
Although, here’s a thought. What if Optus did pay the ransom, and the attacker agreed to keep quiet and delete the data? While the attacker appears scared, it makes you wonder whether a payment was made and they’re now just holding up their end of the deal.
After releasing a subset of the data (10,000 records), the attacker’s sudden U-turn seems very suspicious. And if Optus did make a payment, would they be obligated to report it publicly?
Or, taking the thought further, did someone else buy the data before Optus could? Maybe someone offered well above the $1m and the attacker sold it. It would be the perfect cover, right?
Perhaps the only saving grace in all this is that Australia is planning to overhaul its privacy laws, as many other countries have already done to protect their citizens. With those laws, we can only hope that fines and other penalties for serious breaches like this one land on companies like Optus that suffer attacks of this scale.