
Optus breach casts spotlight on cyber resilience

The massive data breach that affected more than 10 million Optus customers has cast the spotlight on API security and other factors that contribute to the cyber resilience of organisations in Australia

The massive Optus data breach that could have compromised the personal data of more than 10 million users has once again cast the spotlight on the cyber resilience of organisations in Australia.

The incident, which involved the theft of names, addresses, dates of birth, phone numbers, email addresses, and driver licence and passport numbers, was detected due to “unusual network activity”, said Optus CEO Kelly Bayer Rosmarin. The attack was shut down as soon as it was discovered.

Shortly after the breach occurred, someone posted a message on a hacking forum claiming to be in possession of personal information regarding more than 11 million Optus customers. The perpetrators gave the company a week to pay a $1m ransom in cryptocurrency or the data would be sold.

A small subset of the data was released, suggesting that it wasn’t merely a compilation of data collected in previous cyber attacks.

It was subsequently revealed that the customer data in some cases also included Medicare numbers. Australian health minister Mark Butler expressed concern that the government was not immediately notified of this.

Risk of identity theft

Past and present Optus customers were warned that their data could be used against them in two main ways. Perhaps the biggest danger is that of impersonation or identity theft. Organisations commonly use dates of birth and home addresses to confirm the identity of customers who contact them by phone, so there is potential for changing account details, or in some cases conducting fraudulent transactions.

While a “100 point” identity check would normally involve sighting the original or certified copies of documents such as a driver licence (60 points), passport (70 points) or Medicare card (40 points), there are situations where organisations use a weaker version of the check that only requires provision of the numbers on those documents.

To help guard against these negative outcomes, Optus has offered to pay for a one-year subscription to credit monitoring and identity protection service, Equifax Protect, for its most affected customers.

The telco has temporarily suspended SIM swaps and replacements as well as changes of ownership unless customers visit an Optus Retail location and present appropriate identification.

The compromised data could also be used to personalise phishing campaigns as well, making it more likely that recipients would click on links resulting in account takeovers, the installation of malware, or other unwanted outcomes.

Other scams related to the breach reportedly involve bogus threats to release the victim’s data unless they pay a ransom, and fake offers to remove the victim’s data from the dark web.

By 26 September 2022, it was established that the equivalent of 100 points of identification had been extracted for 2.8 million Optus customers – a substantial subset of the total.


According to reports, the Optus customer data was accessed via an application programming interface (API) that had not been secured, allowing anyone who stumbled across it or otherwise knew of its existence to iterate through all possible phone numbers and receive the matching user information.
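A defender's view of the mechanism described above, as an added example that is not Optus's code or part of the article: it scans constructed API access-log lines for a client walking through many distinct customer identifiers, the kind of "unusual network activity" that detection should trip on. The endpoint path, log format and thresholds are assumptions.

```python
"""Detect identifier enumeration against a customer-lookup API from access logs.

Added example, not code from Optus or the article. It assumes a hypothetical
endpoint /api/customer/<phone> and a constructed log format:
    <ISO timestamp> <client_ip> <status> <path>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one client walks sequential numbers, one looks normal.
SAMPLE_LOG = """\
2022-09-21T10:00:00 203.0.113.5 200 /api/customer/0400000001
2022-09-21T10:00:01 203.0.113.5 200 /api/customer/0400000002
2022-09-21T10:00:02 203.0.113.5 404 /api/customer/0400000003
2022-09-21T10:00:03 203.0.113.5 200 /api/customer/0400000004
2022-09-21T10:00:04 203.0.113.5 200 /api/customer/0400000005
2022-09-21T10:00:05 198.51.100.9 200 /api/customer/0412345678
2022-09-21T10:05:00 198.51.100.9 200 /api/customer/0412345678
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, status, identifier)."""
    ts, ip, status, path = line.split()
    return datetime.fromisoformat(ts), ip, int(status), path.rsplit("/", 1)[-1]


def find_enumerators(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {client_ip: distinct identifiers seen} for each client that requests
    at least `threshold` distinct identifiers inside any sliding `window`.
    Misses (404) count too: an enumerator produces many of them."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, _status, ident = parse_line(line)
            by_ip[ip].append((ts, ident))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {ident for _, ident in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = len(distinct)
                break
    return flagged
```

A repeated lookup of one number by one client is ordinary traffic; it is the breadth of distinct identifiers per client, not the request count, that marks a scrape.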

While that would seem to point the finger at human error as the root cause, Optus denied that was the case but declined to provide more details because the attack was “the subject of criminal proceedings”.

The Australian Federal Police (AFP) launched Operation Hurricane to investigate the matter, and was working closely with Optus, the Australian Signals Directorate and overseas law enforcement agencies. It was subsequently revealed that this included the US Federal Bureau of Investigation.

The AFP was also assisted by the Joint Policing Cybercrime Coordination Centre (JPC3), a partnership between law enforcement, the private sector and industry that aims to combat cybercrime.

“It is an offence to sell or buy stolen identification credentials, with penalties of up to 10 years’ imprisonment,” noted assistant commissioner Justine Gough, who was given the job of leading the AFP’s Cyber Command late last year.

On 26 September, Optus said it had contacted by email or SMS all customers whose ID document numbers had been accessed, although it was still in the process of contacting other affected customers.

False sense of security?

The next day, 27 September, brought a possibly misplaced sigh of relief when the apparent perpetrators apologised to Australians affected by the breach, claiming to have deleted the only copy of the data and withdrawn the ransom demand. Optus confirmed it had not paid the ransom.

The attackers also wrote: “Optus if your reading we would have reported exploit if you had method to contact. No security mail, not way too message. Was mistake to scrape publish data in first place.”

Whether the poor English is an indication that it is not the individual’s first language remains to be seen, as a fluent speaker can deliberately adopt poor spelling and grammar. That said, there have been reports that Optus’s systems were accessed from an IP address in Europe, but that doesn’t mean that’s where the attack was initiated.

Given that the perpetrators demanded a ransom, there is no reason to assume they are telling the truth. For example, it is possible that the data has already been sold to other criminals, security experts warned. And pretending the data has been deleted could increase its value by giving a false sense of security to the affected individuals.

Replacement passports and driver licences

Optus is telling affected customers whether they need to replace their driver licences, which are issued by the individual states, but the states' policies on reissuing licences vary.

Optus has said it will automatically credit affected customers for the cost of replacing their licences, but Victoria, Queensland, South Australia and Western Australia have announced the usual fee will be waived for those individuals.

Contrary to its normal practice, Victoria is allowing the reissue of licences even if fraud has not actually occurred. The Victorian and Western Australian governments have indicated they will ask Optus to cover the cost of issuing the new licences.

Passport holders can apply for a replacement, but waiting times of at least six weeks (and, according to some, several months) are currently being experienced because of the surge in passport applications following the end of Covid-19 travel restrictions.

The fee for an Australian passport is A$308, with an optional A$225 priority fee for faster service. Foreign minister Penny Wong has called on Optus to pay for new passports for affected customers.


As for Medicare numbers, health minister Mark Butler said the government is considering how best to deal with the situation. That could mean providing affected Optus customers with new Medicare numbers. Currently, only the last digit changes when a Medicare card is reissued, which provides little protection against criminal activity.

A class action may be mounted against Optus. Law firm Slater and Gordon said it was investigating the matter, but members of the class would need to show they have actually suffered a loss as a result of the breach, and that they had tried to mitigate it. The mere exposure of personal information is reportedly an insufficient basis for legal action.

Lessons to be learned

While the exact nature of the breach has yet to be confirmed, a lack of API security is widely regarded to be at least a contributor.

Troy Leliard, solution architect at Noname Security Asia-Pacific, noted Gartner’s prediction that APIs will become the most common attack vector in 2022.

Research recently commissioned by his company also found that nearly half of the organisations surveyed had low confidence in the completeness of their API inventory, and consequently 41% had an API security incident in the past 12 months.

Respondents’ top-cited API security problems include poor API logging practices; problems in API authentication, including lack of authentication in APIs that should require it; and API misconfiguration.

“Even more concerning is an apparent disconnect between what is happening in the real world, and organisational attitudes towards API security. Additional research found that the level of misplaced confidence around API security is disproportionally high in comparison to the number and severity of API related breaches.

“This points to the need and urgency for further education by security and development teams around the realities of API security and is hopefully something that comes out through broader government cyber education initiatives,” Leliard said.

Sean Duca, Palo Alto Networks’ chief security officer in the Asia-Pacific region, wasn’t surprised that a company in the telecommunications sector was attacked.

“Telcos are a prime target for cyber attacks because they build, control and operate critical infrastructure that is extensively used to communicate and store large volumes of sensitive data,” he said, adding that the Optus breach is “another stark reminder of the vulnerabilities that can be leveraged for a well-orchestrated hack, which can happen to any organisation”.

An Australian Computer Society (ACS) spokesperson suggested at least part of the problem is the shortage of skilled cyber security professionals.

“The Optus data breach highlights the importance of trained and skilled cyber security professionals to Australian businesses and government agencies. Securing data and systems is essential in protecting the nation’s digital assets and all Australians’ personal information.

“With Australia needing up to 30,000 cyber security experts in coming years, ACS has been working with education institutions to help address the demand for skilled workers with nine accredited courses at Australian universities.

“While these courses are one way of addressing the need for more people with skills in these fields, we also require industry and government to be investing in both skills and systems to ensure all Australians’ data is secure and our key systems are safe.

“ACS urges Australian governments and businesses to take cyber threats seriously and looks forward to working with ministers, government departments and corporations to secure the nation’s digital economy.”

On the positive side, Synopsys’ head of solutions strategy in Asia-Pacific, Phillip Ivancic, congratulated Optus on its initial handling of the incident.

“From the little we know so far, it looks like the hardworking Optus IT security teams should be commended for their swift actions. The fact their CEO was able to provide initial details and a public statement seemingly within hours on a national public holiday means that Optus must have a well-established, and well-practiced, incident response plan.

“That early reports indicate the breach was picked up as part of their continuous assessment framework is another example of important and multi-layered defences,” he said.

The question of data encryption has been raised. Assuming a lack of API security really was involved, the severity of the breach would have been greatly reduced if the API had delivered encrypted data, leaving the application that consumes the data to take care of decryption.

Also, relatively little public attention has been given to the question of whether all of the data should have been stored. The Telecommunications (Interception and Access) Act 1979 requires service providers to retain “information used by the service provider for the purposes of identifying the subscriber of the relevant service” until two years after the account has been closed.

That means Optus was not to blame for keeping the information, but one of the arguments mounted against the data retention scheme was that it would make service providers attractive targets.

Ironically, Optus reportedly opposed a proposal to amend the Privacy Act to give people the right to have their personal information erased.

Home affairs minister Clare O’Neill has foreshadowed changes to the security regime. They are expected to include measures to ensure banks and other institutions are quickly informed of similar breaches to reduce the risk that the data will be used to facilitate fraudulent transactions.

While the Optus breach is said to be one of the largest to occur in Australia, it is unlikely that it will be the last.
