The optus data breach consequences. Reports of data being ransomed & Government’s first response
September 25, 2022 |
When hackers steal data they commonly do it for a reason. The days of student hackers breaching cyber defences for the fun of it are long gone. They have been more a product of Hollywood than reality, with some notable long ago exceptions. Similarly white hat hackers don’t find vulnerabilities and then steal data. They typically find the vulnerability and then notify the company. The Optus breach is more in line with either criminals aiming to turn the product of their theft into money or state based hackers whose aims and motivations are more complicated; disruption, obtaining intelligence data on individuals, data to be used for identity theft and for use in conjunction with other data. State based actors take a much longer view than criminals. There is some evidence that the data, or at least some of it, is being offered for sale on the dark net.
The data breach story has now moved into its second phase, where interested parties use it to push their agendas. The Telcos are making its clear that their compliance obligations in retaining meta data are contributing to privacy breaches. Doubtful. They may contribute to compliance costs and definitely make the consequences of a data breach more significant. So much more to steal (if not properly protected that is). But they do not weaken cyber security defences in and of themselves. There is a real issue about excessive legal requirements to obtain and retain personal information. And the meta data retention laws require telcos to retain masses of data for longer than they would need them not to mention these laws are a continuing pernicious blight on liberal democracy, giving agencies a right to access meta data without a warrant. There is also the general preference for companies to collect and store more personal information than they need and for as long as they can as the Age notes in an opinion piece No, Optus doesn’t need to keep your sensitive information for so long. But none of that is not a cyber security issue, as in protecting personal information from criminal actors. While there may be some regulatory overload on telcos any sympathy must be tempered by the fact that cyber security is a separate issue. The protection of data (even that retained reluctantly) is possible with proper cyber security systems, proper protocols and adequate training. None of which is in abundant supply. Companies give too little emphasis on privacy and spend the bare minimum, often less. Unlike the United States and the United Kingdom, data breaches in Australia do not bring a serious regulatory response by way of civil proceedings, fines or enforceable undertakings. If the worst case scenario from a data breach is a tepid and muted regulatory response and some reputational damage what is the incentive for a company to seriously get its house in order.
According to the ABC the Government is going to legislate to require financial institutions of data breaches. The Australian runs a similar story as well. This is dealing with symptoms not problems and makes a complicated but ineffective privacy regime even more cumbersome.
The ABC story provides:
The Home Affairs Minister is soon expected to announce several new security measures following the massive Optus data breach that saw hackers steal the personal details of up to 9.8 million Australians.
On Saturday, Clare O’Neil and several of her federal ministerial colleagues met with the Australian Signals Directorate and the Cyber Security Centre to discuss the fallout from the devastating cyber-hack.
Under the changes to be announced in coming days, banks and other institutions would be informed much faster when a data breach occurs at a company like Optus, so personal data can’t be used to access accounts.
The ABC has been told the first step to occur will be directing Optus to hand over customer data to the banks so financial institutions can upgrade security and monitor customers who’ve had their personal details stolen.
Privacy protections currently prevent banks being immediately told about a cyber breach that’s relevant to their customers.
On Saturday, Ms O’Neil tweeted a response to the breach, saying changes to the way Australian companies protect customer data were needed.
Across Australia’s telecommunications sector, frustration is growing at the level of federal regulation imposed on the industry, including metadata retention laws, which many blame for contributing to privacy breaches.
“It annoys me that people think Optus and others want this data – it’s necessary for metadata laws – we don’t,” one long-serving telecommunications insider told the ABC.
“People pretend data is gold — it isn’t; it’s uranium – super useful if used correctly and incredibly dangerous to just have laying about.”
Across Australia’s telecommunications sector, frustration is growing at the level of federal regulation imposed on the industry, including metadata retention laws, which many blame for contributing to privacy breaches.
“It annoys me that people think Optus and others want this data – it’s necessary for metadata laws – we don’t,” one long-serving telecommunications insider told the ABC.
“People pretend data is gold — it isn’t; it’s uranium – super useful if used correctly and incredibly dangerous to just have laying about.”
Suggestions of further security measures being prepared by the Albanese government have also been received with skepticism.
“[We’re] satisfying regulations on impossible timelines with effectively a network built in the 1990s,” one senior industry figure told the ABC, speaking on the condition of anonymity.
“We don’t even have a publicly verifiable chronology on how the Optus breach happened yet, the investigation isn’t done and yet somehow we’re rushing in laws — not a great plan.
“If this was a plane crash, we would let the investigators determine the cause before we decided what to do about it — that’s why flying is so safe”.
The Guardian reports in AFP investigates $1m ransom demand posted online for allegedly hacked Optus data that yesterday there was a post on a data market by a person who claimed to be in possession of stolen personal information. There is a similar report in the News. com with Optus data breach: Hacker demands $1.5 million ransom, customer info leaked on dark web.
The Guardian story provides:
Attorney general Mark Dreyfus has been briefed by the privacy commissioner about hack and is seeking ‘urgent’ meeting with telco.
The Australian federal police is investigating after the data of millions of Optus customers exposed during a recent hack was allegedly put up for sale online.
On Saturday morning a post appeared on a data market from a user claiming to be in possession of the information obtained from the breach with a demand for $1m in Monero cryptocurrency.
The user posted a sample of the data. The cybersecurity researcher Jeremy Kirk said the sample appeared to correspond to real-world addresses and people, which suggested the post was genuine.
“Someone is claiming to have stolen Optus account data for 11.2 million users,” he said online. “They want $1m in the Monero cryptocurrency from Optus to not sell the data to other people. Otherwise, they say they will sell it in parcels.”
Even if Optus was to pay the ransom, there is no guarantee the user would stick to an agreement not to sell the data elsewhere.
Kirk said he had verified some of the information by speaking to a neighbour whose name and address was contained in the sample.
“I found the person in the dataset. She was working in her front yard. She wants to stay unnamed but confirmed she is a former Optus customer and that her data is accurate. We still need a confirm from Optus on the data but this is all lining up,” he said.
“I explained who I was and handed her a printout of her data (as an aside, kind of a weird experience – shoe leather journalism meets cyberspace). She said it was kind of scary. She hadn’t been contacted by Optus yet.”
This information could not be immediately verified but a spokesperson for the AFP said the agency was aware of claims the data had been put up for sale.
“The AFP is aware of reports alleging stolen Optus customer data and credentials may be being sold through a number of forums, including the dark web,” they said.
“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law.”
The spokesperson warned that it was an offence to buy stolen credentials with those convicted facing a maximum penalty of 10 years in jail.
A spokesperson for the attorney general, Mark Dreyfus, said his office was seeking an “urgent” meeting with Optus to “ascertain the proactive steps they are taking to minimise harm to Australians who’ve lost data”.
“The attorney general has also had several briefings about the Optus hack and the threat it poses to Australians’ private data from the privacy commissioner,” the spokesperson said.
Many customers have reported a nervous wait to be contacted by Optus or having to take matters into their own hands and call the company to find out whether they had been exposed in the attack.
In a new statement on the attack, Optus said it was cooperating with authorities while it was continuing to contact customers who may have had their data stolen.
The company said that since it announced the attack, it had become aware that cybercriminals may begin targeting Optus customers with phishing scams.
It warned customers to be wary of links sent in SMS texts or emails.
“If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus. Please do not click any links.”
The Department of Foreign Affairs and Trade, which overseas the Passport Office, did not immediately respond to questions about whether it would automatically reissue passports of those affected.
A spokesperson instead referred to statements published on Friday which sought to make clear there had been no breach of passport systems.
In one FAQ, under a section titled “Why do I have to pay to replace my passport when this wasn’t my fault”, the answer said: “We weren’t responsible for the data breach.”
Those who are affected are advised that it is up to the individual to apply for a new passport.
Applications to replace a passport cost $308.