The Optus breach, the consequences, the strong suggestion that human error contributed to Australia’s largest data breach and finally a letter to consumers!
September 24, 2022
Every data breach is different. There are different types of attacks: through third-party vendors, stolen access credentials, zero-day vulnerabilities or a failure to patch cyber defences. What has been released to the public is that there was a weakness in the firewall, a vague description that could mean almost anything. What is not made clear is what defences behind the firewall were in place and whether they were working. Did Optus have programs running which detected unusual activity within the system? What about defences protecting the data itself? Was there any detection of exfiltration? A surge of activity involving a large volume of data should be detected if there are programs in place and proper procedures.
The breakdown of the breach, in broad terms, is:
- exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers
- dates of birth, email addresses and phone numbers of another 7 million customers.
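The paragraph above asks whether a surge of activity pulling a large volume of customer data would have been detected. The following is an added example, not Optus code and not based on any knowledge of its systems: a small sliding-window detector run over constructed API access log lines. The log format, the client addresses, the record identifiers, the five-minute window and the threshold of five distinct records are all assumptions chosen for illustration; in practice the threshold would be set from the legitimate per-service baseline.

```python
"""Flag clients that read an anomalous number of distinct customer records in a short window.

Added example (not Optus code). Assumes log lines are in time order and have the
constructed shape: <ISO timestamp> <client> <method> <path> <status>.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one client (10.0.5.7) retrieves six different records
# in a few seconds; another (10.0.9.2) makes occasional single lookups.
SAMPLE_LOG = """\
2022-09-21T22:00:01Z 10.0.5.7 GET /customers/7f3a 200
2022-09-21T22:00:03Z 10.0.5.7 GET /customers/2c9e 200
2022-09-21T22:00:04Z 10.0.5.7 GET /customers/b410 200
2022-09-21T22:00:05Z 10.0.5.7 GET /customers/9d17 200
2022-09-21T22:00:06Z 10.0.5.7 GET /customers/44ab 200
2022-09-21T22:00:07Z 10.0.5.7 GET /customers/e6c2 200
2022-09-21T22:00:09Z 10.0.9.2 GET /customers/0f58 200
2022-09-21T22:15:00Z 10.0.9.2 GET /customers/31d9 200
2022-09-21T22:30:00Z 10.0.9.2 GET /customers/0f58 200
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, record id)."""
    ts, client, _method, path, _status = line.split()
    record = path.rsplit("/", 1)[-1]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, record


def find_bulk_readers(log_text, window=timedelta(minutes=5), max_records=5):
    """Return {client: peak distinct records seen within any window} for clients
    whose distinct-record count exceeds max_records.

    Counting distinct records rather than raw requests means repeated lookups of
    the same customer (normal for support tooling) do not trigger an alert, while
    a sweep across many customers does.
    """
    recent = defaultdict(deque)  # client -> deque of (timestamp, record) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, record = parse_line(line)
        q = recent[client]
        q.append((ts, record))
        # Drop entries older than the window (log is assumed time-ordered).
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > max_records:
            alerts[client] = max(alerts.get(client, 0), distinct)
    return alerts


if __name__ == "__main__":
    for client, peak in find_bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT {client}: {peak} distinct customer records within one window")
```

A detector like this sits behind the firewall on the data path (API gateway or database audit log) rather than at the perimeter, which is the layer the paragraph above is asking about. On the constructed log it flags only 10.0.5.7.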
Optus’s response to the data breach has been something of a curate’s egg: good in parts.
Optus has adopted a personal approach in response to the breach, with a personal mea culpa by Optus chief executive Kelly Bayer Rosmarin, as reported by The Australian in “Optus chief Kelly Bayer Rosmarin apologises for massive hack that could date to 2017”. It provides:
Optus chief executive Kelly Bayer Rosmarin has delivered an emotional apology for the company’s data breach which has affected up to nine million of the telco’s customers.
Fronting the media on Friday Bayer Rosmarin was on the verge of tears when asked how she feels about the data breach occurring under her leadership.
It is understood personal details dating back to 2017, and with possible links to Europe, may have been accessed in the hacking attack.
“[I feel] terrible,” Ms Bayer Rosmarin told reporters.
“It’s a mix of emotions. Obviously, I’m angry, that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer in this industry and really trying to create new and wonderful experiences for our customers.
“And I’m very sorry, and it should not have happened.”
As The Australian first reported on Thursday Optus customers face a heightened risk of identity theft and online scams after the personal information of almost 10 million of the telco’s users was compromised in one of the nation’s biggest-ever data breaches.
The nation’s top cyber spies at the Australian Signals Directorate are working with Optus to trace the perpetrators of the devastating cyber attack, which exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers. A further seven million Optus users had their dates of birth, email addresses and phone numbers stolen.
The attack, discovered on Wednesday night, comes just days ahead of a visit to Australia by the entire board of Optus parent company Singtel.
It’s understood hackers exploited a weakness in Optus’s firewall. Sources said it remained unclear whether the attack was by a criminal or state-based hacking group.
It’s understood that some Optus phone numbers have been sold online via the dark web, as early as a week ago.
Ms Bayer Rosmarin said that customers who were with the telco as far back as 2017 have been impacted, though the company would not disclose details of how the hack occurred.
“The exact mechanics are subject to a criminal investigation and we won’t be divulging that,” she said.
“Without saying too much, the IP address [of the hackers] kept moving. It’s a sophisticated attack. Safe to say it comes out of various countries in Europe, and in terms of the customer data, I think it dates back to 2017.”
The company has turned off online SIM swaps and replacements, instead requiring customers to physically visit an Optus retail store with a relevant ID.
“We are in the process of contacting customers who have been directly impacted,” the company said in a statement on its website.
“If you believe your account has been compromised, you can contact us via My Optus App – which remains the safest way to contact Optus or call us on 133 937 for consumer customers. Due to the impact of the cyberattack, wait times may be longer than usual.
“If you are a business customer, contact us on 133 343 or your account manager.”
PwC partner Rob Di Pietro, who leads the firm’s cybersecurity and digital trust unit, said in an interview that the Optus hack would serve as a wake-up call for many Australian companies, and a reminder of the significant threats posed by hackers.
“With attacks of this nature, where large amounts of personal information are stolen or compromised, the identities could then be sold on the black market, which leads to the risk of identity fraud,” he said.
“Another option will be for the attackers to start approaching impacted individuals with the information they have, to try elicit further information such as financial details. These are things that affected customers should potentially be on the lookout for.”
Notices to customers were sent overnight. The notice provides:
This was reported on here. Compared to notices sent in the United States, where notifications have been common for some time, it is a cumbersome document. That said, it addresses the key issues.
Optus has claimed that human error was not involved. That position is becoming complicated as unnamed sources from within Optus have indicated that human error may have at least contributed to the breach. The ABC, in “‘Human error’ emerges as possible factor in Optus hack affecting millions of Australians”, has found an unnamed “senior figure” within Optus who has given enough information to let the ABC report that “preliminary investigations” suggest that an IT programmer made a mistake which contributed to the breach. That makes some sense. Cyber attacks against an up-to-date and properly maintained firewall are difficult to the point of not being worth the effort. Here the suggested means of entry was a mistake in the use of an Application Programming Interface, possibly via a test network having internet access. And there is the entry point for the hackers. That has been denied by Optus, but no meaningful explanation has been provided as to how the breach occurred, or how the data was accessed. The fact that hackers breached the outer defences of the network does not necessarily mean the data stored within the network should have been vulnerable.
The ABC report provides:
Preliminary investigations by Optus suggest an error by an IT programmer may have inadvertently allowed cyber criminals to steal personal details of potentially millions of customers.
A senior figure inside Optus has spoken to the ABC on the condition of anonymity to offer confidential insights into the early findings uncovered by the telecommunication company’s IT specialists.
“[It’s] still under investigation, however, this breach, like most, appears to come down to human error,” the Optus insider told the ABC.
“[They] wanted to make integrating systems easier, to satisfy two-factor authentication regulations from the industry watchdog, the Australian Communications and Media Authority (ACMA).”
The process allegedly involved opening up the Optus customer identity database to other systems via what’s known as an Application Programming Interface, with the assumption that the API would only be used by authorised company systems.
“Eventually one of the networks it was exposed to was a test network which happened to have internet access.”
This allowed access to the Optus network from outside the company.
Optus told the ABC suggestions the attack stemmed from human error were inaccurate, but conceded the incident was still under investigation.
Earlier today, the ABC put specific questions to Optus CEO Kelly Bayer Rosmarin about whether human error involving the company’s API was behind the breach.
“I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and so we will not be divulging details about that,” Ms Bayer Rosmarin told an online media briefing.
“Optus has very strong cyber defences, cyber security has a lot of focus and investment here and so this should serve as a warning call to all organisations: there are sophisticated criminals out there and we really need all organisations out there to be on alert”.
The ABC has been told Optus believes those behind the intrusion scraped the consumer database and about one third was successfully copied.
Ms Bayer Rosmarin has declined to specify how many customers have had their data breached, but the Optus CEO believes it’s much lower than the “worst case scenario” of 9.8 million.
“We expect the number to be considerably less than that once we’ve worked through the information”.
Former AFP cyber expert says human error likely led to hack
Former Australian Federal Police officer and cyber security expert Nigel Phair said human error was a very likely contributing factor in the massive data breach.
“Organisations like Optus and many others of that ilk have really good controls around firewalls and identification of intrusions and that type of thing,” Mr Phair said.
“There’s been a weakness somewhere and invariably that weakness, from what we’ve seen normally, is from a human.”
Mr Phair, who now runs the Cyber Centre at the University of New South Wales, said big companies such as Optus have many networks and different applications that talk to each other in those networks.
“So, we build APIs so that they can talk to each other and includes things like having a test network where you might test a patch for an upgrade or a security flaw,” he explained.
“Because it’s a test network, invariably there’s not the same amount of controls and security around it because often it only has dummy data in it.
“Often, they’re internet facing because you need to get the patch or the upgrade or whatever it might be off a vendor or supplier via the internet.
“So that could be a way where the criminals have been able to work their way through and bypass what is otherwise very good security mechanisms”.
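The analysis above and the ABC account describe the same design flaw: an API opened up on the assumption that only authorised company systems would ever reach it, which an internet-facing test network silently defeats. The following is an added example, not Optus code and not a description of its actual API: a customer-lookup handler written two ways. The weak version checks nothing because it trusts reachability; the hardened version requires every caller to present a registered service identity and a valid signature, and caps how many records any one identity can pull. The customer records, the service name, the signing key and the quota are all constructed for illustration.

```python
"""Weak versus hardened internal customer-lookup handler.

Added example (not Optus code). All data and names are constructed.
"""
import hashlib
import hmac
from collections import Counter

# Constructed customer store and the shared secrets of registered internal services.
CUSTOMERS = {
    "7f3a": {"name": "A. Customer", "dob": "1990-01-01"},
    "2c9e": {"name": "B. Customer", "dob": "1985-06-30"},
}
SERVICE_KEYS = {"id-verify": b"constructed-key-for-id-verify"}
DAILY_QUOTA = 2          # deliberately tiny so the cap is easy to exercise
_usage = Counter()       # records retrieved per service identity


def sign_request(service_id, record_id, key):
    """Caller side: HMAC-SHA256 over the service identity and the record requested.

    A production design would also bind a timestamp or nonce (to stop replay) and
    run over TLS; both are omitted here to keep the contrast readable.
    """
    msg = f"{service_id}:{record_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def weak_lookup(record_id):
    """The flawed assumption made concrete: anyone who can reach the endpoint is
    treated as an authorised internal system, so no credential is checked."""
    rec = CUSTOMERS.get(record_id)
    return (200, rec) if rec else (404, None)


def hardened_lookup(record_id, service_id=None, signature=None):
    """Network position grants nothing: the caller must prove a registered identity,
    and even a legitimate identity is limited in how much it can retrieve."""
    key = SERVICE_KEYS.get(service_id)
    if key is None or signature is None:
        return (401, None)                       # unknown caller or no credential
    expected = sign_request(service_id, record_id, key)
    if not hmac.compare_digest(expected, signature):
        return (401, None)                       # forged or mismatched credential
    if _usage[service_id] >= DAILY_QUOTA:
        return (429, None)                       # bulk retrieval blocked for this identity
    _usage[service_id] += 1
    rec = CUSTOMERS.get(record_id)
    return (200, rec) if rec else (404, None)


if __name__ == "__main__":
    print("weak, no credential:", weak_lookup("7f3a")[0])
    print("hardened, no credential:", hardened_lookup("7f3a")[0])
    sig = sign_request("id-verify", "7f3a", SERVICE_KEYS["id-verify"])
    print("hardened, signed by registered service:", hardened_lookup("7f3a", "id-verify", sig)[0])
```

The point is not the particular credential scheme but where the trust decision lives: in the weak handler it lives in the network diagram, so a test network with internet access rewrites it without anyone changing a line of code; in the hardened handler it lives in the request itself, and the quota means a single compromised or misused identity cannot copy a third of the database unnoticed.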
The breach has led to the usual, and well deserved, call for better protection, such as the ABC story “Optus hack renews calls for better protection of customers and their personal data”, which provides:
Following a data breach, Australians are typically told to change passwords and watch for unusual bank transactions — and after the Optus “cyber-attack” was announced on Thursday, the advice was no different.
For some, this emphasis on individual responsibility instead of better consumer protections is wearing thin.
During a media call on Friday morning, Optus chief executive Kelly Bayer Rosmarin apologised to customers and acknowledged it was difficult to provide immediate advice following the incident.
‘Complicated message’
“There isn’t a simple message like update your passwords or talk to your financial institution,” she said.
“On the one hand that’s good news, but on the other, it’s a more complicated message.”
Instead, she advised “heightened vigilance” across government, companies and customers while Optus determines how many customers have been caught up in the incident.
The company said it would individually contact each affected subscriber about what data had been exposed.
Katharine Kemp, an expert in consumer data privacy at UNSW law school, said Australia’s approach to regulating data breaches focuses on notifying those affected, but doesn’t go much further.
Under the Notifiable Data Breaches scheme administered by the privacy regulator, companies must let customers and the privacy regulator know when a data breach is likely to result in serious harm.
“It does mean that we push responsibility down the line to the individual to deal with the fall out,” Dr Kemp said.
“Most of us don’t have a clue how we would do that when you’re dealing with sophisticated actors.”
More help for customers after data breaches
Optus said it became aware of the intrusion into their network on Wednesday and went public a day later.
But for Optus customers, the type of personal information potentially exposed in the incident means there are not many steps that can be taken beyond being on the lookout for scams and abuse of their details.
According to Optus, the actor was potentially able to access personal identifying information such as names and birthdays rather than passwords or credit card numbers, which can be more simply updated.
“It’s not easy to change your date of birth or your name,” said Kate Bower, consumer data advocate at Choice.
“Telcos are an essential service. People have no choice but to share this information with these businesses.”
Companies should bear some responsibility for the administrative burden customers face following a breach, according to Kathryn Gledhill-Tucker, board member of Electronic Frontiers Australia (EFA).
“Contacting banks, monitoring your credit score, updating your fingerprints, these all take time and effort,” they said in a statement.
“Why should we have to spend what little spare time we have cleaning up messes caused by other people?”
In Optus’s media call on Friday, the chief executive said the company was talking to different providers to supply additional support and monitoring, especially to customers who had identification numbers exposed.
Optus has not announced when and how this will be made available.
A ‘cultural shift’ needed
While Optus is still investigating the incident and has not yet detailed how the actor was able to access so much customer information, Kate Bower said she would like to see a “cultural shift” among Australian companies more broadly.
In past decades, there’s been what Ms Bower dubbed a “data grab culture”. In particular, there hasn’t been a strong incentive to minimise the collection of customer data and to delete it when no longer needed.
This is of particular concern following the Optus incident, as information about past customers as far back as 2017 may have been exposed.
“It’s always going to be balanced.
“Obviously, they can’t always delete everything, but it should be a case of deleting everything that they can,” Ms Bower said.
“Those are questions Optus customers will reasonably have in the coming days and weeks.”
Questioned about the loss of password and driver’s licence ID numbers on Friday, the Optus boss said the company is required by law to hold onto identification information for six years.
Optus did not respond to questions about which law Kelly Bayer Rosmarin was referring to, by deadline.
More powers for customers and the privacy regulator
While the full details of the data breach are yet to be known, the incident has also renewed calls for individuals to be given more power to take action following the loss or abuse of their personal data.
The EFA advocates for a private right of action, Kathryn Gledhill-Tucker said.
Currently, Australians aren’t able to sue for serious invasions of privacy.
“When companies fail to protect users and their personal information, there should be consequences that encourage better data handling practices for all companies,” they said.
Ms Bower said the Office of the Australian Information Commissioner needed to be better resourced and given more powers to protect consumers.
“At the moment, the onus is much too much on individuals, who can’t do much but watch and wait,” she said.
The Guardian has dug its way through the submissions to the Attorney General’s review of the Privacy Act and reported on the Optus submission, which opposed changes to the Privacy Act. The report provides:
In its submission to Privacy Act review telco said giving people right to erase personal data would involve ‘significant’ hurdles and costs.
Optus has repeatedly opposed a proposed change to privacy laws that would give customers the right to request their data be destroyed, with the telco arguing there were “significant hurdles” to implementing such a system and it would come at “significant cost”.
On Thursday, the company revealed it had suffered a massive cyber-attack in which the personal information of customers was stolen, including names, dates of birth, phone numbers, email addresses, addresses, and passport and driver’s licence numbers.
Optus began contacting customers whose personal information was compromised in the breach via email and SMS on Friday. It said customers as far back as 2017 may be affected because it is required to keep identity verification records for six years.
The incident has raised questions about how long telcos should be required to keep the data, what obligations they have to protect it and what compensation customers should be entitled to in the case of failures.
Personal information is protected by the federal Privacy Act. In a review of the act launched by the Morrison government in 2020, the attorney general’s department canvassed views on whether people should be given the right to have their personal information erased, as well as increased rights to take direct legal action against companies over breaches.
Optus argued against both changes.
The company said in its submission that implementing a right to erase personal data would involve “significant technical hurdles”, and “significant” compliance costs. The costs would far outweigh the benefits, the company said.
Optus first argued in its 2020 submission that giving consumers the power to take direct legal action over privacy breaches could lead to frivolous or vexatious claims, and would not give people greater control over their personal information.
Any substantial changes to the act would “place a further drag on innovation and limit the benefits of digitisation,” the company said.
In an October 2021 discussion paper, the attorney general’s department formally proposed a direct right to action that would allow customers to seek compensatory damages as well as aggravated and exemplary damages.
In its response in January this year, Optus reiterated its opposition to the proposals, arguing the existing processes for consumer complaints were more “flexible”.
Guardian Australia has asked Optus if it stands by the submissions.
The attorney general, Mark Dreyfus, has indicated his department is in the “final stages” of its review of the Privacy Act.