Optus Data Breach, enter the theorists
September 29, 2022
As a practitioner in the privacy area I find it fascinating to see how a sophisticated telco has done pretty much everything wrong in responding to the data breach. Its original notification was poorly drafted and vague. Getting a CEO to front the media is a real gamble, and it did not pay off. Optus is stubbornly refusing to give any insight into what actually happened. It is possible to provide a broad outline without compromising work being undertaken or any commercial-in-confidence information (and it is difficult to see how the latter applies here). Optus was less than candid about what data was compromised, failing to mention that Medicare numbers were included in the personal information stolen. Optus has been slow in advising its customers what they can do. It has been incredibly miserly in providing assistance through credit reporting. It has grudgingly agreed to pay for the replacement of driver's licences. If it had a data breach response plan, which is doubtful, it was probably drafted by Telstra. It has failed to take control and get ahead of the news cycle and in the process has been attacked from all sides. Much of that is self-inflicted, though there is an element of opportunism in some of the political attacks.
An example of Optus's dreadful communications is its late and seemingly reluctant advice that Medicare numbers had been compromised. It provided a statement only yesterday. It said:
Of the 9.8 million customer records exposed, we have identified 14,900 valid Medicare ID numbers that have not expired. All of the customers who have a Medicare card that is not expired will be contacted within 24 hours. There are a further 22,000 expired Medicare card numbers exposed. Out of an abundance of caution they will also be contacted directly over the next couple of days.
Please be assured that people cannot access your Medicare details with just your Medicare number. If you are concerned or have been affected, you can replace your Medicare card as advised by Services Australia.
Our call centres will not have further information to assist on this matter. We are in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take.
The theft of Medicare numbers causes the public incredible concern. But the reality is that they are not nearly as useful to criminals seeking to commit identity theft as other personal information. Medicare numbers have a specific administrative purpose. They do not open up health records online (which is a terrible idea; people should avoid agreeing to have their health records online). They are not a universal identifier like the US Social Security Number. None of that excuses Optus's failure to disclose promptly that they had been taken.
Nature abhors a vacuum. If Optus is going to retreat into its cave and not advise, even in the broadest terms, what happened, then others will have a go. So the theorists have come on board. The Sydney Morning Herald, in Experts have two theories on how Optus' data was breached, vaguely suggests the ways in which the data may have been accessed. It is as vague as some of the explanations by Optus. It is not a very good analysis, but given Optus's total lack of candour it is not surprising that theories will start to be proffered. It provides:
As Optus weathers the fallout from the damaging data breach that exposed the personal details of 9.8 million customers, questions have been raised about how protected the data was to begin with.
So, how do companies protect the information of their customers?
Let’s start with the basics: Personally identifiable information, or PII, refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
When any sensitive data is stored digitally, it has become common practice to encrypt that information.
The easiest way to imagine encryption is like a box with a lock, says Damien Manuel, chairperson of the Australian Information Security Association.
Data is put into that box. It’s then locked, and only the people who have the algorithms, or keys, can decrypt that information, or unlock that box.
The key to unlocking this box is with an algorithm or piece of code. “Without that key, that data is essentially gobbledygook,” said Bastien Treptel, founder of cybersecurity services company CTRL Group.
Is encryption effective at protecting data?
If it’s done well, yes.
“There’s a cost that the business bears because the more time you encrypt data, the more places you encrypt, the more complex it becomes to manage,” says Manuel.
In 2019, tech company Canva dealt with Australia’s biggest hack: 139 million users’ data was stolen from the company’s system. But unlike Optus, none of the data was usable.
“Yes, it was bad that Canva was breached, but the system was encrypted, so they couldn’t get the information out of that stolen data,” said Treptel.
Can encrypted data ever be decrypted?
If encrypted data falls into the hands of someone who shouldn’t have access to it, it is possible – although unlikely – that they can “unlock” the encryption to make sense of the data.
This is because as technology advances, specific algorithms or techniques used to encrypt data become defunct.
“The gold standard of cryptography a decade ago is no longer acceptable. You wouldn’t even entertain using it,” said Haskell-Dowland, professor of cybersecurity practice at Edith Cowan University.
The problem is, some organisations may not have updated the encryption methods they used when they originally stored a data set, making that data easier to unlock.
Was the Optus data encrypted?
So far, there has been no concrete explanation for how the data breach occurred. Optus chief executive Kelly Bayer Rosmarin told ABC radio on Tuesday that the hack was a “sophisticated attack that penetrated multiple security layers.”
But experts have two theories on how the data was accessed: The first was that while the data was encrypted, Optus used either outdated encryption methods, or there were many people who had access to the interface where the data was stored.
The other alternative is that the data was not encrypted on the interface, which Optus denies.
“It is not the case of having some sort of completely exposed API sitting there”, Bayer Rosmarin said.
But before that, let’s look at where this data was stored: known as an API.
An API, or Application Programming Interface, is a piece of software that allows information to be sent and received between two parties. Instead of having to encrypt and then decrypt the data between those two parties, users can access the API instead.
“We might use an API between two systems where there is a level of trust between them,” Haskell-Dowland said. “This is all perfectly secure because it’s a direct connection from one system to another … They’re heavily restricted and protected – you’ve got all the security controls wrapped around it.”
But, let’s say that there’s a development team working on a new product, and [they] are given access to this API. Suddenly, there are many groups with access to the API, which means there are more chances for the data to be left unlocked.
“The danger lies when you create an API, and then you open [it] up to the internet and that information becomes accessible by people that you don’t want it to be accessed by,” Haskell-Dowland said.
What lessons are we taking away from how data is stored?
Regardless of how the data was breached, experts in the field say that it is in the interest of both organisations and consumers to reduce the amount of personal information that is being stored on a company's internal server.
“In the past, everybody used to think ‘the more data I have, the better off I am’ because you might get some insights, and even monetise that data in some way or give better customer service,” Manuel said.
“We should be thinking of the more data you have, the higher your risk,” he said. “The message should be: only collect the data that you need for the purpose that you need.”
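The two design points the article circles around, an interface that answers anyone who can reach it versus one that checks who is asking and hands back only what that caller needs, are easier to see in code than in prose. The following is an added illustration written for this post; it is not Optus code, it is not from the Herald, and it makes no claim about how the Optus system was actually built. The customer records, scopes and token store are all constructed in-process so the example runs offline; `exposed_lookup` and `hardened_lookup` are hypothetical names for the two patterns.

```python
"""
Added example (not from the article, from Optus, or from any real system):
an in-process model of a customer lookup endpoint in two forms.

  exposed_lookup  - reachable with no credential, returns the whole record
                    for whatever ID the caller supplies.
  hardened_lookup - requires a bearer token bound to one customer and one
                    scope, refuses lookups of other customers, and returns
                    only the fields that scope is allowed to see.

Every record, token and scope below is constructed for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data; no real people, licences or Medicare numbers.
CUSTOMER_RECORDS = {
    "1001": {"name": "A. Example", "dob": "1980-01-01",
             "email": "a@example.invalid", "licence": "00000001",
             "medicare": "0000000001"},
    "1002": {"name": "B. Example", "dob": "1975-06-30",
             "email": "b@example.invalid", "licence": "00000002",
             "medicare": "0000000002"},
}

# Which fields each calling system is allowed to receive. A billing system
# has no business reading licence or Medicare numbers, so they are simply
# absent from the response rather than filtered downstream.
FIELDS_BY_SCOPE = {
    "billing": ("name", "email"),
    "identity-check": ("name", "dob"),
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def exposed_lookup(customer_id: str) -> Response:
    """The pattern the article warns about: no credential, full record."""
    rec = CUSTOMER_RECORDS.get(customer_id)
    if rec is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(rec))


# Token store keyed by SHA-256 of the token, so a leaked store does not
# yield usable tokens and so the lookup does not compare secrets directly.
_TOKENS: dict = {}


def issue_token(customer_id: str, scope: str) -> str:
    """Mint a random bearer token bound to exactly one customer and scope."""
    if scope not in FIELDS_BY_SCOPE:
        raise ValueError(f"unknown scope: {scope}")
    token = secrets.token_urlsafe(32)
    _TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (customer_id, scope)
    return token


def hardened_lookup(customer_id: str, authorization: Optional[str]) -> Response:
    """Authenticate, authorise at the object level, then minimise fields."""
    if not authorization or not authorization.startswith("Bearer "):
        return Response(401, {"error": "missing bearer token"})
    digest = hashlib.sha256(authorization[len("Bearer "):].encode()).hexdigest()
    entry = _TOKENS.get(digest)
    if entry is None:
        return Response(401, {"error": "invalid token"})
    token_customer, scope = entry
    # Object-level check: a valid token for customer A must not read customer B.
    if token_customer != customer_id:
        return Response(403, {"error": "forbidden"})
    rec = CUSTOMER_RECORDS.get(customer_id)
    if rec is None:
        return Response(404, {"error": "not found"})
    allowed = FIELDS_BY_SCOPE[scope]
    return Response(200, {k: rec[k] for k in allowed if k in rec})


if __name__ == "__main__":
    print("exposed, no credential:", exposed_lookup("1001"))
    tok = issue_token("1001", "billing")
    print("hardened, no credential:", hardened_lookup("1001", None))
    print("hardened, billing token:", hardened_lookup("1001", "Bearer " + tok))
    print("hardened, wrong customer:", hardened_lookup("1002", "Bearer " + tok))
```

The point of the hardened variant is not the token mechanics but what the caller never receives: the billing scope cannot obtain a licence or Medicare number no matter what it asks for, which is the "only collect and expose what you need" principle Manuel describes applied at the interface rather than left to policy.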