ITP Techblog

Australian mobile network operator Optus said yesterday it had narrowed the number of customers worst affected by a major breach of its systems to 2.1 million people.

The telco on September 22 reported to the Federal Police that 9.8 million current and inactive accounts of mobile and broadband users, effectively representing 40% of Australia’s population, had been breached by hackers in what is considered to be Australia’s largest data breach to date.

If that wasn’t bad enough, it emerged that in addition to names, birthdates, home addresses, phone and email contacts, all information sought after by hackers for use in fraud schemes and identity theft, many accounts had passport and driver’s licence details breached too.

Optus CEO Kelly Bayer Rosmarin in the midst of a PR crisis

In the days following the hack, the usual ransom requests appeared online with the details of 10,000 Optus account holders being posted to the web at one point. However, the hackers then deleted the database, seemingly unnerved at the scale of the response to the hack.

Optus now says that 1.2 million customers need to look at replacing their identification documents, with 900,000 additional accounts featuring outdated ID details. Optus also revealed that consultancy firm Deloitte will undertake a forensic assessment of the breach as part of an external review ordered by Optus CEO Kelly Bayer Rosmarin.

“This review will help ensure we understand how it occurred and how we can prevent it from occurring again,” she said yesterday in a video update on the Singtel-owned telco’s response to the data breach.

“It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyber attack exists.”

Optus hasn’t revealed the cause of the data breach other than to say that it was “sophisticated” in nature.

But the forensic assessment could serve to be a very useful exercise to inform an often overlooked area of information security involving the APIs (application programming interfaces) that many organisations rely on to feed information between their software applications.

APIs are incredibly useful, but if they are not configured properly, they can lead to unauthorised access to data. Adam Fisher, a solutions architect at US-based cybersecurity company that specialises in API security, told Info Security magazine that an API error likely caused the Optus breach.

“We frequently see internet devices suffer this kind of breach pattern in our work with companies. APIs may be unauthenticated, as in this case, or could be using very simplistic authentication, such as the default basic authentication, which can be easily breached,” he said.

“Telcos and ISPs must adopt strong authentication to protect their devices. In addition, they must understand that the risk of unauthenticated APIs extends beyond data exfiltration.

“Attackers can do more damage than just exploiting the vulnerability to take over user accounts. They can also gain access to all device data that a device may be entitled to access. This exposes them to far greater risks. If a telco’s network equipment can be exploited, an attacker could assume control of the whole network,” Fisher added.

The Deloitte assessment will ultimately flush out the exact cause of the breach, which may have been exacerbated due to customer data not being stored in encrypted form.

In the meantime, Fisher has three key pieces of advice regarding API security:

• Monitor the OWASP API Security Top-10 list, the go-to resource for updates on API security vulnerabilities (62% of all API attack attempts use at least one of the security vulnerabilities listed there).
• Makes sure that API security measures are communicated across the entire organisation. “For example,” says Fisher, “Infrastructure teams may assume that the development team has already managed authentication requirements. They may believe that the API has already gone through a security review when, in fact, it hasn’t.”
• Invest in dedicated API security so that APIs can be constantly monitored for deviations in behaviours that could indicate an attack.

There's another lesson in the Optus data breach the telco's management needs to learn about how to avoid a public relations disaster by responding to a data breach with adequate haste and diligence.