Optus Data Breach: What We Know and What We Can Learn
By Ez Yiap – Cyber Security Consultant (GRC) and Assistant Trainer for the Institute of Data’s Cyber Security Programme.
An IOD alumni who pivoted into cyber security, Ez now helps organisations assess and strengthen holistic cyber security. Ez is passionate about contributing and coaching in the cyber security community.
There’s been a lot of talk in the news lately about the Optus data breach. If you’re with Optus, you’re probably wondering what it means for you.
In this article, we’ll break down everything you need to know about the Optus hack, including what happened, who was affected, and how to protect yourself from future attacks.
What the Hack Happened?
A threat actor(s) managed to access the personal details of millions of Optus customers. Unfortunately, this breach of data doesn’t just impact current Optus customers. Anyone who’s had an account with Optus in the last seven (7) years has likely had their personal data accessed by hackers. As the fallout continued over the past week, updates report that former Virgin Mobile and Gomo (prior Optus subsidiaries) customers may also be impacted in the breach, widening the net of Australians caught.
Data exfiltrated from Optus was seen via a dark web forum post to include customers’ full names, date of birth, addresses, phone numbers, email addresses, driver’s license numbers, passport details and Medicare information.
Pictures and reports focusing on the dark web forums proved that Optus was subjected to a ransom for the data exfiltrated. However, in an interesting turn of events, the forum user with the data advised later, citing the public nature of the incident, that they were withdrawing the ransom demand and apparently deleting the data. It will be impossible to know if all the Optus data has been deleted or not already sold or passed on elsewhere. Optus has stated it did not pay any ransom.
While Optus has said no customer payment information has been compromised, the personally identifiable information (PII) that has been released leaves Optus customers at risk of serious issues such as identity theft and fraud, along with the increased threat of phishing and targeted scams.
Optus has since notified all those affected and offered them free credit monitoring services. They’ve also advised all customers to change their passwords as a precautionary measure. Just over a week on, Optus is even publicly apologising in full-page newspaper ads. But is this enough?
How was Optus hacked?
The exact details of how the cyber-attack on Optus went down have not yet been released. With the ongoing investigation and the Australian Federal Police (AFP) now involved, it may be a long time before the specifics are revealed, if at all.
Several reports, tweets and articles point to the strong likelihood of the cyber-attack resulting from an open Application Programming Interface (API). This software gateway permitted public access to an Optus customer database containing the sensitive PII of millions of customers.
This misconfiguration is considered by many as very serious and possibly negligent, given its simplicity in standard secure development practices. Speculation exists that the API may not have undergone careful secure development lifecycle practices such as a secure code review. It is even possible that penetration testing was not performed on the API, as a simple attack for unauthorised access would likely have been one of the findings.
Optus did not realise the attack was underway until a significant spike in traffic was flagged on the API providing an indicator of compromise and data exfiltration. Optus reportedly shut down the API connection, ceasing data exfiltration and removing threat actor access. Optus has since advised that the hack originated using European IP addresses and that multiple moving IP addresses are extremely difficult to locate the specifics of.
Optus has faced criticism for its stagnant cyber security maturity and resource efforts, despite parent company Singtel also owning the computer security company Trustwave that runs SpiderLabs, a specialised breach investigation, ethical hacking (penetration testing) and threat intelligence team.
What is an Open API?
APIs are used to allow different pieces of software to communicate with each other. Users commonly see APIs in ways where an application (app[s]) needs information from a particular source to provide its overall function or a component of functionality, but it doesn’t have that data itself.
You can take the example of weather apps where the Bureau of Meteorology API is used to pass weather data to the app that displays it and provides features like forecasts, time of rain alerts, UV index etc. Another example is when a website or application connects to the Spotify music database via a Spotify API to provide functions like a Spotify player or playlist working within the website.
APIs that are designed to provide access to sensitive information should never be made public or, in other words, be left open. Just like secure web application development means following industry-standard development against frameworks like the Open Web Application Security Project (OWASP) and National Institute of Standards and Technology (NIST), so do APIs.
OWASP publish a security top ten that all APIs should undergo testing against as a minimum before being put into production. Number seven on the list is Security Misconfiguration.
What Should You Do if You’re Affected by the Optus Hack?
So, if you’re one of the unlucky ones who had your personal information compromised, what can you do?
Well, the first thing is to change your passwords. And not just for your Optus account, but for any other account that uses the same password. If you are not in the habit of switching up passwords routinely and using different passwords for your accounts, there is no time like the present. This is an excellent opportunity to come up with some new, stronger passwords that are difficult to guess.
As a general rule, the best kind of password is long and strong. Using a cypher or a string of familiar words (passphrase) in varying alphanumeric characters can be a valuable way to create stronger passwords that aren’t as easily compromised by activities like brute force attacks.
You should also keep an eye on your credit report and report any suspicious activity to your credit bureau.
Finally, keep an eye out for any phishing emails or calls that might be related to the Optus hack. If you receive anything like this, don’t open it or reply; just delete it. Optus has said they won’t be sending out emails containing any links, so keep that in mind and don’t click on anything you’re not certain about.
Australians may be eligible for a replacement driver’s license and passport, depending on state jurisdictions, and assistance continues to develop with strong consumer and political pressure on Optus to foot the bill.
Check with your transport authority if you are eligible for a replacement driver’s license, and the process to pursue this as it will likely be a long one given the volume of impacted Australians. For all those eligible, a new license and passport are the best precaution possible.
How to Protect Yourself From Future Hacks
In the world we live in, cyber-attacks are a reality everyone needs to be prepared for. In a case like this, where huge organisations have access to such personal user data, it was only a matter of when, not if. But it is a valuable lesson to prioritise cyber security, both for consumers and companies.
Here are the best tips to keep yourself and your information as protected as possible:
- Create and use complex passwords/passphrases.
- Use a password manager solution to assist in the generation of complex passwords, get advice on the strength of your passwords, alerts on password reuse and to vault your passwords on multiple devices.
- Avoid using public Wi-Fi networks whenever possible. A virtual private network (VPN) solution can help by encrypting network traffic if you need to use an unsecured network.
- Regularly check your email against known data breaches on websites like www.haveibeenpwned.com
- Enable two-factor or multifactor authentication on all accounts where possible. Most financial institutions and large organisations you are billed by (utility, telecommunications, shopping etc.) have this facility. You can link multiple steps for verification or to an authentication app like Google Authenticator.
- Limit the data you provide to service providers to only that absolutely necessary to sign-up or engage with them. Be wary of online sign-ups that collect details. Many organisations are required to provide customers with the right to have their accounts and associated data deleted upon request. This is a safe practice when ceasing to use a service we should all utilise as it is often as simple as an email request or check box when closing an account.
What will Optus do to prevent future hacks?
So what’s Optus doing to make sure this doesn’t happen again?
Optus has not provided the details of its increased security measures, but you can sure bet that budget and resources towards cyber security and privacy have increased. With a close eye on the long-term impacts, Optus will be looking to improve cyber security across people, process and technology.
Facing possible class action lawsuits, large fines, financial and reputational impacts, and government scrutiny are all consequences that the public has to hope mean Optus will tighten its cyber security programme. This is not the first time Optus has been subject to a data breach, and typically the way it goes means this will not be the last.
It doesn’t take years to be proactive about cyber security. Learning the foundations and key skills is possible for everyone from all sorts of backgrounds. You may be interested in ensuring your personal cyber security or that of the organisation you work for. Or you may want to join the frontline preventing, defending and responding to cyber security incidents. Institute of Data’s Cyber Security Programme provides the job-ready skills and industry connections for anyone to get started today.