The Optus Hack - A look back at what happened.
How did almost half of all Australians lose their data?
Introduction
On the 22nd of September 2022, Australians woke up to a new world. It wasn’t the pandemic, nor was it war in Europe. It was Optus. The second-biggest Australian telecom provider had just reported a massive data breach. Around 40 percent of Australia’s population had just had their private information stolen, including passport and driver’s licence numbers, addresses, and phone numbers [1].
It only got better from there: Optus claimed, and has maintained since, that the breach was sophisticated [2]. The Australian government, however, said the breach occurred because of poor security practices at Optus [2].
With these huge losses and conflicting claims for the cause of the breach, we decided to investigate.
If you like this kind of content, please like, subscribe, and share to help with the almighty algorithm.
Background
Before we get into what happened, we need to answer a question: how did Optus come to hold the data of 10 million Australians (not just adults, but everyone) when its share of the market is only 31% [3]?
The answer is not obvious.
In 1988 the Australian government introduced the hundred-point check to prevent fraud, and over time the ACMA extended it to mobile phone contracts. The hundred-point check involves providing a primary document worth 70 points and secondary documents worth 40, 35, or 25 points depending on the information they contain [4]. Only one primary document can be provided; the rest must be secondary documents, for a total of at least a hundred points. According to the Attorney-General’s Department, these documents only need to be sighted once and do not need to be stored.
Further, under Australia’s privacy laws and the guidelines set out by the Office of the Australian Information Commissioner (OAIC), personal data must be de-identified or destroyed once the company no longer has a use for it. At the time of the breach, the maximum penalty for each serious or repeated breach was 2.2 million dollars.
Optus stored these documents and did not delete them even when a customer left Optus. This is why Optus leaked the data of 40% of Australians despite a market share of only 31%, and it would indicate that Optus was, and is, in breach of privacy law. However, it is up to the Commissioner to pursue penalties, and the Commissioner has, interestingly, decided not to.
Beyond Optus, we have to ask: is it only Optus that is storing personal and private information beyond an acceptable timeframe, or is this common practice?
The Attack:
We have established that Optus was a juicy target, which gives us the motive for why it was attacked. We now need to understand how the attack was carried out and which vulnerability was exploited.
What we know is what we have been able to piece together from publicly available information.
Our first indication that Optus had been hacked was a post on BreachForums demanding a ransom of US$1 million [6]. On the 26th the attacker demonstrated that they weren’t bluffing by releasing 10,000 records, including passport numbers, licence numbers and other details [5]. Unlike other attacks of this nature the demand was small, and the hacker was keen to talk to journalists.
The hacker claimed that there was an unauthenticated endpoint that could be enumerated, and that it returned personal and private information [6]. That sounds complex, but what it actually means is as follows.
According to the attacker, Optus left an API endpoint that returned customer information exposed to the internet. To access it, all you had to do was type the URL into the address bar. That URL carried a couple of query fields, including one called customer ID. Enumerating this field means incrementing it one by one; each ID corresponds to a different customer, so a simple loop walks the whole customer base. The API lacked both authentication (is this caller logged in at all?) and authorisation (is this caller allowed to see this customer’s record?), the two checks that would have limited each customer to their own data. In the trade this is known as an insecure direct object reference (IDOR).
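To make the attacker’s description concrete, here is an added illustration (our own code, not anything from Optus or from the reporting) of a customer-lookup endpoint with the flaw described above, next to a hardened version. The endpoint shape, the `customerId` parameter name, the session layout and the three customer records are all constructed for this example.

```python
"""Added illustration, not Optus code: a customer lookup that lacks
authentication and authorisation (the enumerable endpoint described
above) next to a hardened version. Endpoint name, parameter name,
session layout and the customer records are constructed for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    passport_no: str


# Constructed sample data standing in for the customer database.
# Note the sequential integer IDs: that is what makes enumeration trivial.
CUSTOMERS: Dict[int, Customer] = {
    1001: Customer(1001, "Alice", "PA1234567"),
    1002: Customer(1002, "Bob", "PB7654321"),
    1003: Customer(1003, "Carol", "PC1111111"),
}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not authorised."""


def vulnerable_lookup(params: Dict[str, str], session: Optional[dict]) -> Optional[Customer]:
    """Vulnerable: whoever can reach the URL gets whichever record they ask for.

    The session is accepted but never checked, so ?customerId=1001 returns
    Alice, ?customerId=1002 returns Bob, and an attacker can walk the table
    simply by incrementing the number.
    """
    return CUSTOMERS.get(int(params["customerId"]))


def hardened_lookup(params: Dict[str, str], session: Optional[dict]) -> Optional[Customer]:
    """Hardened: authenticate first, then authorise against the caller's own ID.

    The ID in the query string is untrusted input; it must match the identity
    established at login, otherwise the request is refused. Unauthenticated
    callers are refused before the parameter is even parsed.
    """
    if not session or "customer_id" not in session:
        raise Forbidden("authentication required")
    requested = int(params["customerId"])
    if requested != session["customer_id"]:
        raise Forbidden("record does not belong to the authenticated customer")
    return CUSTOMERS.get(requested)


def enumerate_records(lookup: Callable[..., Optional[Customer]], start: int, stop: int,
                      session: Optional[dict] = None) -> List[Customer]:
    """Simulate the attacker's loop: request every customerId in [start, stop)
    and keep whatever the endpoint hands back."""
    found: List[Customer] = []
    for cid in range(start, stop):
        try:
            record = lookup({"customerId": str(cid)}, session)
        except Forbidden:
            continue
        if record is not None:
            found.append(record)
    return found


if __name__ == "__main__":
    # No session at all: the vulnerable endpoint dumps every customer it holds.
    print(len(enumerate_records(vulnerable_lookup, 1000, 1010)))  # 3
    # Same loop against the hardened endpoint, logged in as Bob: only Bob's record.
    bob = {"customer_id": 1002}
    print([c.name for c in enumerate_records(hardened_lookup, 1000, 1010, bob)])  # ['Bob']
```

Two things are worth noticing. First, the fix is not “hide the URL”: the hardened version refuses unauthenticated callers outright and then ties the requested ID to the identity in the session, so even a logged-in customer cannot read a neighbour’s record. Second, replacing sequential integers with random, unguessable identifiers would slow an enumeration down, but it is not a substitute for the authorisation check, because a leaked or shared link would still hand over the record.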
Attack Detection:
Optus detected the attack on the 20th, when its platforms raised alerts about anomalous activity. We do not have any public information on what went on in Optus’s war rooms; we can only speculate that everyone was pulling their hair out.
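We do not know what Optus’s alerting actually looked at, so as an added example (our own code, not Optus’s detection logic) here is the kind of check that catches an ID-enumeration run in ordinary web-server access logs: one client pulling many distinct customer IDs in a short window, with a flag for the tell-tale consecutive-ID pattern. The log format, the IP addresses, the timestamps, the thresholds and the window size are all assumptions made for this illustration.

```python
"""Added example, not Optus's detection logic: flag customer-ID enumeration
in constructed access-log lines. Log format, IP addresses, timestamps and
thresholds are assumptions for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (common-log-style, with the query string kept).
# 203.0.113.7 walks five consecutive IDs in five seconds; 198.51.100.4 is a
# normal customer re-loading their own record a few minutes apart.
SAMPLE_LOG = """\
203.0.113.7 [21/Sep/2022:10:00:01 +1000] "GET /api/customer?customerId=1001 HTTP/1.1" 200
203.0.113.7 [21/Sep/2022:10:00:02 +1000] "GET /api/customer?customerId=1002 HTTP/1.1" 200
203.0.113.7 [21/Sep/2022:10:00:03 +1000] "GET /api/customer?customerId=1003 HTTP/1.1" 200
203.0.113.7 [21/Sep/2022:10:00:04 +1000] "GET /api/customer?customerId=1004 HTTP/1.1" 200
203.0.113.7 [21/Sep/2022:10:00:05 +1000] "GET /api/customer?customerId=1005 HTTP/1.1" 200
198.51.100.4 [21/Sep/2022:10:00:06 +1000] "GET /api/customer?customerId=2042 HTTP/1.1" 200
198.51.100.4 [21/Sep/2022:10:05:00 +1000] "GET /api/customer?customerId=2042 HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /api/customer\?customerId=(?P<cid>\d+) [^"]*" (?P<status>\d{3})$'
)

Event = Tuple[str, datetime, int, int]  # (client ip, timestamp, customer id, status)


def parse(log_text: str) -> List[Event]:
    """Parse lines matching the assumed format; anything else is skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, int(m["cid"]), int(m["status"])))
    return events


def detect_enumeration(events: List[Event],
                       window: timedelta = timedelta(minutes=1),
                       min_distinct: int = 5) -> Dict[str, dict]:
    """Return {ip: details} for clients that successfully fetched at least
    `min_distinct` different customer IDs within any `window`-long span.

    `sequential` is True when those IDs form an unbroken run (1001, 1002, ...),
    the signature of someone incrementing the parameter in a loop.
    """
    by_ip: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ip, ts, cid, status in events:
        if status == 200:  # only successful reads disclose data
            by_ip[ip].append((ts, cid))

    alerts: Dict[str, dict] = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so that hits[start:end+1] all fall within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ids = sorted({cid for _, cid in hits[start:end + 1]})
            if len(ids) >= min_distinct:
                sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
                alerts[ip] = {"distinct_ids": len(ids), "sequential": sequential}
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for ip, details in detect_enumeration(parse(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {details}")
```

The point of counting distinct IDs per client, rather than raw request volume, is that a legitimate customer hammering their own page never trips it, while an enumeration run is flagged within seconds regardless of how slowly it is paced, as long as the window and threshold are tuned to the service’s normal behaviour.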
The Response:
When Optus became aware of the issue it reached out to the government and publicly announced the hack. It also asked Mandiant to investigate the breach. Beyond that, under government pressure, Optus promised impacted customers one year of free credit monitoring and offered to cover the cost of replacing passports and licences.
On the government side of the fence, the Minister for Home Affairs and Cyber Security, Clare O’Neil, had to step in to lead the response as Australian laws were not “fit for purpose” [7]. The ACSC is continuing to investigate the attack. The minister has, however, stated that the attack was basic and that Optus had “effectively left the window open.”
The Fallout:
At this time no fines have been levied, but it is expected that Optus will face them, and Optus is also facing a class action lawsuit. Beyond the financial penalties, Optus has suffered a severe reputational loss; estimates of the damage range from $120 million to $1.2 billion, and there have been reports of significant customer exits. Optus has not revealed whether there has been a large impact on its bottom line, and we expect to see this at the end of the financial year.
Learnings:
Companies have learned little from the Optus saga. Optus’s CEO has continued to state that the attack was complex, which rings hollow when the minister for cyber security considers it simple. This indicates a lack of care for the pain and suffering that Optus’s customers and former customers have faced.
Beyond Optus, Medibank saw the leak of sensitive health information, including records of abortions and similar procedures. Then Latitude suffered an attack that saw the leak of the personal information of 14 million people. Australia has a population of 25 million, of whom only 19 million are adults, so Latitude’s 14 million alone is nearly three quarters of the adult population. The attacks get larger every time, and the only way to stay safe is to follow the steps we lay out.
References
[1] https://www.bbc.com/news/world-australia-63056838
[2] https://www.abc.net.au/news/2022-09-26/home-affairs-minister-blames-optus-for-cyber-attack-hack/101474636
[3] https://www.statista.com/statistics/769829/australia-optus-s-retail-market-share-of-mobile-handset-services/
[4] https://www.acma.gov.au/acmas-rules-id-checks-prepaid-mobiles
[5] https://www.afr.com/technology/inside-the-optus-hack-that-woke-up-australia-20221123-p5c0lm
[6] https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142
[7] https://www.unsw.edu.au/news/2023/03/australia-to-overhaul-cyber-security-laws--the-legal-implication