An incognito ransom post has shed light on a cyberattack that exposed the personal information of millions of Optus customers.
An anonymous account, “Optusdata”, posted an extortion threat for US$1 million to the telecommunications company on a popular hacking website. The account asked for the sum to be paid in untraceable cryptocurrency Monero within a week or the dataset would be made available to others for purchase.
The account claims to have the details of 11.2 million users (notably more than the ceiling of 9.8 million users affected, according to Optus) — as well as passport and driver’s licence numbers for 4.2 million of them.
The listing included a sample of users’ data. Crikey was able to verify the data of at least one Optus customer listed. This user’s data is not found in the data breach notification service Have I Been Pwned, suggesting that it has not been previously released in other breaches. Other researchers and outlets have also been able to confirm data with other customers. Taken together, this suggests that Optusdata has been able to access Optus customer data — although this does not substantiate the account’s claim about the scale of the leak.
Optus has not confirmed that Optusdata’s database is real. The company said it has been advised by the Australian Federal Police to not offer further comment.
The account told Crikey that they had not yet heard from Optus. They said they would delete the information if the ransom was paid: “Data will not be sold to criminal [sic] if paid. Data will be destroyed and we can retire. If Optus care about there [sic] customers they should pay money. It is small in compared to there [sic] revenue,” they said in a message.
Ransomware attacks are increasingly common as hackers leverage cyberattacks to extract payments from businesses and organisations. Even though many will pay the ransom (80% according to one survey of Australian businesses this year), there’s no guarantee that attackers would follow through on their promise and delete the data obtained.
How did the Optus cyberattack happen?
Reporting by the ABC’s Andrew Greene and BankInfoSecurity’s Jeremy Kirk suggests that intruders used an application programming interface (API) to obtain Optus’ customer data.
In layman’s terms, an API is a go-between for two different pieces of software. A popular example is weather APIs: most weather apps get condition information from an API belonging to an organisation like the Bureau of Meteorology, which actually collects the data.
In this case, it’s believed that the people behind the cyberattack were able to access an Optus API that did not require someone to log in to access customer data. The suspected API endpoint is offline, meaning there’s no further risk of more information being retrieved.
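To make the failure described above concrete, here is an added example (not code from Optus or from this article) that models a customer-lookup endpoint with no authentication beside a hardened version that checks a caller token, allows each caller to read only their own record, and rate-limits lookups per source IP. The endpoint, token format, secret and customer records are all constructed for illustration.

```python
# Added example: an unauthenticated customer-lookup handler beside a hardened one.
# All names, records and the token scheme are constructed for illustration.
import hmac
import hashlib
import time
from collections import defaultdict

CUSTOMERS = {  # constructed sample records keyed by sequential (guessable) ids
    1001: {"name": "A. Customer", "passport": "PA0000001"},
    1002: {"name": "B. Customer", "passport": "PA0000002"},
}
SECRET = b"demo-secret"  # constructed; a real service would load this from a key store

def vulnerable_lookup(customer_id):
    """The failure the article describes: any caller can fetch any record."""
    return CUSTOMERS.get(customer_id)

def issue_token(customer_id):
    """Hypothetical bearer token that binds a caller to exactly one customer id."""
    tag = hmac.new(SECRET, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"

def _token_subject(token):
    """Return the customer id a token was issued for, or None if it is not valid."""
    try:
        cid, tag = token.split(".", 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SECRET, cid.encode(), hashlib.sha256).hexdigest()
    return int(cid) if hmac.compare_digest(tag, expected) else None

_hits = defaultdict(list)          # source IP -> timestamps of recent requests
RATE_LIMIT, WINDOW = 5, 86400      # at most 5 lookups per source IP per day

def hardened_lookup(customer_id, token, source_ip, now=None):
    """Rate-limit, authenticate, then authorise (own record only). Returns (status, record)."""
    now = time.time() if now is None else now
    recent = [t for t in _hits[source_ip] if now - t < WINDOW]
    if len(recent) >= RATE_LIMIT:
        _hits[source_ip] = recent
        return 429, None           # counted before auth so failed guesses also burn the budget
    _hits[source_ip] = recent + [now]
    subject = _token_subject(token)
    if subject is None:
        return 401, None           # no valid credential presented
    if subject != customer_id:
        return 403, None           # valid caller, but not this record: blocks enumeration
    return 200, CUSTOMERS.get(customer_id)
```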
What happens when millions of Australians have their data leaked?
Optus has contacted all of those caught in the leak. They’ve been advised to watch for phishing attempts and suspicious transactions. These responses place the onus on the individual to be responsible for managing their own harm. Plus individuals have little chance of legal recourse as Australia does not have a statutory tort of invasion of privacy. Unfortunately for them, many of the details in the leak are difficult or impossible to change. That leaves them exposed in the future to these risks.
What of the broader implications for Australia? Governments, businesses and organisations use personal identifying information (PII) to verify people’s identities. The release, or the threat of the release, undermines current systems built on existing standards of verification.
University of Canberra Associate Professor Dr Bruce Baer Arnold said it’s unlikely governments will re-issue passports, driver’s licences and other identity documents.
“They are not set up to engage in what approaches population scale re-regulation,” he said.
Australian National University’s Dr Liz Allen told Crikey there are questions about data integrity and the social licence of future data collection, such as the census. Right now, banks have reportedly stepped up monitoring for suspicious activity in response, while Optus is requiring customers to come into their stores to carry out transactions.
What can we do to stop the next Optus hack?
The government’s Home Affairs and Cybersecurity Minister Clare O’Neil is set to announce reforms that would allow telcos to inform banks about privacy breaches, a move currently prevented under existing privacy protections. The Coalition’s opposition spokespeople Karen Andrews and James Paterson want to introduce new offences for cyber extortion and ransomware activities. The attack will intensify interest in the results of the long-running Privacy Act review, which are set to be released later this year.
One of the major public policy issues that have emerged from the Optus cyberattack is the question of how much data companies are required to keep — and how much they’re actually keeping. The data held by Optus included many forms of PII data going back as far as 2017, including for former customers.
University of Queensland’s Brendan Walker-Munro said that hyper-collection of data is a common issue with companies.
“We need to start asking these companies why they need to collect and store this information,” he said.
Some have been quick to point the finger at regulation for the amount of data held by Optus. The ABC quoted a “long-serving telecommunications insider” saying as much: “It annoys me that people think Optus and others want this data — it’s necessary for metadata laws — we don’t”.
But the volume and types of data held by the telco go beyond what it is required to keep. This means it’s not just an issue of regulation forcing too much retention; it’s also about the data practices of big companies that have little incentive to treat customers’ private details with care.
Whether or not Optus customer data ends up being sold online, the cyberattack will leave a lasting impact on the millions of Australians who will always fear its release. The question is whether policymakers will seize this opportunity to reform regulations to ensure that something this potentially harmful doesn’t happen again.
“Plus Optus hadn’t encrypted this data”
This, to me, is a criminal error. Considering how trivial it is to do this, the lack of it is an absolute disgrace. If nothing else, any senior IT staff remotely involved in this should fall on their swords.
Perhaps they had encrypted it — on disk — but it would have to be decrypted for supply by their API, which is how this data was accessed. The data was almost certainly encrypted while traveling over the internet, using HTTP TLS of some sort (not weak). The failure, apparently, was the lack of authentication required for access. This would seem to be a critical failure, but security is hard, and much of the web and web infrastructure (of which APIs like these are a part) are designed for public access, and probably default to public access. Adding authentication on top is usually an extra step. Authentication is a hard problem.
No. There are NO EXCUSES for leaving a publicly accessible internet-facing API open for ANYONE to copy the identity documents of 10 million Australians. This is a basic and fundamental function for ANY organisation holding user data, especially one in critical infrastructure.
Perhaps, though the data shouldn’t be exposed through an API without authentication. It’s the sort of thing a penetration test should have picked up in a lower environment before the API was allowed to get into production.
It makes me wonder if there are emails that exist of someone in IT security warning of this risk to their bosses.
Even just rate limiting would have helped. What reason could there be for allowing access to more than one customer’s data per source IP address per day?
Well, that depends on what the purpose of the API was. If it was for a customer portal, maybe. If it’s for phone shop franchises, that’s a very different proposition. But yes, properly configured log monitoring might have picked this up, but we don’t really know whether this was 10M records downloaded in a deluge, or something that has been quietly extracting these records at a slow enough rate to not trigger an alert. There are still just too many unknowns.
Collecting personal data for third party analysis via (quietly) paid access?
That line struck me as an error on the author’s part. If the attack came through use of an API, then the question of whether the source data are encrypted or not is pretty moot. It may well be, as may be the API traffic/endpoint, but the results of that call are going to be readable, because of course they are. It’s the lack of authentication on the API that’s completely unacceptable.
Not as simple as that – if you have some API that returns user data – for instance the “My Details” option on their website – even if the data on disk and the data in transit are encrypted the stuff you (or someone impersonating you) will see is the unencrypted data – “My Details” is pretty useless otherwise.
This is why banks only show you the last 4 digits of your credit card no matter what.
https://www.zdnet.com/article/optus-gained-exemption-to-store-metadata-unencrypted/
July 2019:
Translation – they didn’t want to spend time & money upgrading their legacy systems.
Everyone involved in that decision should never again be allowed to work in IT!
Thanks for the research.
Actually — this was an error on my part. API access needs the data to be decrypted (otherwise there’s no point in accessing the API). I’ve updated this.
Ah, fair enough.
As an aside, I wonder what business critical function an API that exposed everyone’s private data was used for legitimately. That sort of thing surely raised huge red flags in any security audit. Like as in critical issues.
Agree there: likely a second level of failure in the API design, having “record identifiers” that were trivially guessable or discoverable, such as a sequence of integers.
The key point here is that they accessed the data THROUGH AN UNSECURED INTERNET FACING API!!!!!
You can’t even call it a hack. Optus left the door open and unsecured.
This is unbelievably shocking and suggests management is utterly unfit to be running an organisation with such important data.
Also, it misses the point to say all is good now that the API is no longer unsecured. Who knows what other security issues Optus has given it will leave such data open and unsecured for anyone on the internet to access.
Time we had something like Europe’s GDPR. Something with real teeth, that also protects the end customer’s rights.
And it has significant penalties: EUR10 million or 2% of global turnover, whichever is HIGHER, for the first breach, and EUR20 million or 4% of global turnover for subsequent breaches. Serious fines designed to make companies protect data with some significant rigour.
We don’t. The lesson of hacks in the US is that it is but a minor hiccup in company share price. Sometimes there is a penalty/fine. But nothing that causes the company to change its ways. Trying to force companies to live to a higher standard will either cause Australian businesses to not be competitive on the global stage or simply drive up cost to the consumer.
Further, and less cynically, companies will rightly continue to focus on initial security and backups/DR planning to deflect or recover from a hack. But hacks will invariably happen again, despite their best efforts or any regulation you care to inflict upon them.
The solution seems to be to ensure that the data collected is not sufficient, unfortunately. We need to move to two-factor authentication – the “something you are” being the critical point. The ubiquitous use of face recognition, fingerprint scanning, etc. on trusted (phone) platforms may be the way forward.
Collecting less data, deleting data that is no longer used… well, the boat has sailed on that, as mentioned in this article. Metadata laws have our hands tied, and the government isn’t going to take a step backward on that.
‘We need to move to two-factor authentication – the “something you are” being the critical point. The ubiquitous use of face recognition, fingerprint scanning, etc. on trusted (phone) platforms may be the way forward.’
Hmmm, I’d like to see how MFA will work for integrations like this via an API. From what I heard the test network, which was less secure, was inadvertently exposed to the public network. Wouldn’t be the first time that happened. I’ve seen test emails sent to live customers because we forgot to change the email server address. Whoops!
Nothing positive or helpful from Andrews and Paterson. Their suggestions will have impact on the mainly overseas hackers.
I presume you meant “no impact.”
For what it’s worth, I’m pretty sure the ransom note was written by a non-native English speaker.
The “I can retire” was a bit of a giveaway too. Who could retire on a million and be crowing about it in Australia, hey?