The Australian Telco Hack Putting Small Businesses at Risk

On September 22nd, Optus, one of Australia’s largest telecommunications providers, disclosed a breach in which up to 10 million customer records were stolen, putting it at risk of becoming the country’s largest.

Optus states that as soon as the breach was detected it contained the intrusion and cut off the attackers’ access. Following the discovery on September 22nd, an attacker posting under the name “optusdata” published a ransom demand on the forum Breached, attaching around 10,000 records as proof that Optus had been compromised. On September 27th, “optusdata” deleted that post along with the data sample.

To date, little has been released about how the breach happened or its root cause, which is not uncommon for a large organization. Given the number of records exposed, the investigation will be tedious, and it will likely take even longer to fully understand the incident.

However, based on an article published by Security Boulevard on October 3rd, it appears that the data was extracted through an exposed API. Worse, it is being reported that the API belonged to a test environment that had access to production customer data and was accidentally exposed to the internet without proper authentication applied. This is an obvious security hole that a standard security procedure like an API penetration test would have detected.

In short, this may not turn out to have been a sophisticated attack. The breach could have been carried out by a “script kiddie” who found the API and used readily available tools to query its endpoints and pull out the data.
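To make the failure mode concrete, here is an added example (not code from the article, from Optus, or from the cited reporting) of the pattern described above: the same customer-lookup API written as a WSGI application once with no authentication, the way a test endpoint might be stood up, and once requiring a bearer token, together with the first check any API penetration test runs: request each endpoint with no credentials and flag whatever still returns data. The customer records, the `/customers/<id>` path shape and the token are all constructed for the example; the article does not describe the real endpoint.

```python
"""Constructed example: an unauthenticated customer-lookup API beside a
hardened version, plus the no-credentials probe an API pentest starts with.
All records, paths and the token below are made up for illustration."""
import hmac
import json

# Constructed sample data; none of these are real people or identifiers.
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1990-01-01", "licence": "DL-000001"},
    "1002": {"name": "B. Example", "dob": "1985-06-15", "licence": "DL-000002"},
    "1003": {"name": "C. Example", "dob": "1978-11-30", "licence": "DL-000003"},
}
API_TOKEN = "example-token-not-a-real-secret"  # assumed, for the demo only


def _respond(start_response, status, body):
    """Serialise a JSON body and emit the WSGI status/headers."""
    payload = json.dumps(body).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def _customer_id(environ):
    """Return the <id> from a /customers/<id> path, else None."""
    parts = environ.get("PATH_INFO", "").strip("/").split("/")
    if len(parts) == 2 and parts[0] == "customers":
        return parts[1]
    return None


def vulnerable_app(environ, start_response):
    """Test-style endpoint: whoever can reach the URL gets the record."""
    cid = _customer_id(environ)
    if cid is None or cid not in CUSTOMERS:
        return _respond(start_response, "404 Not Found", {"error": "not found"})
    return _respond(start_response, "200 OK", CUSTOMERS[cid])


def hardened_app(environ, start_response):
    """Same lookup, but authentication is checked before anything else, so an
    unauthenticated caller cannot even learn which ids exist (always 401)."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(token, API_TOKEN):
        return _respond(start_response, "401 Unauthorized",
                        {"error": "authentication required"})
    cid = _customer_id(environ)
    if cid is None or cid not in CUSTOMERS:
        return _respond(start_response, "404 Not Found", {"error": "not found"})
    return _respond(start_response, "200 OK", CUSTOMERS[cid])


def call(app, path, headers=None):
    """Drive a WSGI app directly with a constructed GET request.
    Returns (status_code, decoded JSON body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.url_scheme": "http"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return int(captured["status"].split()[0]), json.loads(body)


def unauthenticated_probe(app, paths):
    """Pentest step one: hit every candidate path with no credentials and
    return the ones that answer 200 with a non-empty body."""
    exposed = []
    for path in paths:
        status, body = call(app, path)
        if status == 200 and body:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    targets = [f"/customers/{i}" for i in range(1000, 1005)]
    for label, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(label, "exposes without auth:", unauthenticated_probe(app, targets))
```

The probe is deliberately simple; it is the same thing an attacker with a wordlist and a script does, which is exactly why it belongs in a routine test of any externally reachable API. Note that the hardened handler rejects before it looks up the id, so the 401/404 difference does not leak which records exist to an unauthenticated caller.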

If this reporting holds up in the coming weeks, it may well accelerate regulatory changes that have already been proposed. As Reuters and many other outlets have reported, changes to Australia’s consumer privacy regulations are already on the table, and additional regulations and laws may now be passed sooner rather than later.

It is being reported that a 19-year-old was arrested on October 6th after attempting an SMS extortion campaign against the people whose details were in the roughly 10,000-record sample that “optusdata” posted in late September (The Hacker News). This has put additional pressure on government officials, Optus, and Australian banks to protect those whose data was stolen in this breach. In fact, the Australian government is already pushing to create a database of affected individuals that financial institutions can use to help detect fraud or identity theft.

Beyond the initial knee-jerk reactions and conjecture from many politicians and security practitioners, the response to this breach will continue as a slow trickle for some time.

Unfortunately, the data is now out of Optus’s hands. Even if “optusdata” really did delete the trove as reported, that claim cannot be verified, and there is no way for the affected individuals to secure their data again or get it back into trusted hands.

Going forward, all anyone whose data was compromised can do is monitor their credit and identity to try to detect any fraud that may follow.

While new regulations will seek to prevent future breaches of this kind, they will not materially change the events that have already passed.

Adam Hansen