On the 22nd of September 2022, Australian telecommunications company Optus reported that it had experienced a cyber breach affecting nearly 11 million customers, which may make it the worst cyber attack in Australia’s history. Details of the attack are still emerging; however, it has taken a couple of twists in the weeks since it was reported, and there are some early indicators as to what occurred.
Details of the Optus attack are generally sparse. Optus described the breach as ‘sophisticated’. However, journalist Jeremy Kirk reached out to the purported hacker, who commented that the breach was via an unprotected API endpoint. Reading between the lines of the Twitter thread posted by Kirk, it seems the hacker iterated through a parameter that selected customer records, with each value returning a different customer’s record.
If there was no authentication or authorisation required to interact with the API, as the hacker claims, then this would have been a trivial attack that could have been carried out with automated tools: an insecure direct object reference (IDOR) on a predictable identifier, harvested by simply counting upwards. It is the kind of weakness a penetration test should normally identify, and it raises further questions about the cyber security approach at Optus.
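To make the pattern concrete, the following is an added example and not Optus code or anything taken from Kirk’s thread: a minimal model of a customer-lookup endpoint keyed on a sequential customer ID in its unprotected form and in a hardened form, the enumeration loop an automated attacker would run against each, and a small detector that flags sequential ID enumeration in web-server access logs. The customer records, session tokens, URL path `/api/customer/<id>` and log lines are all constructed for illustration; the real parameter and path used in the breach are not public.

```python
"""Added example: unauthenticated record enumeration (IDOR) versus an
authorised lookup, plus detection of enumeration in access logs.
All data below is constructed; nothing here is Optus code."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed customer records keyed by a sequential ID. Assumption: a
# sequential integer is the worst case for enumeration.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "passport": "N1234567"},
    1002: {"name": "B. Example", "dob": "1975-05-05", "passport": "N7654321"},
    1003: {"name": "C. Example", "dob": "1990-09-09", "passport": "N1112223"},
}

# Constructed session store: bearer token -> authenticated customer ID.
SESSIONS = {"tok-b": 1002}


@dataclass
class Response:
    status: int
    body: Optional[dict]


def lookup_unprotected(customer_id: int) -> Response:
    """The vulnerable pattern: no authentication and no authorisation.
    Any caller can walk the ID space and harvest every record."""
    rec = CUSTOMERS.get(customer_id)
    return Response(200, rec) if rec else Response(404, None)


def lookup_hardened(customer_id: int, token: Optional[str] = None) -> Response:
    """Hardened pattern: authenticate the caller, then authorise the object.
    A caller may only read its own record. A foreign ID returns 404, the
    same as an unknown ID, so the endpoint does not reveal which IDs exist."""
    caller = SESSIONS.get(token) if token else None
    if caller is None:
        return Response(401, None)
    if caller != customer_id:
        return Response(404, None)
    rec = CUSTOMERS.get(customer_id)
    return Response(200, rec) if rec else Response(404, None)


def enumerate_ids(handler: Callable[..., Response], start: int, stop: int,
                  **kw) -> Dict[int, dict]:
    """What an automated attacker does: iterate the parameter and keep
    whatever comes back with a 200."""
    hits = {}
    for cid in range(start, stop):
        r = handler(cid, **kw)
        if r.status == 200:
            hits[cid] = r.body
    return hits


# Constructed access log in combined format. 203.0.113.7 walks six
# consecutive IDs; 198.51.100.9 makes two unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2022:10:00:01 +1000] "GET /api/customer/1001 HTTP/1.1" 200 412
198.51.100.9 - - [22/Sep/2022:10:00:01 +1000] "GET /api/customer/1002 HTTP/1.1" 200 398
203.0.113.7 - - [22/Sep/2022:10:00:01 +1000] "GET /api/customer/1002 HTTP/1.1" 200 398
203.0.113.7 - - [22/Sep/2022:10:00:02 +1000] "GET /api/customer/1003 HTTP/1.1" 200 405
203.0.113.7 - - [22/Sep/2022:10:00:02 +1000] "GET /api/customer/1004 HTTP/1.1" 404 0
203.0.113.7 - - [22/Sep/2022:10:00:02 +1000] "GET /api/customer/1005 HTTP/1.1" 404 0
198.51.100.9 - - [22/Sep/2022:10:00:03 +1000] "GET /api/customer/1005 HTTP/1.1" 404 0
203.0.113.7 - - [22/Sep/2022:10:00:03 +1000] "GET /api/customer/1006 HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /api/customer/(?P<id>\d+) HTTP/1\.1" '
    r'(?P<status>\d{3})'
)


def find_enumeration(log_text: str, min_run: int = 5) -> Dict[str, int]:
    """Flag source IPs whose requested IDs contain a run of at least
    min_run consecutive values. Returns {ip: longest_run}. Heuristic only:
    a scraper that randomises IDs evades it, so pair it with a per-IP
    request-rate check in practice."""
    by_ip: Dict[str, list] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_ip.setdefault(m["ip"], []).append(int(m["id"]))
    flagged = {}
    for ip, ids in by_ip.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print("unprotected:", enumerate_ids(lookup_unprotected, 1000, 1010))
    print("hardened:   ", enumerate_ids(lookup_hardened, 1000, 1010, token="tok-b"))
    print("flagged:    ", find_enumeration(SAMPLE_LOG))
```

Run as a script it shows the unprotected handler giving up all three records to a blind walk of the ID range, the hardened handler giving up only the caller’s own record, and the log detector flagging the enumerating source. The choice to return 404 rather than 403 for another customer’s ID is deliberate: a 403 would still confirm that the ID exists.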
If anything attests to the seriousness of the breach, it is that Optus has since offered credit fraud checking services to affected customers, illustrating the sensitivity of the data stolen.
While Optus stressed that payment details and account passwords were not compromised, the breach is reported to include passport and driving licence numbers, addresses, names and dates of birth. Email addresses and phone numbers are commonly leaked in these breaches, and that is the case here; it has led to a spate of phishing attacks against affected customers after the hacker posted a subset of the data along with a ransom demand.
Phishing attacks at times like these are particularly troublesome for several reasons: they expand the scope of the attack far beyond the breached organisation, and they are more convincing. Victims are likely to be in a panicked state, and contact that appears to come from the compromised company offering information is more likely to succeed, because victims are already worried about data theft and fraud.
It also appears to have gone a step further, with victims contacted directly for extortion rather than simply phished, and threatened that if they don’t pay, their data will be leaked or sold to other malicious parties. In a strange twist, the hacker apologised and retracted the ransom demand five days after the breach was reported and a day after issuing the initial demand. Unfortunately, the damage was already done: a subset of the posted data had already been downloaded and used for malicious purposes.
A particularly interesting outcome of the Optus attack is its political impact. The Home Affairs Minister, Clare O’Neil, tweeted her belief that Australia is ‘five years behind where [they] need to be’ on cyber security, and the government has said it will investigate reforms to the Australian Privacy Act, including increasing the fines for a data breach. That the incident is driving legislative change, following some significant changes earlier this year, highlights the gravity of the situation.
The prospect of larger fines, along with two class action lawsuits and the hiring of Deloitte to assist with the investigation, puts into sharp relief the impact of this data breach and its long-term ramifications. The outcome is less likely to be favourable for Optus given this isn’t the first data breach it has suffered in recent years: back in April 2020 it disclosed that records of 50,000 customers had been passed to marketing company Sensis.
This breach follows the pattern of many before it, where an oversight in a simple configuration, in this case an API endpoint that was reportedly exposed without authentication, leads to a massive data breach and disclosure of customer details. It is a breach that a penetration test could possibly have prevented; however, without further details it is not possible to comment on what testing Optus had conducted.
The fallout from the breach also follows a familiar pattern: the affected company has to issue an apology, engage a third party, and spend yet more money enhancing its security and paying fines. Unfortunately, the human element remains very material, with customers who entrusted their data to a third-party company now subjected to extortion and phishing. Anyone who falls victim faces a significant financial impact, which is far harder for an individual to recover from than it is for a company of Optus’ size and stature.
As always, ensure the basics are done properly. Make sure your externally-facing services are subjected to proper penetration tests, including API endpoints, storage buckets and other servers, and that every endpoint that returns customer data enforces both authentication and per-record authorisation. Performing an asset inventory exercise is critical to maintaining an up-to-date picture of your estate, which then allows you to identify and treat previously unknown assets and reduce your attack surface.
Here at Pentest People, we are actively mitigating the threats and risks that come before a successful cyber attack happens.
To find out more about our services, enquire now.