Last Thursday, Australia’s second-largest telco, Optus, disclosed that it had been the victim of a cyberattack. At the time, it wasn’t clear how many customers would be impacted, but in the days since, we have learned that the number is around 10 million accounts.
Some of the best coverage of the incident has come from @Jeremy_Kirk, who actually helped verify the technique used by the attacker to obtain the personal data of active and previous Optus customers.
The ‘hack’ was never actually a hack. Instead, it looks like an API endpoint was left unauthenticated, a big no-no in the infosec community, particularly when that API could be used to query customer data. While there was no simple button to click and download the data, a fairly modest programmer could write a script to enumerate a series of IDs and have the endpoint return the relevant data for each.
APIs often have limits that restrict the number of requests per hour, and they are also often monitored for irregular use; it seems none of that was in place for this endpoint. After learning of the attack, Optus has since disabled public access to the API, but you can still see some of their Developer portal, which coincidentally has had an expired SSL certificate since January.
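The paragraph above names the two controls that seem to have been missing: rate limits and monitoring for irregular use. As an added illustration (not part of the original post, and not Optus’s code), here is the kind of detection such monitoring would perform. It runs over constructed access log lines in an assumed format (`<timestamp> <client IP> <method> <path> <status> auth=<yes|no>`) and flags any client that issues a burst of customer-record lookups walking sequential IDs, noting whether the requests carried credentials at all.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access log lines (not real Optus data). Assumed format:
# <ISO timestamp> <client IP> <method> <path> <status> auth=<yes|no>
# The first twelve lines model an ID-enumeration burst from one client that
# never sends credentials; the remaining lines model ordinary authenticated use.
SAMPLE_LOG = "\n".join(
    [f"2022-09-22T10:00:{s:02d}Z 203.0.113.7 GET /api/customers/{1000 + s} 200 auth=no"
     for s in range(12)]
    + [
        "2022-09-22T10:00:05Z 198.51.100.9 GET /api/customers/4821 200 auth=yes",
        "2022-09-22T10:03:40Z 198.51.100.9 GET /api/customers/4821 200 auth=yes",
        "2022-09-22T10:09:12Z 198.51.100.9 GET /api/customers/77 403 auth=yes",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)
ID_RE = re.compile(r"^/api/customers/(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    id_match = ID_RE.match(m["path"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": m["ip"],
        "customer_id": int(id_match.group(1)) if id_match else None,
        "authenticated": m["auth"] == "yes",
    }


def max_requests_in_window(timestamps, window_seconds):
    """Largest number of requests (sorted timestamps) inside any window of window_seconds."""
    best, start = 0, 0
    for end in range(len(timestamps)):
        while (timestamps[end] - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_enumeration(log_text, window_seconds=60, min_requests=10, min_sequential_ratio=0.8):
    """Flag clients whose customer-record lookups look like ID enumeration.

    A client is flagged when, within one window, it issued at least min_requests
    lookups and at least min_sequential_ratio of its successive requested IDs
    differ by exactly one. Returns {ip: finding}.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["customer_id"] is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        burst = max_requests_in_window([r["ts"] for r in recs], window_seconds)
        if burst < min_requests:
            continue
        ids = [r["customer_id"] for r in recs]
        steps = [abs(b - a) == 1 for a, b in zip(ids, ids[1:])]
        ratio = sum(steps) / len(steps) if steps else 0.0
        if ratio < min_sequential_ratio:
            continue
        findings[ip] = {
            "requests_in_window": burst,
            "sequential_ratio": round(ratio, 2),
            # True if any request in the burst arrived without credentials
            "unauthenticated": any(not r["authenticated"] for r in recs),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_enumeration(SAMPLE_LOG).items():
        print(ip, finding)
```

The thresholds are placeholders to tune against real traffic: an ordinary customer portal fetches a handful of records per session, so a single client touching ten or more consecutive IDs within a minute is a strong signal. In practice the same check belongs in front of the endpoint as a rate limit, not only in a log review after the fact, and an `auth=no` lookup against customer data should be rejected outright rather than merely flagged.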
Optus is part of the Singtel Group, which provides communications technology in over 21 countries. Optus has invested more than $22 billion in its mobile network and has more than 8,000 staff. It’s difficult to understand how they could make a rookie error like this, one that could have consequences for their customers for years to come.
Unsurprisingly, there’s a class action lawsuit already ramping up from legal firm Slater & Gordon, although it’s unclear whether impacted customers would ever see a payout from this incident.
As bad as this weekend has been for Optus and its CEO, it’s certainly not over. The attacker, known under the username ‘optusdata’, has offered Optus an out: pay a ransom of US$1 million and they won’t sell the data online.
Optus has until Friday 30 September to make their decision.
This places Optus in a difficult situation: they are facing potentially many, many millions of dollars in fines or compensation to impacted customers, or they could pay the US$1 million.
Obviously, they are dealing with a complete unknown, someone they cannot trust, so they absolutely should not pay the ransom. They could pay the money, still see the customer data spread online, and then simply be down a million dollars. They would also be seen very poorly by the rest of the corporate community, as any payment would be seen as encouraging future attacks once attackers know payment works.
This is incredibly valuable data we’re talking about here. While account details and email addresses are bad enough, the data Optus holds and apparently stores effectively amounts to the 100 points of ID needed to open a new bank account or credit card, apply for loans, etc., and to wreak havoc on someone’s credit rating for years to come.
After being strongly encouraged in parliament today, Optus announced it would now pay for a 12-month subscription to Equifax Protect for the most affected customers.
An Equifax Protect subscription allows you to:
- Track your credit score over time with monthly credit reports.
- Receive alerts for certain changes in your credit report.
- Receive alerts if your personal information is found on the dark web.
- Gain peace of mind with up to $15,000 insurance cover in the event of identity theft*
- Take control with tips on how to improve and maintain a good credit score.
This service costs A$14.95 per month, making the cost to Optus roughly $180 per year for each of the customers who had a lot of information stolen. On ABC’s 7.30 Report tonight, Minister for Cyber Security Clare O’Neil outlined that as many as 2.8 million Australians had significant personal data stolen.
I really hope there are some serious questions being asked inside Optus about how this happened, and that steps are taken to ensure it never happens again. I actually feel for the people inside the company who effectively went from doing their jobs successfully one day to working for a company that’s hated the next.
This is bad for all parties; there are no winners here, other than potentially the profiteering attacker. The ransom was demanded in Monero, a decentralized cryptocurrency that obfuscates transactions to achieve anonymity and fungibility: observers cannot decipher the addresses trading Monero, transaction amounts, address balances, or transaction histories.
Optus has engaged the Australian Signals Directorate, and it feels like the only hope of a good outcome for Optus is that they manage to track down the attacker in the next four days. Best of luck.