
It’s too late to undo the Optus hack. How do we stop the next one?

08:21, 26 September 2022. Source: crikey.com.au


An incognito ransom post has shed light on a cyberattack that exposed the personal information of millions of Optus customers.

(Image: Zennie/Private Media)

An anonymous account, “Optusdata”, posted an extortion threat for US$1 million to the telecommunications company on a popular hacking website. The account asked for the sum to be paid in untraceable cryptocurrency Monero within a week or the dataset would be made available to others for purchase.


The account claims to have the details of 11.2 million users (notably more than the ceiling of 9.8 million users affected, according to Optus) — as well as passport and driver’s licence numbers for 4.2 million of them.


The listing included a sample of users’ data. Crikey was able to verify the data of at least one Optus customer listed. This user’s data is not found in the data breach notification service Have I Been Pwned, suggesting that it has not been previously released in other breaches. Other researchers and outlets have also been able to confirm data with other customers. Taken together, this suggests that Optusdata has been able to access Optus customer data — although this does not substantiate the account’s claim about the scale of the leak.

Optus has not confirmed that Optusdata’s database is real. The company said it has been advised by the Australian Federal Police to not offer further comment.

The account told Crikey that they had not yet heard from Optus. They said they would delete the information if the ransom was paid: “Data will not be sold to criminal [sic] if paid. Data will be destroyed and we can retire. If Optus care about there [sic] customers they should pay money. It is small in compared to there [sic] revenue,” they said in a message.


Ransomware attacks are increasingly common as hackers leverage cyberattacks to extract payments from businesses and organisations. Even though many will pay the ransom (80% according to one survey of Australian businesses this year), there’s no guarantee that attackers would follow through on their promise and delete the data obtained.

How did the Optus cyber attack happen?

Reporting by the ABC’s Andrew Greene and BankInfoSecurity’s Jeremy Kirk suggests that intruders used an application programming interface (API) to obtain Optus’ customer data.

In layman’s terms, an API is a go-between for two different pieces of software. A popular example is weather APIs: most weather apps get condition information from an API belonging to an organisation like the Bureau of Meteorology, which actually collects the data.

In this case, it’s believed that the people behind the cyberattack were able to access an Optus API that did not require someone to log in before it returned customer data. The suspected API endpoint is now offline, meaning there’s no further risk of more information being retrieved through it.
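To make concrete what “an API that did not require someone to log in” means in practice, here is an added illustration (example code, not Optus’ own system) of a customer-record lookup written the flawed way beside a hardened version. The hardened handler requires a valid session token, lets a caller read only their own record, and returns only the fields the view needs rather than identity-document numbers; the customer records, session tokens and field names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not real data). A real system would hold
# only what it needs, and identity-document numbers would be protected.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1990-01-01", "licence": "EX123456"},
    1002: {"name": "B. Example", "dob": "1985-06-15", "licence": "EX654321"},
}
# Constructed bearer tokens mapped to the customer each one authenticates.
SESSIONS = {"tok-alpha": 1001, "tok-bravo": 1002}
# Fields a customer-facing view actually needs; licence number is deliberately excluded.
VIEW_FIELDS = ("name", "dob")


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_customer_unauthenticated(customer_id: int) -> Response:
    """The flawed pattern: anyone who knows a customer id gets the whole record."""
    rec = CUSTOMERS.get(customer_id)
    return Response(200, dict(rec)) if rec else Response(404)


def get_customer_hardened(customer_id: int, auth_header: Optional[str]) -> Response:
    """Hardened pattern: authenticate, authorise per record, minimise fields."""
    # 1. Authentication: reject requests with no valid session token (401).
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401)
    caller = SESSIONS.get(auth_header[len("Bearer "):])
    if caller is None:
        return Response(401)
    # 2. Authorisation: a logged-in caller may read only their own record (403).
    #    Deny before the lookup so the response does not reveal whether the id exists.
    if caller != customer_id:
        return Response(403)
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return Response(404)
    # 3. Data minimisation: project the record onto the fields this view needs.
    return Response(200, {k: rec[k] for k in VIEW_FIELDS})
```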


What happens when millions of Australians have their data leaked?


Optus has contacted all of those caught in the leak. They’ve been advised to watch for phishing attempts and suspicious transactions. These responses place the onus on the individual to manage their own harm. Individuals also have little chance of legal recourse, as Australia does not have a statutory tort of invasion of privacy. Unfortunately for them, many of the details in the leak are difficult or impossible to change, which leaves them exposed to these risks in the future.

What of the broader implications for Australia? Governments, businesses and organisations use personal identifying information (PII) to verify people’s identities. The release, or the threat of the release, undermines current systems built on existing standards of verification.

University of Canberra Associate Professor Dr Bruce Baer Arnold said it’s unlikely governments will re-issue passports, driver’s licences and other identity objects.


“They are not set up to engage in what approaches population scale re-regulation,” he said.

Australian National University’s Dr Liz Allen told Crikey there are questions about data integrity and the social licence of future data collection, such as the census. Right now, banks have reportedly stepped up monitoring for suspicious activity in response, while Optus is requiring customers to come into their stores to carry out transactions.

What can we do to stop the next Optus hack?

The government’s Home Affairs and Cybersecurity Minister Clare O’Neil is set to announce reforms that would allow telcos to inform banks about privacy breaches, a move currently prevented under existing privacy protections. The Coalition’s opposition spokespeople Karen Andrews and James Paterson want to introduce new offences for cyber extortion and ransomware activities. The attack will intensify interest in the results of the long-running Privacy Act review, which are set to be released later this year.

One of the major public policy issues that has emerged from the Optus cyberattack is the question of how much data companies are required to keep — and how much they’re actually keeping. The data held by Optus included many forms of PII going back as far as 2017, including for former customers.


University of Queensland’s Brendan Walker-Munro said that hyper-collection of data is a common issue with companies.

“We need to start asking these companies why they need to collect and store this information,” he said.


Some have been quick to point the finger at regulation for the amount of data held by Optus. The ABC quoted a “long-serving telecommunications insider” saying as much: “It annoys me that people think Optus and others want this data — it’s necessary for metadata laws — we don’t”.

But the volume and types of data held by the telco go beyond what it is required to keep. Optus also hadn’t encrypted this data; encryption would have hampered its usefulness if leaked. This means it’s not just an issue of regulation forcing too much retention; it’s also about the data practices of big companies that have little incentive to treat customers’ private details with care.

Whether or not Optus customer data ends up being sold online, the cyberattack will leave a lasting impact on the millions of Australians who will always fear its release. The question is whether policymakers will seize this opportunity to reform regulations to ensure that something this potentially harmful doesn’t happen again.
