Breach of Optus security

Information, discussions, warnings, and friendly assistance with all your computer-related problems.

Moderators: godfather, Dreamweaver

Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Breach of Optus security

Post by Perrorist »

As so many people's details may have been stolen by hackers, are you likely to be a victim? I've been an Optus mobile customer for at least 20 years and I can't imagine my details being of more interest than what is already known.
"A change is gonna come."

Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Re: Breach of Optus security

Post by Perrorist »

Optus Under $1 Million Extortion Threat in Data Breach
(By Jeremy Kirk and Bank Info Security)

Also: Optus Attacker Says Unauthenticated API Endpoint Led to Breach

Australia’s second-largest telecommunications company is facing a US$1 million extortion demand to prevent the sale of what an attacker says are up to 11.2 million sensitive customer records.
The data breach, which ranks as one of the country’s largest ever, is under investigation by the Australian Federal Police. Optus, which is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group, detected it on Sept. 14.
Early Saturday, a person going by the nickname “Optusdata” published two samples of the purported stolen data on a well-known data leak forum. The attacker writes that Optus can prevent the sale of the data to other cybercriminals if it pays $1 million in the monero cryptocurrency.
Optusdata writes that Optus has one week to pay, otherwise the data will be available for sale in parcels.
The two released data samples contain around 100 records and include data fields such as name, email address, physical address, passport number, driver’s license number, birth date, whether a person owns their home or not and more. The data covers current and former Optus customers.
An Optus spokesperson said on Saturday “we are investigating the legitimacy of this” data.

Leaked Data Appears Legitimate


ISMG found strong signs that the data likely originated with Optus.
One way to figure out if a breach came from an organization it claimed to have come from is to enter the email addresses into Have I Been Pwned. HIBP is a data breach notification service. People can sign up and be alerted if their email address appears in a new breach. An email address can also be entered into HIBP to see if it has been in a past breach.
ISMG tested 23 email addresses. Most had appeared in previous breaches, but six had not. That is an indication that the Optus sample data is real.
Also, some personal records do not have a recognizable email address from major providers. Instead, there are email addresses that appear to have been assigned by Optus. For example “no_email82320714@optus.com.au.”
Those addresses also do not appear in HIBP, suggesting that this is the first time those have been breached.
In looking at one of the sample data sets, this reporter recognized a local street address. This reporter went to a residence on Saturday morning and found the woman whose data was exposed. She was working in her yard.
When handed a print out of the data, she confirmed it belonged to her. She was an Optus customer until around 2018. Optus has said it believes the leaked data may date back to 2017.

Breach Source: Unauthenticated API

The Australian broadcaster ABC reported on Friday a possible cause for the breach.
The ABC quoted a "senior figure" inside Optus who said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
APIs are software interfaces that allow systems to exchange data, but they could pose risks of data breaches if exposed directly to the internet. Optus declined to comment on the explanation and disputed that “human error” may have played a role.
ISMG reached out to Optusdata on the forum where the data samples were released and asked how the data was stolen. The person confirmed the data was exfiltrated from an unauthenticated API. To put it another way, the API did not require anyone to log in in order to access its functionality.
Optusdata wrote in a message: "No authenticate needed. That is bad access control. All open to internet for any one to use."
The API endpoint was api[dot]http://optus.com.au. It’s an odd URL, but Optusdata says it worked to exfiltrate the data because otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. The API was used in part to let Optus customers access their own data.
The same API endpoint was passed to ISMG on Saturday by a separate anonymous source. That person says it was hosted in Google Cloud/Apigee. When Optusdata started frequently accessing that API, it triggered a security alert. A suspiciously high volume of data was coming from that API, which was a signal to Optus of malicious behaviour.
Optusdata says they enumerated the customer records via the "contactid," which is a field that appears in the leaked data samples. It’s unclear how Optus used the “contactid.” By enumerating, the hacker means they sequentially accessed and downloaded the customer records using the API.
Contacted on Saturday night with this information, an Optus spokeswoman said the company did not have an immediate comment.

Notifying Customers

Optus is in the process of notifying those affected. Not all of those affected had the same amount of data exposed. Optus said on Friday it will offer “expert third-party monitoring services” for those at heightened risk. It has also warned customers to be wary of potentially fraudulent emails and text messages.
Optus will face a range of regulatory inquiries about its data handling practices, including from the Office of the Australian Information Commissioner, which is the country’s data protection agency.
The Guardian reported that Australia’s Attorney General’s office is seeking an “urgent” meeting with Optus to hear of the company’s plan to mitigate the effects of the breach for those affected.
In a separate story, The Guardian reported that in 2020 Optus argued against giving consumers stronger rights over control over their data during a federal review of the country’s Privacy Act.
Optus opposed giving consumers a right to erase their personal information, citing “significant technical hurdles,” it reported. The company also opposed greater consumer power to take legal action against companies over data breaches, the publication wrote.

Note - Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Executive Editor for Security and Technology for Information Security Media Group. He's the creator of "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware, the greatest crime wave the internet has ever seen.
"A change is gonna come."

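The article quoted above says customer records were walked by "contactid" through an API that needed no login, and that the unusual request volume raised an alert. As an added example (not part of the post or the article; the log format, URL path, addresses and thresholds are constructed assumptions), this is the kind of check that flags that pattern in API gateway logs:

```python
import re
from collections import defaultdict

# Assumed log format: <client_ip> <token id or "-"> "GET /customers/<contactid>" <status>
LINE_RE = re.compile(r'^(\S+) (\S+) "GET /customers/(\d+)" (\d{3})$')

# Constructed sample lines (documentation IP ranges, made-up IDs and tokens).
SAMPLE = (
    [f'203.0.113.7 - "GET /customers/{i}" 200' for i in range(5000, 5040)]
    + ['198.51.100.4 tok-a1 "GET /customers/7311" 200'] * 3
    + [f'192.0.2.9 tok-b2 "GET /customers/{i}" 200' for i in (12, 840, 9051)]
)

def parse(lines):
    """Yield (ip, authenticated, contact_id, status) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ip, auth, cid, status = m.groups()
            yield ip, auth != "-", int(cid), int(status)

def find_enumeration(lines, min_ids=20, min_sequential=0.8):
    """Flag clients that fetch many distinct, mostly consecutive record IDs."""
    ids = defaultdict(set)
    unauth_ok = defaultdict(int)
    for ip, authed, cid, status in parse(lines):
        ids[ip].add(cid)
        if not authed and status == 200:
            unauth_ok[ip] += 1  # data served with no credential at all
    flagged = {}
    for ip, seen in ids.items():
        if len(seen) < min_ids:
            continue  # a customer reading their own record stays below this
        ordered = sorted(seen)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential:
            flagged[ip] = {
                "distinct_ids": len(ordered),
                "sequential_ratio": round(ratio, 2),
                "unauthenticated_200s": unauth_ok[ip],
            }
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```

Any non-zero count of unauthenticated 200 responses on a customer-data path is a finding on its own, whether or not the sequential-ID threshold is reached.
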
Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Re: Breach of Optus security

Post by Perrorist »

I've been notified by Optus that my details have been revealed.
"A change is gonna come."

mavisbramston
Bronze Member
Posts: 4246
Joined: 26 Feb 2016, 20:32

Re: Breach of Optus security

Post by mavisbramston »

Then there is medibank. What should we do?

lynny
Diamond Member
Posts: 74783
Joined: 30 Sep 2005, 17:15
Location: Hobart Tasmania

Re: Breach of Optus security

Post by lynny »

I read that they think the Medibank data breach is bigger than they imagined.

I think it's time for all businesses that collect your data to look at their security systems!

Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Re: Breach of Optus security

Post by Perrorist »

What annoys me as an ex-IT manager is that these breaches were due to either sloppiness or ignorance. The Optus breach and at least one other used real customer data in test systems that ran separately from the production environment, so weren't protected in the same way. I never allowed that. I insisted on dummy data being used instead.
"A change is gonna come."

lynny
Diamond Member
Posts: 74783
Joined: 30 Sep 2005, 17:15
Location: Hobart Tasmania

Re: Breach of Optus security

Post by lynny »

Medibank say all of their customers have had their data taken.

Totally unacceptable!


(Corrected. Sorry, not Medicare of course!) :embarrassed:
Last edited by lynny on 27 Oct 2022, 17:12, edited 1 time in total.

Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Re: Breach of Optus security

Post by Perrorist »

Four million current and former members!
"A change is gonna come."

lynny
Diamond Member
Posts: 74783
Joined: 30 Sep 2005, 17:15
Location: Hobart Tasmania

Re: Breach of Optus security

Post by lynny »

:eek

Glad I'm not one.

Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Re: Breach of Optus security

Post by Perrorist »

Me too.
"A change is gonna come."

Dreamweaver
Global Moderator
Posts: 14551
Joined: 16 Sep 2005, 15:46
Location: Victoria

Re: Breach of Optus security

Post by Dreamweaver »

Medibank - hope it's not Medicare.
I dream, therefore I am.

Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Re: Breach of Optus security

Post by Perrorist »

No, not Medicare.
"A change is gonna come."

Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Re: Breach of Optus security

Post by Perrorist »

"A change is gonna come."

Dreamweaver
Global Moderator
Posts: 14551
Joined: 16 Sep 2005, 15:46
Location: Victoria

Re: Breach of Optus security

Post by Dreamweaver »

Thanks, Perry - "Why are there so many data breaches? A growing industry of criminals is brokering in stolen data"
I dream, therefore I am.

Perrorist
Administrator
Posts: 7848
Joined: 17 Sep 2008, 12:36
Location: Tumbi Umbi, Central Coast, NSW

Re: Breach of Optus security

Post by Perrorist »

It's highly lucrative.
"A change is gonna come."
