
In September 2022, Australian telecommunications giant Optus revealed that about 10 million instances of data had been stolen in what it called a cyber-attack.
Some experts say it may be the worst data breach in Australia's history.
This probable overseas cyber attack prompted consumers and the Government to ask critical questions about how Australia, and telecommunications companies in particular, handle data confidentiality.
Optus, a Singapore-owned telecommunications company, went public with the breach about 24 hours after it noticed suspicious activity on its network.
Australia's second-largest telecoms provider said current and former customers' data was stolen, including names, birthdates, home addresses, and phone, passport and driving licence data. It stressed that payment details and passwords weren't compromised. This is a huge PR and trust disaster for the company.
About 2.8 million people, those whose passport or licence data were taken, are potentially at a "relatively significant" risk of identity theft and fraud, the government has since said.
Optus said it was investigating the breach and had notified police, financial institutions, and government regulators. The breach appears to have begun overseas, local media reported.
Optus chief executive Kelly Bayer Rosmarin called it a "sophisticated attack", saying the company has very strong cybersecurity. She said: "Obviously, I'm angry that there are people out there that want to do this to our customers." She said she was disappointed that the company could not have prevented it. But is this really true? Was it unpreventable?
Sydney-based tech journalist Jeremy Kirk contacted the purported hacker and said the person gave him a detailed explanation of how they stole the data.
The reporter's story contradicted Optus's claims that the breach was "sophisticated", because the alleged hacker said they pulled the data from a freely accessible software interface. They mentioned that no authentication was required and that the data was open to the internet for anyone to access.
Could this story actually be about a company trying to avoid culpability for this massive breach of its security, and trying to avoid a public backlash by appealing emotionally to the public and saying it could not be averted? Are companies really at the mercy of hackers, or could numerous organisations such as this one be under-investing in their cyber security, or be up to a decade behind in addressing vulnerabilities?
A couple of days after the reported breach, the supposed hacker demanded a ransom of US$1 million in an online forum.
The person stated that the company had a week to pay, otherwise the stolen data would be released in batches.
They demanded the ransom after initially releasing approximately 100 records of what they claimed to be Optus customers' personal data, saying the samples were part of the hacked data and that it was openly accessible data that anyone could have extracted. Experts claimed that the data appeared genuine.
Another couple of days went by and the ransom demand escalated: a person claiming to be the hacker released 10,000 client records and reiterated the ransom deadline.
But just hours later, the alleged hacker apologised, saying it had been a "mistake", and deleted the previously posted data sets.
They said there were too many eyes and withdrew their extortion threat to sell the data unless their demands for cash were met.
With law enforcement and journalists sniffing around, the hacker appears to have become spooked and recalled some of the stolen data, stating that they would not release the sensitive data and apologising to Optus for the drama. They offered their condolences to Optus for the trouble that had been caused. I suppose it sank home to them how long they could spend behind bars if caught. Although they might be adept at hacking Optus's data, perhaps this illustrates that the hacker is fairly inexperienced at ransom negotiations and is maybe a youngish person who didn't completely understand the implications of being caught red-handed committing cyber crime.
Others, however, surmised that Optus had paid off the hacker, which the company denies and which would be unlikely without strong police involvement. Or could this be a cover-up by the company?
Adding to the problem, others on the online chat forum frequented by the hacker claimed that the exposed data had already been released, had now fallen into the hands of clandestine criminal organisations, and was perhaps already being misused.
It also surfaced that some customers' medical data (the most serious type of data breach), which could give access to medical records, had also been stolen; this was perhaps not deliberately revealed when the initial data breach was announced by Optus.
Over the next couple of days, the company said this had affected nearly 37,000 Medicare cards.
It's potentially Australia's most serious breach. Surely the laws about securing data need tighter review. I wonder if Optus will be seen to have negligently held the data or not?
Optus has been vitriolically attacked in communications from angry customers since the incident occurred.
People have been advised to watch out for signs of identity theft and for opportunistic scammers, who are said to be already cashing in on the confusion.
A class-action lawsuit could soon be filed against the company. Could this be for millions of dollars? "This is potentially the most serious breach in Australian history, both in terms of the number of affected people and the nature of the information obtained by the hacker," said Ben Zocco from Slater and Gordon attorneys.
Cyber Security Minister Clare O'Neil from the Australian Government basically stated that Optus had not been the victim of a sophisticated attack at all. She has called out all of Australia as being a decade behind the rest of the world when it comes to cyber security. She criticised Optus, stating that it had effectively left itself open for sensitive data to be stolen. This claim was rebutted by the Optus CEO, who stated words to the effect that Optus has multiple layers of protection, so it was not a case of having some kind of fully exposed APIs (software interfaces) sitting out there.
Optus is facing calls to cover the costs of replacement passports and driving licences, as people scramble to protect themselves.
Ms O'Neil refocused the Government's attention on two areas demanding critical reform.
She argues the government should be able to penalise companies more heavily in this situation. In some countries, the company would have faced hundreds of millions of dollars in penalties, but Australia's maximum penalty is limited to about $2M, she said.
She also wants to expand previously introduced cyber-security laws to include telecommunications companies, which appear to have been left to self-regulate, by and large, to this point.
Security experts have also suggested reforming data retention laws so that telecommunication companies do not have to keep sensitive information exposed. Customers should also have the right to request companies delete their data, experts say.
Optus says it is required to keep identity data for six years under the current rules.
Others have argued consumers should be more able to take companies that lose control of their personal information to court, rather than to the industry's own self-appointed watchdog.