The saddest revelation is it is customers and ex-customers of Optus who need to be from now on forever vigilant.
Optus cannot undo the harm done!
The Australian Government cannot undo the harm done!
As customers we are advised to be extra vigilant because of what another has failed in their duty to have done.
It seems so wrong. It is so wrong.
Should Optus now indemnify every single customer against the outcome of their failures?
True it is not Optus alone who has been caught in like hacks. A curse on digital record keeping and shared data. Try refusing to have your personal data stored on any system. It’s neither a right nor an option, other than to cease to exist or have any identity.
Should there be a penalty of indemnity against customer loss for every business where their systems are breeched? Despite what business might say, it’s not consumers who have demanded digital records and systems. It is business that has sold consumers the idea that digital serves us better. All to the benefit of business.
And that is apparently what customers are now being required to do at the moment. Quote from ITnews.
The telco did say that in response to the attack and data breach that it has “temporarily stopping SIM swaps and replacements, as well as change of ownership [activities]” by its “online, phone and messaging support teams”.
“To protect our customers, these requests can be completed in any of our Optus Retail locations with relevant ID,” it said.
Unfortunately, the modern reality is not whether a company will be hacked but when. There is no such thing as perfect security in a modern IT environment where you rely upon supply chains that you don’t even know exist and operating systems that even the developers no longer understand.
The most important thing Optus and any other large enterprise can do is be prepared. Set up systems to look for unusual activity that might involve attackers. Put some honeypots on your network. And have a plan for what to do when a breach occurs - including communicating it responsibly and letting people know exactly what has been accessed.
It is not clear to me when the Optus breach occurred, or was discovered. This is information that should be published, that will assist Optus customers (and former customers apparently dating back to 2017) to assess how the breach affects them and take any necessary actions.
Early on Friday, Emsisoft threat analyst Brett Callow posted a screenshot on Twitter that purported to show a database of 1.1 million Optus customers’ details, comprising names, email addresses and mobile numbers.
Optus public statements are interesting. There was one claim it was human error, and Optus immediately dismissed and went back to a ‘sophisticated attack’. Which it is may never be known but if it was human error there could be significant Optus liability; if it was a sophisticated attack they may try to get away with an apology.
We’ve had feedback from one family member who has received notification specific to their Optus account. It’s unlikely to settle any concerns. The following from the Guardian r says it as it is.
An elaborate phishing operation involves ‘human error’ - does this make the company liable for a single mistake by a single employee?
It does sound as though Optus may not have employed appropriate safeguards for the data it held, but this is not the same as being, for instance, ‘recklessly indifferent’ to its obligations.
Again, the key is how the company responds and how it communicates with affected customers. Unfortunately Australian law is rather lax in regard to cyber-security, and even now places few obligations on companies to do the right thing.
It’s always a convenient excuse to point a finger to an individual. Hey, look over there!
It’s also wrong, IMHO.
Mistakes happen because of failures of management. Whether it’s a failure to ensure certain procedures are followed, or adequate procedures are in place, or adequacy is regularly independently assessed or ….?
Having managers in place who are capable (competent and diligent) might be more important than anything else. Like most serious failures, there will be a number of contributing factors, all within the scope of management to control.
Hopefully Optus looks at itself seriously from the top down. As a recent ex customer it would be difficult to consider returning under the current regime.
I tend to beleive Optus when they say it was an external attack. The IP addresses used kept ‘moving around’ suggesting a Botnet attack using authorised information requests for customer details as would be used by support functions.
Companies like Optus face problems with information security.
Firstly, Telcos are required by Australian law to keep details of transactions and usage and identifying customer details for law enforcement purposes.
Secondly, Optus would be like many other companies using IT that outsource (and that often means offshore) privileged functions like customer service, technical support, administration, and even application development and testing.
That means access has to be provided by The Internet, rather than internal Intranets which can be more securely controlled.
He said, she said about how it came down but Optus is doing what companies do. eg wringing their hands and wishing those affected well.
A major and serious data breach in the US a few years ago required a class action - finally settled by every affected customer getting a paid (eg free to the customer) 4 year premium credit monitoring subscription with Experian IdentityWorks. It reports phone numbers appearing on the web, social security (eg TFN equivalent) numbers, credit applications, email addresses, driver license numbers and other IDs popping up on the dark web as well as on social media as well as for any account application requiring a credit check. It requires personal involvement to assess what is reported and everything reported is not indicative of a bad person using one’s information, but if say a credit application pops up one can take action quite quickly as alerts are often within hours, not just monthly.
Optus said that its SIM-only brands Amaysim and Gomo, and Optus wholesale services (smaller telcos that use Optus’ networks and platforms, such as Aussie Broadband and Southern Phone) were not impacted by the attack. (source)
Important to note … it is GOVERNMENT that has passed legislation requiring many telecommunications industry companies to record and retain many pieces of information, in particular relating to your ID.
So even if a company wanted to do the right thing (e.g. delete your ID when you cease to be a customer), it is prevented by law from doing so.
Therefore I would like to see the Federal government footing the bill for reissuing all affected drivers licences and passports (with new numbers).
I believe that in the case of drivers licence it is not within your control to renew with a different number (whereas I think that is automatic for a passport).
Given that drivers licence and/or passport are used as primary authentication documents in quite a few important contexts, including processes undertaken with the government itself, the scope for problems arising from this breach is enormous.
I would like to see laws that banany use of the drivers licence except for administering, you know, driving - and similarly for passports.
Both of these statements are true.
However Optus could have done better to store drivers licence and passport numbers encrypted. It is unlikely that they use this information in their day to day operations, even for authentication purposes. It is likely that these fields exist only to satisfy legal requirements.
Storing encrypted is not a panacea but it does protect against some scenarios where you get hacked.
There are legal requirements about storing credit card numbers encrypted. It should be the same for the above numbers (assuming that those numbers continue to be abused).
Likewise Optus could have done better to store sensitive information that is irrelevant to its day to day operations on a different system.
The convoluted and incomplete / difficult to follow explanation that I saw … makes both of these true. Yes, there was human error involved. Yes, it was a sophisticated attack.
As far as I am concerned, any successful attack involves human error - because the humans are still in control and clearly no company intends to be subject to a successful attack.
There was, I believe, human error involved at several different stages in the IT chain e.g. human error in Operations and human error in IT design (and of course there can be human error in IT implementation, although I have not heard that this was a factor in this particular attack).
I got an email this morning to advise that I was affected by the Optus hack. No real surprise, other than that the company took so long to figure out who was affected and notify them.
As for whether the Optus data was stolen by ‘state actors’ or by run-of-the-mill extortionists, we may never know and it may not necessarily make much difference. In the past state hackers have simply been after company secrets, but nowadays countries like North Korea get a lot of their usable currency (mainly USD) through hacking. That means that the fact personal information is being sold online does not mean that the company was hacked by some shadowy criminal group.
They would indeed use verification data like photo id documents for day to day operations like SIM swapping and replacements and mobile number porting, and post-paid account setup and changes.
Now that is compromised, those functions will not be available online or via phone.
Visit to an Optus shop required at present.
I guess I didn’t define “day to day”. I would think that most customers would go years without doing most of those things. So inconvenience and maybe a few extra hours delay to both Optus and the customer to carry out one of those things may be more acceptable.
Ah the joy to look forward to when all phones use eSIMs and SIM swapping is a purely cyber operation that can be compromised at the speed of light without your knowledge …
I got an email too. Very unclear from the email whether it is a generic inform to all customers or specifically for customers who have sensitive identifiers that have been compromised.
and the numbers of the ID documents you provided such as drivers licence number or passport number
Like I remember what of those documents I provided X years ago …
I’ve just had a long chat with Optus via their messaging app about the data breach. We received that email from Optus saying we had been affected by the data breach. But in the chat the customer service officer told me “I’ve checked your account and at this stage I can’t see that you’ve been affected”. And then confirmed Optus have no drivers licence details or passport details for our account (Internet only, mobile account closed 2 years ago).
No response to my question about why Optus management would send such a worrying email if I hadn’t been affected. I have concluded that they don’t really know who’s been affected and who hasn’t! I am just hopeful I can rely on the information that they don’t have drivers licence or passport details on file as this would certainly lessen the risk to us of consequences from the date breach.
