Data Breaches 2022 onward (including Optus)

Optus public statements are interesting. There was one claim it was human error, and Optus immediately dismissed and went back to a ‘sophisticated attack’. Which it is may never be known but if it was human error there could be significant Optus liability; if it was a sophisticated attack they may try to get away with an apology.

2 Likes

We’ve had feedback from one family member who has received notification specific to their Optus account. It’s unlikely to settle any concerns. The following from the Guardian says it as it is.

5 Likes

An elaborate phishing operation involves ‘human error’ - does this make the company liable for a single mistake by a single employee?

It does sound as though Optus may not have employed appropriate safeguards for the data it held, but this is not the same as being, for instance, ‘recklessly indifferent’ to its obligations.

Again, the key is how the company responds and how it communicates with affected customers. Unfortunately Australian law is rather lax in regard to cyber-security, and even now places few obligations on companies to do the right thing.

2 Likes

It’s always a convenient excuse to point a finger to an individual. Hey, look over there!
It’s also wrong, IMHO.

Mistakes happen because of failures of management. Whether it’s a failure to ensure certain procedures are followed, or adequate procedures are in place, or adequacy is regularly independently assessed or ….?

Having managers in place who are capable (competent and diligent) might be more important than anything else. Like most serious failures, there will be a number of contributing factors, all within the scope of management to control.

Hopefully Optus looks at itself seriously from the top down. As a recent ex customer it would be difficult to consider returning under the current regime.

2 Likes

I tend to believe Optus when they say it was an external attack. The IP addresses used kept ‘moving around’, suggesting a botnet attack using authorised information requests for customer details as would be used by support functions.

Companies like Optus face problems with information security.

Firstly, Telcos are required by Australian law to keep details of transactions and usage and identifying customer details for law enforcement purposes.

Secondly, Optus would be like many other companies using IT that outsource (and that often means offshore) privileged functions like customer service, technical support, administration, and even application development and testing.

That means access has to be provided by The Internet, rather than internal Intranets which can be more securely controlled.

2 Likes

He said, she said about how it came down but Optus is doing what companies do. eg wringing their hands and wishing those affected well.

A major and serious data breach in the US a few years ago required a class action - finally settled by every affected customer getting a paid (eg free to the customer) 4 year premium credit monitoring subscription with Experian IdentityWorks. It reports phone numbers appearing on the web, social security (eg TFN equivalent) numbers, credit applications, email addresses, driver license numbers and other IDs popping up on the dark web as well as on social media as well as for any account application requiring a credit check. It requires personal involvement to assess what is reported and everything reported is not indicative of a bad person using one’s information, but if say a credit application pops up one can take action quite quickly as alerts are often within hours, not just monthly.

1 Like

I’ve just cancelled my gomo (optus cheapie) account. I hope I’m safe, but I cancelled anyway, even if.

1 Like

Optus said that its SIM-only brands Amaysim and Gomo, and Optus wholesale services (smaller telcos that use Optus’ networks and platforms, such as Aussie Broadband and Southern Phone) were not impacted by the attack. (source)

6 Likes

Important to note … it is GOVERNMENT that has passed legislation requiring many telecommunications industry companies to record and retain many pieces of information, in particular relating to your ID.

So even if a company wanted to do the right thing (e.g. delete your ID when you cease to be a customer), it is prevented by law from doing so.

Therefore I would like to see the Federal government footing the bill for reissuing all affected drivers licences and passports (with new numbers).

I believe that in the case of drivers licence it is not within your control to renew with a different number (whereas I think that is automatic for a passport).

Given that drivers licence and/or passport are used as primary authentication documents in quite a few important contexts, including processes undertaken with the government itself, the scope for problems arising from this breach is enormous.

I would like to see laws that ban any use of the drivers licence except for administering, you know, driving - and similarly for passports.

Both of these statements are true.

However Optus could have done better to store drivers licence and passport numbers encrypted. It is unlikely that they use this information in their day to day operations, even for authentication purposes. It is likely that these fields exist only to satisfy legal requirements.

Storing encrypted is not a panacea but it does protect against some scenarios where you get hacked.

There are legal requirements about storing credit card numbers encrypted. It should be the same for the above numbers (assuming that those numbers continue to be abused).

Likewise Optus could have done better to store sensitive information that is irrelevant to its day to day operations on a different system.

1 Like
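The post above argues that retention-only identifiers should not sit in plaintext in the operational system. The following is an added illustration, not Optus’ code or anything described in the thread, and it substitutes tokenisation for encryption so it runs with the standard library: the customer table keeps only an opaque token, the real number lives in a separate vault (`IdVault`, a constructed name) that can only be queried by a keyed blind index, and a dump of the customer table yields no licence or passport numbers.

```python
import hmac
import hashlib
import secrets


class IdVault:
    """Separate store for retention-only identifiers (constructed example).

    Holds the real value and an HMAC blind index so the operational
    system can look up or de-duplicate a number without storing it.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # kept with the vault, never with the customer DB
        self._by_token: dict[str, str] = {}
        self._by_index: dict[str, str] = {}

    def blind_index(self, value: str) -> str:
        # Keyed hash: equal values map to equal indexes, but the index alone
        # does not reveal the value to anyone without the key.
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self.blind_index(value)
        if idx in self._by_index:          # same document already stored once
            return self._by_index[idx]
        token = "tok_" + secrets.token_hex(16)   # random, carries no information
        self._by_token[token] = value
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]

    def forget(self, token: str) -> None:
        """Deletion once the legal retention period has elapsed."""
        value = self._by_token.pop(token)
        self._by_index.pop(self.blind_index(value), None)


def register(vault: IdVault, customers: dict, customer_id: str, licence_no: str) -> None:
    """Operational customer table stores only the token, never the number."""
    customers[customer_id] = {"licence_token": vault.tokenize(licence_no)}


def plaintext_ids_in(customers: dict) -> list:
    """What an attacker who dumps the customer table actually gets."""
    return [v for rec in customers.values() for v in rec.values() if not v.startswith("tok_")]
```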

The convoluted and incomplete / difficult to follow explanation that I saw … makes both of these true. Yes, there was human error involved. Yes, it was a sophisticated attack.

As far as I am concerned, any successful attack involves human error - because the humans are still in control and clearly no company intends to be subject to a successful attack.

There was, I believe, human error involved at several different stages in the IT chain e.g. human error in Operations and human error in IT design (and of course there can be human error in IT implementation, although I have not heard that this was a factor in this particular attack).

I got an email this morning to advise that I was affected by the Optus hack. No real surprise, other than that the company took so long to figure out who was affected and notify them.

As for whether the Optus data was stolen by ‘state actors’ or by run-of-the-mill extortionists, we may never know and it may not necessarily make much difference. In the past state hackers have simply been after company secrets, but nowadays countries like North Korea get a lot of their usable currency (mainly USD) through hacking. That means that the fact personal information is being sold online does not mean that the company was hacked by some shadowy criminal group.

1 Like

They would indeed use verification data like photo id documents for day to day operations like SIM swapping and replacements and mobile number porting, and post-paid account setup and changes.
Now that is compromised, those functions will not be available online or via phone.
Visit to an Optus shop required at present.

1 Like

As is their usual habit, the Government is intending to jump in like knee-jerking headless chooks ( mixed metaphor, I know).

1 Like

I guess I didn’t define “day to day”. I would think that most customers would go years without doing most of those things. So inconvenience and maybe a few extra hours delay to both Optus and the customer to carry out one of those things may be more acceptable.

Ah the joy to look forward to when all phones use eSIMs and SIM swapping is a purely cyber operation that can be compromised at the speed of light without your knowledge …

I got an email too. Very unclear from the email whether it is a generic inform to all customers or specifically for customers who have sensitive identifiers that have been compromised.

and the numbers of the ID documents you provided such as drivers licence number or passport number

Like I remember what of those documents I provided X years ago …

1 Like

I’ve just had a long chat with Optus via their messaging app about the data breach. We received that email from Optus saying we had been affected by the data breach. But in the chat the customer service officer told me “I’ve checked your account and at this stage I can’t see that you’ve been affected”. And then confirmed Optus have no drivers licence details or passport details for our account (Internet only, mobile account closed 2 years ago).

No response to my question about why Optus management would send such a worrying email if I hadn’t been affected. I have concluded that they don’t really know who’s been affected and who hasn’t! I am just hopeful I can rely on the information that they don’t have drivers licence or passport details on file, as this would certainly lessen the risk to us of consequences from the data breach.

3 Likes

You might be OK. The s**** f**** government legislation requires telecommunications companies to retain your data for 2 years after the account is closed. So if it’s approximately “2 years ago” but actually under 2 years then you are stuffed. If it’s actually over 2 years then you might get lucky and Optus deleted the information at the earliest possible opportunity, but there isn’t a specific legal obligation on Optus to do that.

So you should probably check the exact dates.

Also bear in mind that data breaches are inevitably disclosed after the date that the data leaked out. So you need a little margin for error e.g. let’s take the date of the breach to be September 1 (which in some cases would be woefully optimistic but let’s go with that).

I’ve now received some additional technical information and I am leaning more towards “human error” and less towards “sophisticated attack” (although it was no doubt a well-organised and well-executed attack).
It is ironic that this problem was created by the government in response to the false emergency of “national security” but has had very little benefit to national security while actually creating a massive security problem.

Of course the government was warned that this would happen - and ignored the warnings.

Both major parties are culpable as they were warned extensively and just put their hands over their eyes and ears - and both voted for it to ensure that there was no meaningful parliamentary debate.

1 Like

My more recent dealings, and not so recent, with Optus always required a Drivers Licence (photo ID) to confirm my ID if in store. Telstra similar, but not so recent. It’s a reasonable assumption that for most customers Optus and Telstra have a copy of that documentation somewhere on their system. If not as a number, then as a digitised copy of the original.

I’m not too confident of any advice being reliable at this point in time. There is at least one family member who has been notified by Optus they are affected. Approx 24 hrs after being notified they received an SMS followed by an email to say their shared data use had reached nn%. Fair enough, except the messages included web links the customer could use to check their usage, inquire further or add extra data. It may be a fair dinkum Optus message. Can we be certain?

For the average older consumer with basic tech awareness, how should they respond? Asking a friend over the phone who might understand the advice, without access to the original message, it was suggested it would be from Optus. I wonder how, sight unseen, anyone can assure a 100% reliable assessment? Further, would Optus actually be sufficiently naïve to be sending out messages with embedded links? Their advice re the data loss was that they would not be. Confusing for sure.

2 Likes

From registration at birth to death certificate our society, governments and enterprises require certainty of identity.

I see a very different discussion in which information and content is required to establish identity.

The core issue is that what ever we agree as a community to use needs to be securely kept and reliable when needed. The personally relatable content held by Optus is held/replicated in many other data sets, managed by other large enterprises.

It may be more useful to save any divergence on the need for certain personal details to be retained for a separate topic.

1 Like

An update on additional services to be provided by Optus for those significantly affected…

2 Likes