Data Breaches 2022 onward (including Optus)

More accurately it is a third party breach affecting Telstra employees and some previous Telstra employees. From the poorly written article:

They said Telstra itself was not hacked, but a third party which was offering a rewards program for staff had the data breach in 2017.

Will there be more? Maybe, but not yet.


Given the penchant for outsourcing among all major companies and given the Terms and Conditions that you sign (giving the company the right to share your information with any and all of their third parties) I wouldn’t really distinguish between a breach that occurs in one of their third parties and a breach that actually occurs at the telco. The end result can be the same.

But yes technically Telstra itself was not breached.

Hackers will find the weakest link and if that happens to be a third party, so be it. Plenty of very fruitful hacks have occurred via a third party. :wink:

Another comment from the article:

we believe it’s been made available now in an attempt to profit from the Optus breach

So the Optus breach is doing the “marketing” for the Telstra breach. :wink:


‘Coming clean’ is becoming an ‘all-in’ with this breach in July just being revealed to those affected.


Sometimes that’s the way it works.

  • There is the date that the breach actually occurs.
  • Then later there is the date that the breach is detected (if indeed it is ever detected pro-actively by the target).
  • Then later still there is the date that the company can know with certainty what data was exfiltrated when it is posted online (sometimes).

If you detect unauthorised access some time after the event, it can sometimes be really hard to know precisely what data was exfiltrated. It is only when it is posted online that you can know with certainty.

Sometimes it is easy e.g. there have been cases when someone has accidentally left a single file that is some kind of massive data archive in a situation where it is accidentally accessible from the internet, and it has been detected that someone on the internet noticed that the file was accessible and downloaded it. Easy peasy. You know exactly what data was exfiltrated.

Sometimes it is hard.

You can’t tell those affected what you don’t know. The article says that the breach was reported in the media in July so it is unlikely that those affected were not informed much earlier that a breach had taken place. The details of the breach were not relayed to staff until after the leaked information was posted on the internet because that is what confirmed with certainty what was leaked.

This breach was particularly intrusive as it included “medical checks” and “health information”.

The fundamental issue for G4S / Port Phillip prison is how unauthorised access was achieved. The data breach is secondary to that. Clearly their network controls were woefully inadequate if an intrusion at Port Phillip prison was then able to spread through G4S’s entire network.

Is any of this good? No!



The latest move in the Optus breach:

Optus given temporary power to share compromised data with banks following hack
Government strengthens powers for telcos to share affected data following Optus hack - ABC News

This is not an unreasonable thing to do but it isn’t really addressing the underlying problems and it could make the problem worse, not better.

It also leaves me personally in an invidious position where the NSW government wouldn’t give me a new NSW driver’s licence number but all banks could reject my use of same for identification purposes - and one thing is very clear: it is all happening behind your back, so you won’t be sure what is going on.

The article says that financial institutions will have to undertake to

destroy the information when it is no longer required

but there is no obvious endpoint here - apart from my eventual demise. :wink:


Information from a Tasmanian Government webinar on how to improve business online security included a comment on the breach at Optus. The information indicates that the Optus breach occurred as a result of a test environment. The test environment had access to all of Optus’s customer information, but the test environment URL was accessible externally to Optus. The URL somehow got into the public domain and anyone with the URL could access the information. The test environment was also not secured with a password, which made data extraction a relatively simple process.


The original acquirer of the data, posting as ‘optusdata’, has explained how the data was freely obtained using an open API, and the URL used, and a totally unrestricted field in the database that was used to enumerate sequentially through all customer records.

I would not be surprised if this database flaw exists in the current production system, but access controls prevent its exploitation.

Massive fail by Optus on so many levels, that they will have to admit at some point, and end the BS about this being a sophisticated hacker attack.


I am thoroughly confused. Was access through an unsecured API or an unsecured database?

Where are you getting this information from?

I received a text message this morning from Optus, providing me with the one time password I needed to access my account. I had not tried to access said (inactive) account, and so called the company. Its support did not give me much confidence.

The main method Optus is using to stop account takeover is to ask for one time passwords even when one rings support. It refuses to delete my account, and had enormous difficulty telling me the last time my account had been accessed (apparently in 2020, but I am not convinced that this answer is entirely correct).

The person I spoke to seemed to have no idea about how phishing might work, or SMS interception, or any of a dozen other ways in which the company might inadvertently provide the wrong person with access to my account.

Accordingly, I have logged into my Optus account (using a one time password that was emailed to me), to see a message that I don’t have any active Optus services (surprise?). I then tried to access my account details, only to be sent back to the home page with the message that I apparently do not have any active Optus services. So I cannot even change my password, let alone delete any payment or other personal information!

Maybe it’s a problem with my browser, which I have set to block all sorts of things. Let’s try another browser. Another one time password, this time text message. Same error that I don’t have an active account with Optus. Seriously, people, am I going to have to spend another phone call trying to change some basic account information?

Not happy Optus!


As an IT person for many years, I follow and check in with various Internet sites that deal with IT issues and news.
Here is one and, whilst it relies very much on the admissions of a now-in-hiding ‘hacker’, it seems totally plausible to me.

From the references to using the field contactid to obtain the data and that it was ‘scraped’ it looks like the API was some middleware that takes contactid as an argument and returns a corresponding block of data from the database. My guess is that it was taking some time and the hacker didn’t get the whole content because the activity alerted Optus as the hacker had to call the API once for each record and Optus shut the gate before they were finished.

According to that article the problem had several components, one was an API that could interrogate the database without authentication the other was exposing this insecure environment to the web, none of it was a database problem per se. Both are human errors, neither required any sophisticated attack to obtain data.

If even half of this is factual the Optus CEO has been badly briefed or is lying.

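The post above describes an API that takes a contactid and returns one customer record, called once per record until Optus “shut the gate”. As an added example (not from the thread or from Optus), here is the kind of check a defender could run over API access logs to surface that pattern early: a single client sweeping consecutive contactid values, with unauthenticated hits counted separately. The log format, field names and thresholds are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log: one client sweeping contactid sequentially without
# auth, one ordinary authenticated client re-fetching its own record.
SAMPLE_LOG = """\
10.0.0.5 - [2022-09-17T10:00:01Z] "GET /api/contact?contactid=1000 HTTP/1.1" 200 auth=none
10.0.0.5 - [2022-09-17T10:00:02Z] "GET /api/contact?contactid=1001 HTTP/1.1" 200 auth=none
10.0.0.5 - [2022-09-17T10:00:02Z] "GET /api/contact?contactid=1002 HTTP/1.1" 200 auth=none
10.0.0.5 - [2022-09-17T10:00:03Z] "GET /api/contact?contactid=1003 HTTP/1.1" 200 auth=none
10.0.0.5 - [2022-09-17T10:00:03Z] "GET /api/contact?contactid=1004 HTTP/1.1" 200 auth=none
10.0.0.5 - [2022-09-17T10:00:04Z] "GET /api/contact?contactid=1005 HTTP/1.1" 200 auth=none
203.0.113.9 - [2022-09-17T10:00:05Z] "GET /api/contact?contactid=4471 HTTP/1.1" 200 auth=bearer
203.0.113.9 - [2022-09-17T10:00:09Z] "GET /api/contact?contactid=4471 HTTP/1.1" 200 auth=bearer
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "GET /api/contact\?contactid=(?P<cid>\d+) [^"]*" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)

def parse_log(text):
    """Yield (ip, contactid, authenticated) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], int(m["cid"]), m["auth"] != "none"

def find_enumerators(text, min_requests=5, min_sequential_ratio=0.8):
    """Return {ip: summary} for clients whose contactid requests look like a sweep.

    Flag a client once it has made at least min_requests requests and the share
    of consecutive requests whose id is exactly +1 from the previous one reaches
    min_sequential_ratio. Unauthenticated hits are counted so the alert shows it.
    """
    per_ip = defaultdict(list)
    for ip, cid, authed in parse_log(text):
        per_ip[ip].append((cid, authed))
    flagged = {}
    for ip, hits in per_ip.items():
        if len(hits) < min_requests:
            continue
        steps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[ip] = {
                "requests": len(hits),
                "sequential_ratio": round(ratio, 2),
                "unauthenticated": sum(1 for _, a in hits if not a),
            }
    return flagged
```

In a real deployment the same logic would run over a sliding time window, and an `auth=none` hit on a record endpoint is itself worth an alert regardless of any sweep.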

It is known that the user of the API got at least 10200 customer records since that was put onto the Internet when Optus didn’t respond to the demand for payment.
Optus knows there are millions of customer records in the database so how much was read before the API was shut down is unknown.

Time will tell. The data is out there.

Meanwhile, Optus has to officially maintain the innocent-party-to-hackers stance, since an admission of being guilty of stupidity will be little defence in the legal cases that will come.


An addition to the list. Costa Group (berries) employee records. Whether it was ‘sophisticated’ as claimed remains to be known. The initial Optus claim about a ‘sophisticated’ attack got shredded fairly quickly. Maybe every attack is ‘sophisticated’ in the minds of executives protecting their companies? Could be this one really was, but early to conclude either way.

Looks like a typical ransomware attack from back on August 21st.
Some affected files recovered and the server restored.

The company is doing the right thing and publicly saying they were hacked.

I suspect many do not.


Some fallout most don’t think about, and there are so many similar lapses regarding new Australians from transnational pensions to tax (equalisation) treaties. An interesting comment from the US is for US passport holders not to worry so long as they have their passports in hand - somewhat different from the local version? Or could it be hubris to cap concern?

That jumped out to me too. What the US spokesperson is saying is not wrong and applies equally to any chip passport, regardless of country, including Australia, but that is limited by the fact that the spokesperson clearly didn’t understand the actual problem.

Remember what passports are actually for? What the US spokesperson said applies to this case. Just because Optus data got breached doesn’t mean that someone can clone your US passport and travel across international borders pretending to be you. As long as you still physically have your US passport, there is no need to report it as lost or stolen and get a replacement passport.

However when passports are abused for identification purposes by a telco (as compelled by Australian law) that’s where the problem is - since the passport and basic personal data that was leaked is sufficient for someone else to pretend to be you when setting up a new customer account with a telco. Perhaps they don’t do this **** in the US and that’s why the US spokesperson genuinely didn’t understand.

Again, the onus is on the Australian government to think about the problems here and consider whether they can improve upon the current regime as far as it relates to new arrivals. Clearly the government is in a much stronger position as it relates to new arrivals since the government can very rigidly determine the conditions, restrictions and procedures for entry. Or maybe they just don’t care. No votes in it for sure.


The strength of a modern passport is when it is used at a border control and with the supporting government database as a reference/ID check.

The weakness when used as an ID check for financial services is the lack of immediate access to the same level of security.

Is the greater risk someone using your passport details to produce a fake passport or simply using your dob etc to facilitate a scam/fraud by other means? I suspect the second to be most likely.

Aside from border security or for a DL a police officer, does anyone ever check the photos on a doc are correct per the originally issued?