Data Breaches 2022 onward (including Optus)

You might be OK. The s**** f**** government legislation requires telecommunications companies to retain your data for 2 years after the account is closed. So if it’s approximately “2 years ago” but actually under 2 years then you are stuffed. If it’s actually over 2 years then you might get lucky and Optus deleted the information at the earliest possible opportunity, but there isn’t a specific legal obligation on Optus to do that.

So you should probably check the exact dates.

Also bear in mind that data breaches are inevitably disclosed after the date that the data leaked out. So you need a little margin for error e.g. let’s take the date of the breach to be September 1 (which in some cases would be woefully optimistic but let’s go with that).

I’ve now received some additional technical information and I am leaning more towards “human error” and less towards “sophisticated attack” (although it was no doubt a well-organised and well-executed attack).


It is ironic that this problem was created by the government in response to the false emergency of “national security” but has had very little benefit to national security while actually creating a massive security problem.

Of course the government was warned that this would happen - and ignored the warnings.

Both major parties are culpable as they were warned extensively and just put their hands over their eyes and ears - and both voted for it to ensure that there was no meaningful parliamentary debate.

1 Like

My more recent dealings, and not so recent, with Optus always required a Driver’s Licence (photo ID) to confirm my ID if in store. Telstra similar, but not so recent. It’s a reasonable assumption that for most customers Optus and Telstra have a copy of that documentation somewhere on their system. If not as a number, then as a digitised copy of the original.

I’m not too confident of any advice being reliable at this point in time. There is at least one family member who has been notified by Optus they are affected. Approx 24 hrs after being notified they received an SMS followed by an email to say their shared data use had reached nn%. Fair enough, except the messages included web links the customer could use to check their usage, inquire further or add extra data. It may be a fair dinkum Optus message. Can we be certain?

For the average older consumer with basic tech awareness, how should they respond? Asking over the phone a friend who might understand the advice without access to the original message it was suggested it would be from Optus. I wonder how sight unseen any can assure a 100% reliable assessment? Further would Optus actually be sufficiently naïve to be sending out messages with embedded links. Their advice re the data loss was they would not be. Confusing for sure. :roll_eyes:

2 Likes

From registration at birth to death certificate our society, governments and enterprises require certainty of identity.

I see a very different discussion in which information and content is required to establish identity.

The core issue is that what ever we agree as a community to use needs to be securely kept and reliable when needed. The personally relatable content held by Optus is held/replicated in many other data sets, managed by other large enterprises.

It may be more useful to save any divergence on the need for certain personal details to be retained for a separate topic.

1 Like

An update on additional services to be provided by Optus for those significantly affected…

2 Likes

Latest I see and hear is that Optus is to offer customers the same thing. Paying for monitoring services to see if personal details have been put onto the Web, and if these details are tried to be used.

I reckon Optus are in a whole world of trouble if technical details I have seen are true.

They put a Webserver API onto the Internet, with a DNS name, that allowed users to not just check their own personal information which is part of their online service, but allowed anyone to scan sequentially through the whole database using linked keys.

If true, this is not a ‘hack’, or sophisticated external attack.

It is a self-inflicted act of stupidity by a company that should know how to do IT.

4 Likes

I can see the point that you are making but really that is a cop out i.e. allowing the government off the hook for discretionary, recent decisions that the government has made.

We most certainly did not agree as a community to those government decisions. Our agreement is not required, as we are a representative democracy, but to the extent that community feedback was sought, the community was 99.99% ignored by the government. The community was wiser than the government.

So when you look at apportioning blame:

  1. The criminals, and
  2. The government, and
  3. Optus

In my opinion, that’s in descending order of responsibility but I understand someone might want to swap 2 and 3.

As you can see from the link in the post two above this one, the government recognises that it is going to get some of the blame and is attempting to proactively avoid blame.

2 Likes

That is along the lines of what I have been reading too.

I am not excusing their self-inflicted problem but would point out that they are not the first company to expose data on the internet like this and they won’t be the last.

1 Like

Can you explain how this works? Keys and relationships within a database are between different tables@@. I don’t see how obtaining access to one record in one table (the details of one customer) leads to having access to millions of other records in the same table of customer information.


@@ Unless there is a parent-child relationship between records within the same table which is rare and would not be so in this case.

1 Like

Sorry for my use of ‘keys’. It does not refer to how relational databases work, but how parameters are passed in functions, and how such parameters may be properly validated, or not.

If the function at the front end was, say, get_user_profile, then a list of data would be returned from the back end database. The input parameters would be subject to access controls.

Seems that in this case one part of that data returned could be, and was used, to access data from the database in an uncontrolled manner.

I know the name of that data field, but I will just call it X.

1 Like

Oh, for the power of modern programming languages!

Surely there was a further step to validate who was making the request and to the relevance of the data record requested? Even for a staff member with a certain level of access or even anon how many requests would be permitted per second, per minute or per hour.

It’s evident Optus have been able to retrospectively identify what was requested and by whom. This suggests they had the ability to identify unusual levels of activity or access from very early. What else was not in place? It seems an exception that a portion of each customer’s data required infrequently for a very specific and restricted purpose was so readily accessible.

2 Likes
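The last few posts describe the same fault from two angles: a front-end function such as get_user_profile that trusts the identifier it is handed, and the absence of any per-caller check on who is asking or how often. The following Python is an added example written for this thread, not Optus’s code or anything derived from it: the vulnerable handler shape beside a hardened one that decides authorisation from the login session rather than the request, applies a per-caller rate limit, and writes an audit log that a simple detection pass can read afterwards. All customer data, the FixedWindowRateLimiter class, and the function names are constructed for the example.

```python
import time
from dataclasses import dataclass

# Constructed sample back-end data: customer_id -> profile. Not real data.
PROFILES = {
    1001: {"name": "Alice Example", "licence": "LIC-0001"},
    1002: {"name": "Bob Example", "licence": "LIC-0002"},
    1003: {"name": "Carol Example", "licence": "LIC-0003"},
}


@dataclass(frozen=True)
class Session:
    """Identity established at login; the only trustworthy source of 'who'."""
    customer_id: int


def get_user_profile_vulnerable(session, requested_id):
    """The shape the thread describes: the handler trusts the identifier the
    caller supplies and never relates it to the session, so any id is served."""
    return PROFILES.get(requested_id)


class FixedWindowRateLimiter:
    """Minimal per-caller limiter (hypothetical): at most `limit` calls per
    `window_seconds`. `clock` is injectable so the behaviour is testable."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._state = {}  # caller -> (window_start, count)

    def allow(self, caller):
        now = self.clock()
        start, count = self._state.get(caller, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # new window
        count += 1
        self._state[caller] = (start, count)
        return count <= self.limit


def get_user_profile_hardened(session, requested_id, limiter, audit):
    """Returns (status, profile). Authorisation is decided from the session,
    not from the request, and every decision is appended to `audit` so that
    unusual access patterns can be found in the log afterwards."""
    caller = session.customer_id
    if not limiter.allow(caller):
        audit.append((caller, requested_id, "rate_limited"))
        return "rate_limited", None
    if requested_id != caller:
        audit.append((caller, requested_id, "forbidden"))
        return "forbidden", None
    audit.append((caller, requested_id, "ok"))
    return "ok", PROFILES[caller]


def flag_enumeration(audit, max_distinct=1):
    """Detection pass over the audit log: callers who asked for more distinct
    record ids than they are entitled to (their own) are returned, sorted."""
    seen = {}
    for caller, requested_id, _status in audit:
        seen.setdefault(caller, set()).add(requested_id)
    return sorted(c for c, ids in seen.items() if len(ids) > max_distinct)
```

The important design point is that `requested_id` never decides anything on its own in the hardened version; the session does. The rate limiter and the audit log are secondary controls, but they are what would have made a sequential walk through the id space both slow and visible, which is the capability the thread notes Optus evidently did have after the fact.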

It’s likely we hold very different views on how government functions. Apologies if seeing circumstances differently appears to be “a cop out”.

Is there common ground?
We’ve experienced personal distress in the past due to a Telco’s failure to reliably check identities. It’s easy for us to say government has not gone far enough. Telcos need to ensure they can reliably identify each service holder for any and every service.

Whether it’s a Telco, the NBN Co, or any of the dozens of banks and financial services providers, their customer identification needs are the same. All have a database of personal identifying details. Even my super provider requires a certified copy of my photo ID these days.

Whatever is needed to be held by any entity to verify one’s identity will always need to be secured. How to do this better is a good question.

1 Like

Access to the Webserver with inadequate controls was somewhat obscure. And has since been shut down.

Suppose api.gregr.com.au, then api[dot]gregr.com.au as a DNS used to access a test system. Except with real production data.

1 Like

Feels more like it’s “whether the company admits to being hacked or not” - are there any left who haven’t been compromised? Many probably don’t even know, especially if they outsource their hosting. I know of a couple of breaches, one very sizeable, that never became public and where the company was never (fully) aware, though in one case I know they had their suspicions. I’d suggest if you know someone who has worked in hosting who says they have never been aware of a compromise or a breach … well, maybe they will run for office one day!

Insider threat is the fear of the moment, surpassing whatever the last popular fear was and until another one takes its place. Externally staged attacks based in insider knowledge, internal attacks with external assistance, there are many permutations. One thing I’d confidently assume from the start is that the truth will be the ultimate casualty in all this.

Am I glad I’m not with Optus? Not really - the nature and extent of data breaches with my current telco will come out sooner or later - it’s ‘a given’ … :rofl:

2 Likes

It is arguable that the telco does not need to store anything at all. They can verify your identity but not store anything. (The problem there is that the government wouldn’t trust that the telco has verified your identity.)

Alternatively, they could pass the information directly to the government for verification and, if the government chooses to, storage - the government would respond with an unforgeable token that the telco would store so that the government cannot repudiate later on that they provided confirmation of the validity of the identification. While that is a highly offensive option from a privacy point of view, given the obscene level of surveillance that already occurs in the telco and finance sectors, it should be an option that is on the table for discussion.

I remain to be convinced that a telco has to know whether you are legally permitted to drive. :wink:

So we should also be looking at better alternatives than the drivers licence as identification. (If a person has neither drivers licence nor passport, what does the telco do? Maybe next time I am becoming a telco customer I will lie and say that I have neither and see what happens.) The point is that a single identifier that is widely abused becomes a greater risk.

Depending on exactly what was the purpose of involving the drivers licence in setting up a telecommunications service, it may be an option to store the drivers licence (salted and) hashed rather than encrypted or in plaintext. (That applies as a possibility whether it is the telco storing it or the Federal government storing it.)

This data leak was foreseeable and was foreseen. The government was told that this would happen. It could easily be that the consequences of this data leak are worse than the problem that the government was attempting to solve.

At the very least the government might relent on the length of the retention period after a customer has ceased to be a customer e.g. 6 months rather than 2 years (and then legislate that the retention period is both a minimum and a maximum). That is just harm minimisation for former customers.

Other countries manage to avoid collecting drivers licence etc. when creating a new telecommunications account.

The bottom line is that a sensible government would be revisiting their own decisions rather than just trying to ensure that the government avoids all blame.

A misunderstanding I think. I didn’t mean a cop out by you. I meant a cop out by the government. This comment was mostly motivated by the link that was in the post two above my previous post where the government is going on the attack (attack is the best form of defence?) because it is obvious that thinking Australians will start to question the government’s own policy decisions and role in this debacle.

1 Like
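The post above suggests storing the drivers licence (salted and) hashed rather than encrypted or in plaintext. The Python below is an added example for this thread, not code from any telco or government system, showing what that looks like as a store-and-match routine. It goes one step beyond the post: because a licence number is a short identifier, a per-record salt on its own does not protect it from being guessed offline, so the digest is a keyed hash (HMAC-SHA256) under a secret key that must live outside the database. The function names, the key, and the sample licence values are all constructed for the example.

```python
import hashlib
import hmac
import os


def normalise_licence(licence):
    """Canonical form so 'ab-12 3456' and 'AB123456' match: uppercase, alphanumerics only."""
    return "".join(ch for ch in licence.upper() if ch.isalnum())


def make_licence_token(licence, server_key, salt=None):
    """Returns (salt, digest) for storage. The digest is HMAC-SHA256 over
    salt || normalised licence under `server_key`, a secret held outside the
    database (constructed assumption: a key-management service or HSM).
    The per-record salt makes equal inputs produce unrelated stored values;
    the secret key is what protects the small space of possible numbers."""
    if salt is None:
        salt = os.urandom(16)
    message = salt + normalise_licence(licence).encode("ascii")
    digest = hmac.new(server_key, message, hashlib.sha256).digest()
    return salt, digest


def licence_matches(licence, server_key, salt, digest):
    """Verification: recompute under the stored salt and compare in constant time.
    The plaintext licence is only ever present transiently, during this call."""
    _, candidate = make_licence_token(licence, server_key, salt)
    return hmac.compare_digest(candidate, digest)


def customer_record(customer_id, licence, server_key):
    """What the database row would hold: no plaintext licence, only salt + digest."""
    salt, digest = make_licence_token(licence, server_key)
    return {"customer_id": customer_id, "licence_salt": salt, "licence_mac": digest}
```

This only works where the purpose of holding the licence is to check later that a presented licence is the same one, as the post notes; if the business actually needs to read the number back (for example to hand it to a verifier), a hash of any kind cannot serve, and the storage question becomes one of encryption and key custody instead.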

This assumes that a government entity is better able to manage/control data than a private sector company. The assumption may be correct, but if it is wrong then a government entity has all of the records - not just for Optus but for all telecoms companies.

But terrorists - and we must protect the kiddies.

4 Likes

This is already possible and becoming more common. We have had experiences with it twice in the past few years.

And available to businesses. Why Optus being a large organisation not using this service needs to be answered (by Optus). If it was used, the released private data would have been limited and less value to criminal minds.

2 Likes

Not entirely. I am suggesting that the telco has met its obligations by passing the id to the government, which the government can verify, and respond with a token that the telco can store - but no one stores the actual id (except the state government department that actually issues the abused drivers licence).

In NSW that’s the RMS. There’s no way round that. The RMS stores everyone’s drivers licence number and all the associated information - and if they get hacked then that state is fully compromised (well everyone who drives anyway).

I actually don’t know how the interface between the Feds and the RMS works. Do the Feds get a regular feed and so have their own copy of the data (to get hacked)? Or do the Feds have an online interface to the RMS?

1 Like

FWIW the partner had an Optus data SIM about 6 years ago and received an email about her details included in the breach. Timeouts - only in theory?

1 Like

I was in Optus today and they DO use ID Match. However, in the event it fails to work (which it did), they ask for manual 100 point ID including licence and Medicare numbers, which are then recorded in their system. I am unsure when they started to use ID Match, so it’s possible some data was stored in their system prior to its use.

1 Like