Australia’s Minister for Cyber Security has blasted claims by telecommunications company Optus that it fell victim to a “sophisticated” hack – the company appears, in fact, to have left an unsecured API open to all.
Optus, Australia's second-largest mobile carrier, disclosed a major data breach on September 22, 2022. “Basic” personal data of 9.8 million Australians has been stolen. “Extensive” personal data of 2.8 million subscribers has also been stolen, including passport numbers and driving licence numbers; a trove for identity theft.
The unknown attacker appears to have gained access to the database through an unauthenticated API endpoint "api.www.optus.com[.]au," which looks to have been publicly accessible as early as January 2019.
“We should not have a telecommunications provider in this country that has effectively left the window open for data of this nature to be stolen,” said Aussie Cyber Minister MP Clare O’Neil on Monday.
When told “you certainly don’t seem to be buying the line from Optus that this was a ‘sophisticated attack’”, she responded bluntly to a local broadcast interviewer: “well it wasn’t, so, no”.
“The scope for identity theft and fraud is quite significant for those 2.8 million Australians,” the former McKinsey consultant and Harvard University Fulbright Scholar added in the broadcast interview.
Australian broadcaster ABC cited a "senior figure" inside Optus on Friday who said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
Optus declined to comment on the explanation and disputed that "human error" may have played a role.
Former UK NCSC director Ciaran Martin noted on Twitter: “Good on the Government of Australia and Minister O’Neil for stamping on the usual narrative that ‘this was a highly sophisticated attack blah blah’. Properly understanding the way data breaches work is key to mitigating them in the future,” he emphasised.
Optus meanwhile says it won an exemption that let it keep its legacy systems free from encryption when complying with Australia's data retention scheme, as reported by ZDNet back in 2019.
“Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemption from the encryption obligation,” Optus said in a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the data retention scheme.
"The legislative provisions which allow for certain exemptions to be granted were an important factor in Optus achieving compliance in an efficient and timely manner," it added in that submission.
In its most recent update of September 26, Optus said: “Optus is offering the most affected current and former customers whose information was compromised because of a cyberattack, the option to take up a 12-month subscription to [credit monitoring service] Equifax Protect at no cost” – an offering critics say is deeply inadequate, with identity theft highly likely to be attempted after that 12 months is up.
“No passwords or financial details have been compromised. The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost. Please note that no communications from Optus relating to this incident will include any links as we recognise there are criminals who will be using this incident to conduct phishing scams,” the telco added this week.