Optus data breach: cybersecurity reforms expected to enable companies to rapidly inform financial institutions

Cybersecurity minister Clare O’Neil set to announce reforms in coming week after millions of telco customers’ data stolen

The minister for home affairs and cybersecurity, Clare O’Neil, is expected to announce reforms that would enable Optus to inform financial institutions about the data compromised in its recent cyber-attack.

O’Neil is expected to announce reforms in the coming week that would enable companies such as Optus to more rapidly provide data to banks following security breaches.

Australian companies must do all they can to protect their customers’ data. I will have much more to say in coming days about the Optus cyber attack and what steps need to be taken in the future.

— Clare O'Neil MP (@ClareONeilMP) September 24, 2022

It comes amid a suggestion that the compromised Optus data may have been accessed via an avenue involving no password or security restrictions.

Optus revealed the massive data breach on Thursday. Details including names, dates of birth, phone numbers, email addresses, home addresses, and passport and driving licence numbers have been stolen.

On Saturday a post appeared on a data market by a user claiming to possess information obtained from the breach, including the details of 11.2 million Optus customers and more than 3.6m driving licence numbers. Two samples each of 100 user records were also posted, as well as a demand for $1m in cryptocurrency.

Jeremy Kirk, the executive editor of the Information Security Media Group (ISMG), who has been in contact with the user, was able to verify some of the information in the sample data and said it appeared to genuinely originate from Optus.

The user claimed to have extracted the data from an unauthenticated application programming interface (API) – software that allows two different systems to talk to each other – meaning that login details were not required to access it.

“If you were an Optus subscriber, and you logged in and you said, ‘Show me my account info’, that’s an API grabbing your account information and bringing it back to you,” Kirk said. “You’re authenticated because you’ve logged in … you don’t have any broader access to anything else.”

Kirk said that the data breach appeared to have occurred because “Optus exposed this quite powerful API that was connected to their entire customer database, apparently. And it was just on the internet.”

The user told Kirk in a message: “No authenticate needed. That is bad access control. All open to internet for any one to use.”

The user’s claims were independently corroborated by a second source, Kirk said.
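The failure described above is broken access control: an API that returns customer records without checking who is asking. The following Python is an added illustration, not Optus's code and not based on any knowledge of its systems; the customer table, identifiers and function names are constructed for the example. It places a handler with no authentication beside a hardened one that requires a session and only returns the caller's own record, the "you don't have any broader access to anything else" property Kirk describes, and shows why the unauthenticated version exposes the whole table rather than one account.

```python
"""Constructed example of an unauthenticated record-lookup API (the flaw
described in the article) beside a hardened version. Nothing here is
Optus's code; the data and identifiers are made up."""
import secrets
from typing import Optional, Tuple

# Constructed sample "customer database" (not real people or documents).
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1990-01-01", "licence": "L000001"},
    1002: {"name": "B. Example", "dob": "1985-05-05", "licence": "L000002"},
    1003: {"name": "C. Example", "dob": "1977-07-07", "licence": "L000003"},
}


# --- Vulnerable: "No authenticate needed" -------------------------------
def vulnerable_lookup(customer_id: int) -> Optional[dict]:
    """Returns any customer's record to anyone who knows or guesses the id.
    No session, no ownership check: this is the access-control failure."""
    return CUSTOMERS.get(customer_id)


def dump_all_via_vulnerable(start: int, stop: int) -> list:
    """What an attacker can do with such an endpoint: walk the id space and
    collect every record that exists. Sequential ids make this trivial."""
    return [rec for cid in range(start, stop) if (rec := vulnerable_lookup(cid))]


# --- Hardened: authentication plus object-level authorisation -----------
SESSIONS = {}  # session token -> customer_id of the logged-in user


def login(customer_id: int) -> str:
    """Stand-in for a real login flow (password/MFA omitted); issues an
    unguessable session token bound to one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def hardened_lookup(token: Optional[str], customer_id: int) -> Tuple[int, Optional[dict]]:
    """Mimics an HTTP handler and returns (status_code, body).

    Two separate checks: is the caller authenticated at all (401 if not),
    and does the requested record belong to the caller (403 if not).
    The second check is what stops a logged-in user enumerating others."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    if caller != customer_id:
        return 403, None
    return 200, CUSTOMERS[customer_id]


if __name__ == "__main__":
    print("unauthenticated dump:", dump_all_via_vulnerable(1000, 1010))
    tok = login(1001)
    print("own record:", hardened_lookup(tok, 1001))
    print("someone else's record:", hardened_lookup(tok, 1002))
    print("no session:", hardened_lookup(None, 1001))
```

In practice the hardened endpoint would not take a customer id from the client at all; it would derive the record from the session (a "/me" style route), so there is no parameter to tamper with. The explicit ownership check is shown here because it is the step that is missing in the failure the article describes.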

A spokesperson for the Australian federal police said yesterday that the agency was aware of claims the data had been put up for sale.

Optus’s chief executive, Kelly Bayer Rosmarin, said on Friday that the company was not sure exactly how many customers had their details compromised, but said 9.8 million was the “worst case scenario”.

The cyber-attack has potentially affected customers dating back to 2017, as Optus is required to keep identity verification records for six years. In the past, the telco has opposed changes to privacy laws that would enable customers to request their data be destroyed.

Optus call centre staff have told Guardian Australia that the telco has been swamped with complaints through its online complaints form. Staff say they have not been informed when or if a dedicated hotline will be set up, but have been directed to call each complainant to “resolve the issue”, explaining to customers what people can do to manage their risk individually.

New twist in the #optus hack: heard from frontline call centre staff - who have also had their data stolen - that the telecom has been swamped with complaints through its online form and are being made to call each complainant to "resolve the issue". 1/

— Royce Kurmelovs (@RoyceRk2) September 25, 2022

Optus was contacted for comment.


Donna Lu and Royce Kurmelovs

The Guardian
