Optus data breach: everything we know so far about what happened

Who is the attacker? How was the data accessed? What was taken? Digital security experts explain

In the week since Optus announced it had been the subject of a massive data breach with as many as 10 million customer accounts exposed, solid information about what actually happened has been scarce.

Here’s what we know so far.

Who is the attacker?

Optus has said it was the target of a “sophisticated attack”.

The only person to come forward since then claiming to have the data is a user called “Optusdata” on a data breach forum. The alleged attacker threatened to sell the data unless Optus paid US$1m in cryptocurrency.

The user later posted what they alleged was 10,000 customer records, before deleting the posts and apologising.

Nothing is known about this person beyond what was on the forum.

Who has the data?

It is not clear whether “Optusdata” is the person responsible for the attack, or whether they are the only person who has access to the data.

In their apology, “Optusdata” claimed they had deleted the only copy they had of the data.

There is no way to verify this. Other attackers could have accessed the data via the same vulnerability, and the data may not have actually been deleted.

“That’s a valid concern as all we have to go on at present is the word of a criminal who had no hesitation to dump more than 10,000 records publicly,” cyber security expert and founder of the website HaveIBeenPwned, Troy Hunt, said.

“Plus, the vulnerability as it’s been described is so trivial it’s entirely possible it was exploited by other parties as well.”

Why did the attacker back down?

That also remains unclear. Optus has said it did not pay the ransom.

Hunt lists data breaches on his website to allow people to check whether their personal information has been compromised. He said ransom demands were not unusual for large data breaches such as that suffered by Optus, but the alleged attacker’s change of heart was unexpected.

“Seeing the hacker back down, apologise and promise to delete the data is very rare. I suspect the amount of exposure the incident received plus the AFP involvement and commentary from high-level politicians spooked them,” he said.

How was the data accessed?

Reports suggest Optus had an application programming interface (API) available online that did not require authorisation or authentication to access customer data.

“In the instance where a public API endpoint did not require authentication, anyone on the internet with knowledge of that endpoint [URL] could use it,” said senior manager of cyber security consulting for Moss Adams, Corey J Ball.

“If that endpoint was used to access customer data, then anyone on the internet could have used that endpoint to gather customer data.

“Without technical controls for authentication and authorisation in place, any user could have requested any other user’s information. The attacker likely scripted the process to repeat requests from the endpoint until they had collected millions of instances of personally identifiable information.”

Optus still hasn’t confirmed how the data was accessed. It maintains the attack was sophisticated, but the home affairs minister, Clare O’Neil, has said the vulnerability was akin to Optus leaving a window open.
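The failure mode Ball describes has two parts: no authentication (anyone can call the endpoint) and no authorisation (a caller can ask for any customer’s record, not just their own), which makes the harvest a loop over identifiers. The following is an added example written for this page, not Optus code and not based on any knowledge of the actual endpoint. It shows a lookup handler with both controls missing, a hardened version that requires a bearer token and only returns the caller’s own record, and the kind of enumeration script an attacker would run against each. The customer records, token store and identifiers are all constructed for the example.

```python
"""Added example (not Optus code): an unauthenticated customer-lookup endpoint,
a hardened version of it, and the enumeration loop an attacker would script.
All records, tokens and identifiers below are constructed for illustration."""
import hmac
from typing import Dict, Optional, Tuple

Record = Dict[str, str]
Response = Tuple[int, Optional[Record]]

# Constructed customer table keyed by a sequential numeric id. Sequential ids
# are what make a scripted harvest so cheap: the attacker just counts.
CUSTOMERS: Dict[int, Record] = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "dob": "1980-01-01"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "dob": "1991-06-15"},
    1003: {"name": "C. Example", "email": "c@example.invalid", "dob": "1975-11-30"},
}

# Constructed session store: bearer token -> the customer id it was issued to.
# In a real system this would be populated by the login flow.
SESSIONS: Dict[str, int] = {"tok-1001": 1001, "tok-1002": 1002}


def vulnerable_lookup(customer_id: int, headers: Dict[str, str]) -> Response:
    """The broken endpoint: headers are ignored, so anyone can fetch any record.
    This is the 'any user could have requested any other user's information'
    case from the article, written as a single function."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def hardened_lookup(customer_id: int, headers: Dict[str, str]) -> Response:
    """Same endpoint with both missing controls added.

    Authentication: a valid bearer token must be presented.
    Authorisation:  the token's owner must be the customer being requested
                    (an object-level check, not just 'is logged in').
    A mismatch returns 404 rather than 403 so the response does not confirm
    that the requested id exists."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    presented = auth[len("Bearer "):]

    # Compare against every stored token in constant time so a wrong token
    # does not leak how many leading characters matched.
    caller: Optional[int] = None
    for token, owner in SESSIONS.items():
        if hmac.compare_digest(token, presented):
            caller = owner
    if caller is None:
        return 401, None

    if caller != customer_id:
        return 404, None  # authorisation failure, deliberately indistinguishable

    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def enumerate_ids(lookup, id_range, headers: Optional[Dict[str, str]] = None) -> Dict[int, Record]:
    """The scripted harvest: walk an id range and keep every record returned.
    Against the vulnerable endpoint this collects the whole table; against the
    hardened one it collects at most the caller's own record."""
    harvested: Dict[int, Record] = {}
    for cid in id_range:
        status, record = lookup(cid, headers or {})
        if status == 200 and record is not None:
            harvested[cid] = record
    return harvested


if __name__ == "__main__":
    print("vulnerable:", sorted(enumerate_ids(vulnerable_lookup, range(1000, 1010))))
    own_token = {"Authorization": "Bearer tok-1001"}
    print("hardened:  ", sorted(enumerate_ids(hardened_lookup, range(1000, 1010), own_token)))
```

Note that the authorisation check is the part that actually stops the harvest: requiring a login on its own would still let any customer with an account enumerate every other customer, and switching to random identifiers without the check only slows the loop down.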

What data was taken?

Optus says the stolen data includes names, email addresses, postal addresses, phone numbers, dates of birth, and for a portion of the affected customers, identification numbers including passport numbers, driver’s licence numbers and Medicare numbers.

The dump of records released by the forum user contained all this information.

How common is this method of attack?

“Unfortunately, it can be pretty common,” Josh Lemon, a digital forensics and cyber incident expert at SANS Institute, said.

But he said attackers tended not to target a single organisation. They usually scan across the internet for known vulnerabilities and exploit them wherever they are found, all at once, he said.

“So for a threat actor to specifically just go after [one company] is a little bit unique in that sense.”

What happens next?

Optus customers have been urged to stay vigilant for signs their data has been compromised. State and federal governments are making it easier for those affected to replace identity documents that may have been accessed.

While the alleged attacker has dropped the ransom threat, the criminal investigation is ongoing. The Australian federal police are working with law enforcement authorities overseas, including the Federal Bureau of Investigation in the US, to locate whoever obtained the data, and who tried to sell it.

The federal government is looking at urgent reform in this area, including making it easier to alert banks to which of their customers may have been compromised. It is also considering large fines for companies that allow such a breach to occur.

Contributor

Josh Taylor

The Guardian
