2022 Optus data breach

From HandWiki
Revision as of 18:12, 6 February 2024 by WikiEditor (talk | contribs) (add)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Short description: Australian telecommunications data breach

In September 2022, Optus, Australia 's third-largest telecommunications company, suffered a data breach, affecting up to 10 million current and former customers, over a third of Australia's population. Information illegally obtained included names, birthdates, home addresses, phone numbers, email contacts, and passport and driving licence numbers. Conflicting claims have been made about how the breach happened; Optus presented it as a complicated attack on their systems, while an Optus insider and the Australian government have claimed that a human error causing a vulnerability in the company's API occurred. A ransom notice was made, asking for A$1,500,000 to stop the data being sold online. After a few hours, they deleted the ransom notice and apologised for their actions.

Optus has received criticism from government figures, including Home Affairs and Cyber Security Minister Clare O'Neil and Minister for Government Services Bill Shorten, for their role in the attack and for being uncooperative with government agencies and the general public. The government has announced legislation, including allowing information to be shared with financial services and Government agencies, and reforms to Australia's security of critical infrastructure laws, to help the government act for future breaches.[1]

In response to the breach, Optus has agreed to pay for the replacements of passports that have been compromised, commissioned an external review, and given highly affected customers a subscription to a credit monitoring service. Optus has also apologised for the breach. Optus has faced criticism from customers for not being responsive and providing inadequate responses to customers affected. Multiple investigations into the breach and a class-action lawsuit from affected customers are ongoing as of June 2023.

Background

Optus is an Australian telecommunications company, founded in 1981 with the formation of the government-owned AUSSAT, specialising in satellites.[2] AUSSAT was then privatised in 1991 to a consortium of businesses including Mayne Nickless and AMP Limited.[3] Optus is Australia's third-largest telecommunications company, holding a 13.1% market share.[4] At the time of the breach, Optus had around 10 million customers, well over a third of Australia's population of around 26.64 million.[5][6]

Breach

On 20 September, Optus's technical team noticed and investigated suspicious activity on its network. The next day, it was identified that Optus's systems had sustained a data breach, and regulators were informed. On 22 September, the company went public with the data breach, informing news agencies.[5][7] Optus recommended that people increase attention to potential fraudulent activity, but stated that they did not know if the breach had caused any harm to customers. At this point, Optus did not state how many customers were affected, nor if the data taken had caused harm.[8] Information illegally obtained included names, birthdates, home addresses, phone numbers, email contacts, and passport and driving licence numbers.[5]

Screenshot of the ransom note.
Ransom note left by the person believed to be behind the breach

On 23 September, Optus denied claims made by an insider that a mistake had occurred where Optus's API had accidentally been left exposed to a test network that had internet access. They instead claimed a complicated breach had occurred, and that the company had a strong cybersecurity system.[9] The Australian Broadcasting Corporation was told that Optus believed the hacker had scraped the company's consumer database, with only a third of the total data in the database copied and extracted.[9]

On 24 September, Optus and the Australian Federal Police (AFP), now having opened a criminal investigation, received reports that data from the leak was being sold online, and were monitoring the dark web for any attempt of selling data online.[10] The same day, a user on BreachForums posted a ransom note believed to be legitimate by some cybersecurity experts but unconfirmed by Optus and the AFP, demanding that Optus pay $1,500,000 in privacy-focused cryptocurrency Monero. They said that they would release the personal information of 10,000 customers every day that Optus did not pay the ransom until a week elapsed, with a sample of the information of 200 customers. After the week elapsed, they were to sell the data for A$400,000 to anyone who wants it.[11] After a few hours, the user deleted their original post and appeared to apologise for their actions despite no ransom being paid, stating that it was a "mistake to scrape publish [sic] data in first place"[11] and that there were too many people paying attention to the breach. The user noted that they would have reported the exploit that they used if they had the ability to contact Optus, noting the lack of a secure mail/messaging contact or bug bounties.[11]

Government response

Home Affairs and Cyber Security Minister Clare O'Neil alleged that Optus was at fault for the attack, refuting Optus's argument that the attack was complicated. O'Neil also stated that the attack should not have happened, stating: "Responsibility for the security breach rests with Optus[,] and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country".[12]

The federal government announced emergency regulation on 6 October so that drivers licences, Medicare information and passport numbers can be temporarily shared with financial services, the Commonwealth, and state or territory agencies to assist with monitoring the accounts of customers affected by the breach for potential scams or fraud. Financial institutions will have to commit to several actions to receive the data, including honouring privacy obligations and deleting data once it has been used. The Council of Financial Regulators have also been asked to identify and report on changes for financial instructions to identify customers who are at risk of scams and fraud. The changes will be in place for 12 months. Treasurer Jim Chalmers stated that the measures will help protect customers from scams, and to detect fraud.[13]

O'Neil expressed frustration at the lack of ability for the government to intervene in the data breach, with the government being unable to assist with the clean-up following the breach, or compel Optus to give government services information. She stated that Australian law had no use for the government when needed, as Australia's security of critical infrastructure laws only allowed the government to legally intervene while a data breach was occurring.[14]

Several new security measures have been announced following the breach to protect victims from fraud, including banks being informed of data breaches faster to prevent the use of data to fraudulently access bank accounts.[15] The federal government has also flagged an overhaul of the $1.7 billion cybersecurity plan introduced by the previous government, including additional powers for the government to intervene regarding cybersecurity. The government is also considering a Cyber Security Act to create standards and obligations for industry and government, and a reform to the Security of Critical Infrastructure Act to bring customer data and systems under the definition of "critical infrastructure" allowing the government to intervene in major data breaches.[16]

In April 2023, the National Office of Cyber Security was founded, albeit with 5 full-time staff members and no additional funding than what was already given to the Department of Home Affairs.[17] In June 2023, Air Marshal Darren Goldie was appointed as Australia's inaugural Cyber Security Coordinator.[18] In November 2023, Goldie was recalled to the Department of Defence regarding a workplace matter, with cyber and infrastructure security head Hamish Hansford to take on the position in the interim.[19]

On 27 February 2023, Prime Minister Anthony Albanese and O'Neil hosted a roundtable with industry and civil society groups on cybersecurity following the data breach. A discussion paper was released regarding the role of the federal government in increasing Australia's cybersecurity capability.[16][20]

The state governments of Queensland, Victoria, South Australia and Western Australia have agreed to pay for the replacement of driver's licenses for people that had their driver's license number compromised by the breach.[21][22] In Victoria, plans to add a second number to driver's licenses was fast-tracked, with all victims of the breach receiving the second number as part of their replacements, with the intention of protecting Victorians from identity theft.[23]

Optus response

Group of buildings photographed from a large courtyard.
Optus's headquarters at Macquarie Park, where the "war room" was located

On the day that the breach was announced, Optus set up a "war room" to deal with the breach at its headquarters in Macquarie Park. This involved around 150 employees and was headed by former Premier of New South Wales Gladys Berejiklian and regulatory and public affairs head Andrew Sheridan.[24]

Optus commissioned Deloitte to do an "independent external review" regarding the breach.[25] Optus also signed up its "most affected" customers to get a 12-month subscription to credit monitoring service Equifax Protect after O'Neil requested the company buy credit monitoring for its customers in Question Time.[26] Optus CEO Kelly Bayer Rosmarin deeply apologised for the attack on behalf of the company.[27] Optus has put aside $140 million for costs relating to the breach, including to replace hacked identification documents, the Equifax Protect subscriptions and the Deloitte review.[27] Optus has promised to pay for the replacement of Australian and foreign passports that have been compromised in the breach.[28]

Optus reported that 2.1 million of its customers had had identity documents stolen as part of the hack. Of these, 1.2 million customers, according to Optus, had at least one current, valid number from a form of personal identification stolen. The remaining 900,000 customers had expired identity numbers stolen.[29]

Allegations of a lack of communication from Optus have been made by Services Australia. On 27 September, Services Australia wrote to Optus “asking for the full details of all affected customers with Services Australia credentials exposed, such as Medicare cards and/or Centrelink concession cards”.[14] Minister for Government Services Bill Shorten stated that, a week later, Services Australia had not received any data from Optus. Optus claimed that they were "in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take".[14] There was also confusion regarding the number of Medicare ID numbers stolen, with Shorten telling a press conference that around 36,900 ID numbers had been stolen, and Optus identifying that 14,900 ID numbers had been stolen.[14]

Customers have also reported issues regarding communicating with the company. Customers stated that Optus could not confirm if their personal information was part of the data breach after contacting them several times, the company's chatbot failing to understand questions from customers about the breach, poor responses from sales representatives, not receiving a response from Optus at all, and delays in warning customers regarding compromises of personal information. A customer stated that, "Ultimately, we are sitting ducks for identity theft, and given that we can’t change our dates of birth, address or names, there isn’t much we can do about it, which is incredibly frustrating".[26]

On 8 March 2023, Bayer Rosmarin restated Optus's claim that the attack was sophisticated, stating at a business summit that “The skilled criminal had knowledge of Optus’ systems and cycled through many tens of thousands of internet protocol addresses in an attempt to evade our automated cyber monitoring”.[30] She also stated that Optus never paid a ransom to the hacker, and that the primary reason for the breach was for other scam purposes.[30]

In November 2023, Bayer Rosmarin resigned as CEO of Optus after the 2023 Optus outage following mounting pressure to resign due to the outage and the date breach.[31]

Legal action

On 6 October, a 19-year-old Sydney man, Dennis Su, was arrested by the AFP in his home at Rockdale for blackmailing 93 Optus customers affected by the breach. He claimed that he would commit financial crimes using their personal data unless they paid A$2000 to him, which none did. He was charged with a count of using a telecommunication network with intent to commit a serious offence and a count of dealing with identification information with intent to commit an offence. AFP Assistant Commissioner Justine Gough stated that he was not suspected of being responsible for the breach, and warned people to not click on links claiming to be from Optus.[32] Su pleaded guilty in November 2022. He did not go to jail due to a guilty pleading, his age and showing remorse for his actions, instead receiving an 18-month community corrections order.[33]

The Office of the Australian Information Commissioner (OAIC) has launched an investigation into the breach, concerning Optus's handling of the personal data of customers, focusing on whether Optus took reasonable steps to protect consumers affected by the breach from fraud, misuse, or loss, and whether the information collected was necessary for Optus to keep. Australian Communications and Media Authority is also investigating the breach, focusing on whether Optus breached its obligations regarding the protection and disposal of personal data.[34] OAIC was given $5.5 million to investigate the breach over two years by the federal government in its October 2022 budget.[25]

A class action has been launched by law firm Slater & Gordon, alleging Optus "breached laws and its own policies by failing to adequately protect customer data and destroy or de-identify former customer data". The ongoing class action has been joined by 100,000 current and former customers, wanting compensation for losses, including the time to replace identification documents, and the stress caused. Optus has stated it will defend its actions.[35][36] In court, Slater & Gordon lawyers requested that the Deloitte report be released to the public, arguing that it could reveal the possible causes for the data breach. Optus declined to do so, despite Bayer Rosmarin stating in March 2023 that Optus would release "share key recommendations and learnings"[37] from the report.[37][38]

See also

  • 2023 Optus outage
  • Telecommunications in Australia

References

  1. Crozier, Ry (2022-10-01). "Australian police, banks join forces to monitor leaked Optus dataset" (in en-AU). itnews. https://www.itnews.com.au/news/australian-police-banks-join-forces-to-monitor-leaked-optus-dataset-585938. 
  2. "LOWDOWN - Australia's History in Satellite Technology". 2007-06-08. https://web.archive.org/web/20070608034807/http://www.lowdown.com.au/sat_assat.html. 
  3. "OPTUS CHOSEN TO TAKE ON TELECOM" (in en). 1991-11-20. https://www.afr.com/politics/optus-chosen-to-take-on-telecom-19911120-k4nsp. 
  4. Bradstock, Emma (2022-08-18). "Largest Internet Providers In Australia | Plans & Prices" (in en-US). https://www.canstarblue.com.au/internet/largest-internet-providers-australia/. 
  5. 5.0 5.1 5.2 Turnbull, Tiffanie (2022-09-29). "Optus: How a massive data breach has exposed Australia" (in en-GB). BBC News. https://www.bbc.com/news/world-australia-63056838. 
  6. "National, state and territory population, June 2023 | Australian Bureau of Statistics" (in en). 2023-12-14. https://www.abs.gov.au/statistics/people/population/national-state-and-territory-population/latest-release. 
  7. Smith, Paul (2022-12-21). "Inside the Optus hack that woke up Australia" (in en). https://www.afr.com/technology/inside-the-optus-hack-that-woke-up-australia-20221123-p5c0lm. 
  8. McElroy, Nicholas (2022-09-22). "Optus says customer information compromised in cyber attack" (in en-AU). ABC News. https://www.abc.net.au/news/2022-09-22/optus-hit-with-cyber-attack-impacting-customers-/101466036. 
  9. 9.0 9.1 "Optus rejects insider claims of 'human error' as possible factor in hack affecting millions of Australians" (in en-AU). ABC News. 2022-09-23. https://www.abc.net.au/news/2022-09-23/optus-rejects-claim-hack-likely-result-of-human-error/101468846. 
  10. Belot, Henry (2022-09-24). "AFP monitoring dark web amid allegations stolen Optus data may be sold online" (in en-AU). ABC News. https://www.abc.net.au/news/2022-09-24/afp-monitoring-dark-web-for-stolen-optus-data-sold-online/101471256. 
  11. 11.0 11.1 11.2 "An alleged hacker has offered their 'deepest apologies' to Optus. Here's the latest on the data breach" (in en-AU). ABC News. 2022-09-27. https://www.abc.net.au/news/2022-09-27/optus-data-breach-cyber-attack-hacker-ransom-sorry/101476316. 
  12. Evans, Jake (2022-09-26). "Home affairs minister says Optus 'left window open' for cyber criminals" (in en-AU). ABC News. https://www.abc.net.au/news/2022-09-26/home-affairs-minister-blames-optus-for-cyber-attack-hack/101474636. 
  13. Evans, Jake (2022-10-06). "Optus given temporary power to share compromised data with banks following hack" (in en-AU). ABC News. https://www.abc.net.au/news/2022-10-06/optus-given-power-to-share-data-with-banks-following-breach/101507396. 
  14. 14.0 14.1 14.2 14.3 Crozier, Ry. "Services Australia struggles to gauge exposure to Optus data breach". https://www.itnews.com.au/news/services-australia-struggles-to-gauge-exposure-to-optus-data-breach-585944. 
  15. Speers, David; Greene, Andrew (2022-09-28). "Federal government to unveil new security measures following massive Optus data breach". ABC News. https://www.abc.net.au/news/2022-09-25/new-security-measures-to-be-unveiled-following-optus-data-breach/101472364. 
  16. 16.0 16.1 Evans, Jake (2023-02-26). "Federal government to rewrite cyber laws after Optus, Medibank hacks" (in en-AU). ABC News. https://www.abc.net.au/news/2023-02-27/national-cyber-office-to-be-established-in-wake-of-optus-hack/102026156. 
  17. "Govt fires up National Cyber Security Office". https://ia.acs.org.au/article/2023/govt-fires-up-national-cyber-security-office.html. 
  18. ACSM Admin (2023-06-23). "Australia’s New National Cyber Security Coordinator - Australian Cyber Security Magazine" (in en-US). https://australiancybersecuritymagazine.com.au/australias-new-national-cyber-security-coordinator/. 
  19. Bajkowski, Julian (2023-11-15). "O’Neil’s National Cybersecurity Coordinator sent back to Defence" (in en-US). https://www.themandarin.com.au/234849-oneils-national-cybersecurity-coordinator-sent-back-to-defence/. 
  20. Foster, Jeffrey (2023-02-28). "Australia has a new cybersecurity agenda. Two key questions lie at its heart" (in en). http://theconversation.com/australia-has-a-new-cybersecurity-agenda-two-key-questions-lie-at-its-heart-200714. 
  21. "Optus data breach: What to do about replacing your driver's licence and passport" (in en). https://www.sbs.com.au/news/article/optus-data-breach-what-to-do-about-replacing-your-drivers-licence-and-passport/1ifnlrd2p. 
  22. Cowie, Tom (2022-10-29). "VicRoads to issue almost 1 million free driver's licences after Optus hack" (in en). https://www.theage.com.au/national/victoria/vicroads-to-issue-almost-1-million-free-driver-licences-after-optus-hack-20221029-p5bu08.html. 
  23. Cowie, Tom (2022-10-29). "VicRoads to issue almost 1 million free driver's licences after Optus hack" (in en). https://www.theage.com.au/national/victoria/vicroads-to-issue-almost-1-million-free-driver-licences-after-optus-hack-20221029-p5bu08.html. 
  24. Smith, Paul (2022-12-21). "Inside the Optus hack that woke up Australia" (in en). https://www.afr.com/technology/inside-the-optus-hack-that-woke-up-australia-20221123-p5c0lm. 
  25. 25.0 25.1 Branco, Jorge (2022-10-26). "Privacy watchdog given $5.5 million to investigate Optus cyber breach". https://www.9news.com.au/national/federal-budget-2022-optus-hack--oaic-given-55-million-to-investigate-telco-cyber-breach/d0f7fee4-e59f-4f2e-906c-ddb31ba78429. 
  26. 26.0 26.1 Taylor, Josh (2022-09-26). "Optus customers exasperated by chatbots and 'rubbish' communication after data breach" (in en-GB). The Guardian. ISSN 0261-3077. https://www.theguardian.com/business/2022/sep/27/optus-customers-exasperated-by-chatbots-and-rubbish-communication-after-data-breach. 
  27. 27.0 27.1 Samios, Zoe (2022-11-10). "Optus hack to cost at least $140 million" (in en). https://www.smh.com.au/business/companies/optus-puts-aside-140m-to-replace-customers-hacked-identity-documents-20221110-p5bx4g.html. 
  28. Conifer, Dan; Xiao, Alison; Bogle, Ariel (2022-11-03). "Optus promises to pay cost of replacing foreign passports compromised in data breach" (in en-AU). ABC News. https://www.abc.net.au/news/2022-11-03/optus-replace-foreign-passports-data-breach/101604176. 
  29. Crozier, Ry. "Deloitte brought in to examine Optus data breach". https://www.itnews.com.au/news/deloitte-brought-in-to-examine-optus-data-breach-585966. 
  30. 30.0 30.1 Muroi, Millie (2023-03-08). "Optus boss says 'skilled criminal' behind cyberattack, admits telco lost customers" (in en). https://www.smh.com.au/business/companies/optus-boss-says-skilled-criminal-behind-cyberattack-admits-telco-lost-customers-20230308-p5cqf9.html. 
  31. Swan, David (2023-11-20). "Optus CEO Kelly Bayer Rosmarin resigns" (in en). https://www.smh.com.au/business/companies/optus-ceo-kelly-bayer-rosmarin-resigns-20231117-p5ekw8.html. 
  32. Lapham, Jake (2022-10-06). "Sydney teen demanded $2,000 from Optus customers as part of data breach scam, AFP says" (in en-AU). ABC News. https://www.abc.net.au/news/2022-10-06/sydney-19-year-old-man-charged-alleged-use-optus-data-/101508404. 
  33. "Sydney man avoids jail over scam texts using Optus hack data". 2023-02-07. https://www.9news.com.au/national/teen-dennis-su-scammer-avoids-jail-after-text-messages-court-sydney-new-south-wales/b3fa1cf1-1a68-4063-8087-b0882e8b990f. 
  34. Borys, Stephanie (2022-10-11). "Optus facing new probes over data hack, could be forced to pay millions in compensation" (in en-AU). ABC News. https://www.abc.net.au/news/2022-10-11/information-commissioner-acma-investigate-optus-data-hack/101522800. 
  35. Jackson, Lewis (2023-04-21). "Australia's Optus hit with class action over cybersecurity breach" (in en). Reuters. https://www.reuters.com/business/media-telecom/australias-optus-hit-with-class-action-over-cybersecurity-breach-2023-04-20/. 
  36. Bonyhady, Nick; Abbott, Lachlan (2023-04-20). "Class action lawsuit launched against Optus after devastating hack" (in en). https://www.smh.com.au/business/companies/class-action-lawsuit-launched-against-optus-after-devastating-hack-20230421-p5d26n.html. 
  37. 37.0 37.1 Baird, Lucas (2023-03-08). "‘No victims’ of Optus data hack: CEO" (in en). https://www.afr.com/business-summit/no-victims-of-optus-data-hack-ceo-20230308-p5cqfg. 
  38. Tarabay, Jamie (2023-09-20). "Massive Australian Ransomware Attack Has Victims Demanding Answers" (in en). Bloomberg.com. https://www.bloomberg.com/news/newsletters/2023-09-20/massive-australian-ransomware-attack-has-victims-demanding-answers.