
The Optus hack: How 10 million people got pwned

Sep 29, 2022

Millions of Australians will need new drivers' licences and passports, after Optus's lax data management exposed the details of around 10 million Australians to a hacker.

So why did Optus hold so much data on millions of Australians? Why wasn’t it held more safely? And what do we need to learn from this? Today, Toby Murray on how millions of Australians are now exposed.

Episode 790

[Theme Music Starts]

RUBY:

From Schwartz Media I’m Ruby Jones, this is 7am.

Millions of Australians will need new drivers' licences and passports, after Optus's lax data management exposed the details of around 10 million Australians to a hacker.

The Prime Minister says Optus should be footing the bill for new ID documents and has called the hack a ‘wake-up call’ for corporate Australia.

But why did Optus hold so much data on millions of Australians? And - why wasn’t it held more safely?

Today, Associate Professor at the University of Melbourne Toby Murray, on the state of data security in Australia… and what we need to learn from the Optus hack.

It’s Thursday, September 29.

[Theme Music Ends]

Archival tape -- Reporter 1:

“First tonight, a major security breach impacting possibly millions of customers of one of the country’s biggest telecommunications companies…”

Archival tape -- Reporter 2:

“Well, Optus today has revealed a major data attack on its systems. What amounts to a widespread breach of private information.”

Archival tape -- Reporter 3:

“Phone numbers, email addresses, dates of birth, even passport details. A cyber attack against telecommunications giant Optus has compromised the identities of more than 9 million Australians.”

RUBY:

Toby, one week ago now, we learnt that there had been this large-scale cyber attack on Optus and that potentially millions of customers had had their information stolen. So let's go back to that time. Tell me about Optus's initial response.

TOBY:

Yeah. So on Thursday Optus reported that they had suffered a cyber attack and they issued a press release saying that they had shut down the attack and were starting to contact people who might have been affected. But at that stage they weren't saying exactly how many.

Archival tape -- Kelly Bayer Rosmarin:

“Unfortunately we became aware late yesterday there was unusual activity that was a cyber attack, and unfortunately some unknown actors have managed to access our customers’ information.”

TOBY:

Emails from Optus started to land in people's inboxes late on Friday, and then they kept trickling into different people's inboxes over the course of the weekend.

So the data that has been reported to have been stolen here includes things like people's names, dates of birth, their mobile phone numbers, their street address information, driver's licence numbers or passport numbers or, as we learnt on Tuesday, Medicare card numbers also. And the reason why this is so concerning is because that data together allows an attacker, for instance, to target you for identity theft. So they may use that data to impersonate you and apply for a loan in your name or take out other kinds of credit in your name.

So I myself, as an Optus customer, got my email around Saturday evening; my wife got hers on Saturday morning.

RUBY:

That must have been an alarming email to get.

TOBY:

Yeah, well, I sort of expected it was coming, but it certainly was alarming to realise that yes, indeed, I was one of the people impacted by this breach and, in my case, that some identity information, in particular driver's licence number or passport number, had been exposed as a result of this breach. And so I immediately began to think... what should I be doing to protect myself?

RUBY:

Okay. And so it wasn't long after that first announcement from Optus and these emails that the very first post on a message board appeared. Can you tell me about that?

TOBY:

Yeah, that's right. So on Saturday, a post appeared on a message board, and this is a site where people who have stolen data from companies post messages trying to sell that data and to make money out of it. And so a post appeared from someone claiming to possess information from the breach, including details of 11.2 million Optus customers, and they posted two samples of the data, which included 100 records each, to prove the veracity of their claims.

RUBY:

Okay. And so I suppose the very first question that you have, when a person turns up online claiming that they have access to all of this personal information, is are they legitimate? Did those data samples match the information of Optus customers?

TOBY:

Yeah, you've got to prove that indeed what you're offering, in this case, really is legitimate. And it was important for these attackers to do that because they were asking for a million US dollars in cryptocurrency from Optus to not reveal that data to others.

Archival tape -- Jeremy Kirk:

“Optus. If you are reading a price for us to not sale data is 1 million USD. We give you one week to decide.”

TOBY:

So it's really interesting. In this case, an information security journalist, Jeremy Kirk, pretty quickly made contact via the forum, I believe, with these purported attackers, and was able to look at the data … trying to verify whether that data was indeed legitimate. And Jeremy found someone who lived down the road from him who was mentioned in that data and talked to them directly.

Archival tape -- Jeremy Kirk:

“There was a woman working in her front yard and I had printed out her data and said, ‘Is this your…?’, explained to her what was going on and then said, ‘Is this your data?’ And she said, ‘Yes, that's my data.’”

TOBY:

And so he was very quickly able to determine that, yes, indeed, this did look legitimate.

So on Saturday the AFP confirmed that it was aware of the report and, as it said, was using its specialist capabilities to monitor the dark web and other technologies, and would not hesitate to take action against those who are breaking the law, saying also that it is an offence to buy stolen credentials and that those who do face a penalty of up to ten years' imprisonment. So by then we knew this was a legitimate threat and indeed the AFP was taking it seriously.

RUBY:

Right. Okay. So the Federal Police are looking into it, but how does Optus handle things at this point? Because they're dealing with what seems increasingly likely to be this very real attempt to hold the company to ransom, essentially asking for a million US dollars. So what's their response to that attempt to extort money from them?

TOBY:

So initially the response from Optus here was a little bit patchy.

Archival tape -- Chris Smith:

“Sally! You couldn’t be working for an Optus company at a better time, couldn’t you really?”

Archival tape -- Sally Oelerich:

“Thank you, Chris, thank you for having me on.”

TOBY:

On Monday, the 26th, the Optus Director of Corporate Affairs, Regulatory and Public Affairs, Sally Oelerich, gave an interview in which she struggled to explain what had happened or whether or not the person claiming to have the information was legitimate.

Archival tape -- Sally Oelerich:

“We have not been approached for… obviously that's on the Internet, but no one's picked up the phone and called us, so to speak. I cannot actually validate whether that's even legitimate. And part of that is just, you know, again, it's under investigation.”

TOBY:

And indeed, if you look at how Optus has communicated with customers since this breach occurred, in some cases it's taken them quite a while to communicate with different customers.

They've explained that different kinds of data have been exposed, but without really explaining to customers exactly what data has been exposed.

So in many cases, customers have been left to guess a little bit about precisely, you know, whether it is your driver's licence or whether it is your passport. And if it is your passport, was it the one from four years ago or was it the one that, you know, you got last year when you got your passport renewed, and therefore, how should you respond? So I think in that case, Optus's public response here has certainly left some room for improvement.

RUBY:

And all of this became a lot more important on Tuesday morning, didn't it? Because that's when we were told by this same person that they had actually released some of the data. Can you tell me about that?

TOBY:

Yeah, absolutely. So on Tuesday morning, the purported attackers posted another message online saying, essentially, that they were now going to release the personal information of 10,000 people in that data set, in an effort to turn the heat up on Optus and force them to pay the ransom demand they had issued a couple of days earlier.

And they said that they would continue to release a further 10,000 each day until Optus paid up.

RUBY:

We’ll be back in a moment.

[Advertisement]

Archival tape -- Sky News Reporter:

“Ross, you broke the story this morning that the person who hacked the Optus customer database had taken down that database… and apologised?”

Archival tape -- Ten News Reporter:

“Bizarrely, yesterday the hacker apologised, deleted the post with the stolen data and withdrew their ransom demand.”

Archival tape -- Nine News Reporter:

“We will not sell data to anyone. We can’t if we even want to. Personally deleted data from drive. Only copy. Very sorry to you.”

RUBY:

So Toby, after making good on initial threats to start releasing personal data, the Optus hacker seemingly changed their mind. So tell me what happened?

TOBY:

So after posting the 10,000 records online on Tuesday, the attackers then followed up with a second message saying that actually they had decided to delete the data, that they would not be releasing any further information, and apologising to Optus and to the 10,000 individuals whose data they'd released. And as far as I can tell, this is in response to the Federal Police announcing that they've instigated an operation, including overseas counterparts, to move against these attackers.

So it seems that, after having turned up the heat on Optus, the attackers have now decided that it's time to lie low in the hope that they won't be caught for this breach.

RUBY:

Right. So after all of that, then it seems like perhaps these Optus customers won't have their data sold online.

TOBY:

I think that's far from clear. So I'm still concerned that my data may be exposed in future. There's no guarantee that these attackers really have deleted their copy of the data, or that they didn't pass the data on to others in the meantime, or indeed that they might not decide, once the heat has died down, to try to monetise this data in a way that's a little quieter than the approach they took this week.

This incident is a reminder of many things. One of which is how much of our information we are handing over to companies and we are entrusting to them. Data breaches are an almost daily occurrence, and so having handed out data to so many companies, it's almost inevitable that at some stage it's going to be breached. And this is certainly a very timely reminder of why we need better privacy regulation and better protection for consumers to help mitigate these risks in the future.

RUBY:

Right, and so if that is the case, that these companies hold so much information, and that data breaches are so common, inevitable even, why do these companies keep this level of information about customers on file?

TOBY:

That's a really good question. So the reason that these telecommunications companies in particular collect so much information is because they're required to by law, in particular under the data retention regime. They're required to collect identity information from people who sign up to their services, and they're required to keep that information while the person is using the telecommunications service and to hold onto it for two years afterwards.

And the reason why that legislation requires that kind of retention is so that that data can then be used by law enforcement for their investigations of crimes.

And as we've seen in the case of Optus, very simple errors can be made in these web applications that these companies are developing that might allow the data to be stolen exactly as it has here.

RUBY:

Okay. I mean, it's pretty clear, I think, that Optus was not doing a very good job of protecting this data. But it sounds like there is an argument to be made here that it isn't entirely their fault that something like this has happened, given that they're actually being required to keep these vast amounts of data by the Australian Government.

TOBY:

Yeah. So I think we can place blame in a number of places for this particular incident, and for why we might expect to see similar incidents again in the future. Looking at this particular incident, the primary blame has to rest with the attackers, but also with Optus itself. In this case, it was a simple vulnerability. This was not a sophisticated attack. And this kind of vulnerability that the attackers exploited is really inexcusable. It just shouldn't exist in these kinds of publicly facing systems. But we also need to look at how the regulatory landscape has created incentives that allow, or require, this data to be collected in the first place, and that means that companies are not being held to account when the data is breached. For instance, we've already seen the Minister for Home Affairs and Cyber Security, Clare O'Neil, point out that had this breach occurred in Europe, Optus would be liable for hundreds of millions of dollars, whereas in Australia it's only maybe a couple of million that they're liable for. And so there aren't enough incentives in place in the current regulatory regime to actually place the onus on companies like Optus to make sure that their systems are secure and therefore to reduce the chances of these kinds of breaches occurring.

RUBY:

Mm, and it seems like neither Optus nor the government is really doing a lot at the moment that would actually help the people whose data has been taken, people like you. It seems like you're largely on your own trying to work out what to do next?

TOBY:

Unfortunately, that's largely true for the 10,000 individuals who had their data exposed publicly on Tuesday. I certainly hope that Optus will be offering them free credit monitoring, because those individuals are very much at risk of having their identity stolen and therefore used to apply for loans and similar in their name.

While the responsibility has largely been left on individuals to help deal with this breach, we have seen reports earlier this week of potential class action lawsuits that may result from this breach. We haven't seen a strong history of class action lawsuits as a result of data breaches in Australia, so this would certainly be a watershed moment were that to occur. A successful class action here would not only allow affected consumers to band together to try to get some remediation and protection from this breach, but would also put companies on notice that they may well indeed be financially liable for breaches that occur in the future. And ultimately that would be a good thing for helping them to improve their cybersecurity practices and to protect their consumers.

I think there's also room for a cultural change in companies in Australia as well. If you look at the US, for instance, when data breaches occur, it's standard practice for companies to offer free identity theft protection for consumers, including things like free credit monitoring, but also things like insurance that customers can claim against if they suffer fraud or identity theft as a result of the breach, or even services to help them reclaim their identity in the event that it is stolen. With breaches in Australia at the moment, it is not commonplace for those kinds of services to be offered for free to customers. We've started to see a change here with this particular breach at Optus, and I very much hope that this cultural change is something that will be accelerated by the current breach.

RUBY:

Toby, thank you so much for your time.

TOBY:

Thank you very much for having me, Ruby.

[Advertisement]

[Theme Music Starts]

RUBY:

Also in the news today,

Liberal Leader Peter Dutton has announced his support for Labor’s national anti-corruption plan, which was introduced to Parliament on Wednesday, saying “it had got the balance right”.

With the Greens and a number of independent MPs already backing the bill, the Coalition's support means it is likely to pass into law.

And...

Hurricane Ian is expected to make landfall in Florida on Wednesday, and 2.5 million people have been issued evacuation orders.

The category three hurricane has already devastated Cuba, with two people reported dead and significant damage to buildings nationwide. The island nation experienced a total power blackout, leaving 11 million people in the dark.

I’m Ruby Jones, this is 7am. See you tomorrow.

[Theme Music Ends]

Anthony Albanese has announced Optus should foot the bill for new ID documents and has called the hack a ‘wake-up call’ for corporate Australia.
Today, Associate Professor Toby Murray from the School of Computing and Information Systems at the University of Melbourne on how millions of Australians are now exposed, and what we need to do about it.

Guest: Associate Professor Toby Murray.


7am is a daily show from The Monthly and The Saturday Paper. It’s produced by Kara Jensen-Mackinnon, Alex Tighe, Cheyne Anderson and Zoltan Fecso.

Our technical producer is Atticus Bastow.

Brian Campeau mixes the show. Our editor is Scott Mitchell. Erik Jensen is our editor-in-chief.

Our theme music is by Ned Beckley and Josh Hogan of Envelope Audio.
