2022 Optus data breach
The 2022 Optus data breach occurred in September 2022 at the Australian telecommunications company Optus. The breach affected up to 9.7 million current and former customers, with stolen information including names, birthdates, home addresses, phone and email contacts, and passport and driving licence numbers.[1]
Breach
Around 22 September, Optus noticed suspicious activity on its network. It was then identified that Optus's systems had sustained a data breach. Around 24 hours later, the company went public with the data breach.[1] Optus recommended that people have "heightened awareness" for fraudulent activity, but stated that they did not know if the breach had caused any harm to customers. At this point, Optus was unable to give numbers as to how many customers were affected, nor if the data taken had caused harm.[2]

On 23 September, Optus denied claims made by an insider that the breach was the result of human error, in which an Optus API had accidentally been left exposed on a test network with internet access; the company instead maintained that a sophisticated breach had occurred and that it had a strong cybersecurity system. Optus also disclosed that the intrusion had scraped the company's consumer database, with only a third of the total data in the database copied and extracted.[3]
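The insider claim above describes a classic failure mode: a customer-lookup API reachable without credentials, from which a database is scraped one record at a time. The script below is an added defensive example, not part of this article and not Optus's code or logs; it shows how such scraping can be caught from access logs after the fact. The log format, the `/api/customers/<id>` endpoint, the `auth=yes|no` field and every log line are constructed assumptions for illustration.

```python
"""Flag bulk enumeration of customer records in API access logs (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log layout: "<ISO timestamp> <client ip> <method> <path> <status> auth=<yes|no>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)
# Assumed customer endpoint; one numeric record id per request.
CUSTOMER_RE = re.compile(r"^/api/customers/(?P<cid>\d+)$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    cm = CUSTOMER_RE.match(m["path"])
    return {
        "ts": ts,
        "ip": m["ip"],
        "status": int(m["status"]),
        "authed": m["auth"] == "yes",
        "customer_id": int(cm["cid"]) if cm else None,
    }


def unauthenticated_hits(events):
    """Customer records served (HTTP 200) to requests that carried no credentials.

    Any non-empty result means the endpoint is exposed; it should never be reachable
    without authentication, test network or not."""
    return [
        e for e in events
        if e["customer_id"] is not None and e["status"] == 200 and not e["authed"]
    ]


def enumeration_sources(events, window=timedelta(minutes=5), threshold=20):
    """Clients that retrieved at least `threshold` distinct customer records within `window`.

    Returns {client_ip: max distinct records seen in any window}. A legitimate client
    looks up its own record; a scraper walks through many ids in a short time."""
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["customer_id"] is not None and e["status"] == 200:
            per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, hits in per_ip.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until all hits fit inside `window`.
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            distinct = {h["customer_id"] for h in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real logs): one scraper and two ordinary users."""
    base = datetime(2022, 9, 20, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Scraper: 25 consecutive record ids in under a minute, no credentials at all.
    for i in range(25):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:{fmt}} 203.0.113.7 GET /api/customers/{100000 + i} 200 auth=no")
    # Ordinary users: authenticated lookups of their own record, one denied request.
    lines.append(f"{base + timedelta(seconds=5):{fmt}} 198.51.100.4 GET /api/customers/100500 200 auth=yes")
    lines.append(f"{base + timedelta(seconds=9):{fmt}} 198.51.100.9 GET /api/customers/100777 200 auth=yes")
    lines.append(f"{base + timedelta(seconds=12):{fmt}} 198.51.100.9 GET /api/customers/100778 403 auth=yes")
    # Unrelated unauthenticated endpoint; must not be counted as a record disclosure.
    lines.append(f"{base:{fmt}} 198.51.100.4 GET /api/health 200 auth=no")
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse_line, build_sample_log()) if e]
    print("records served without credentials:", len(unauthenticated_hits(events)))
    print("enumeration sources:", enumeration_sources(events))
```

Two independent signals are checked because each catches a different mistake: `unauthenticated_hits` is a configuration check (the endpoint answered without credentials at all), while `enumeration_sources` is a behavioural check that would also catch scraping through a single valid account. In a real deployment the window and threshold would be tuned against normal traffic, and the same logic would run continuously rather than on a static file.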
On 24 September, Optus and the Australian Federal Police (AFP), now conducting a criminal investigation, received reports that data from the leak was being sold online, and were monitoring the dark web for any attempt to sell the data.[4] The same day, a user on BreachForums posted a ransom note believed by some cybersecurity experts to be legitimate, demanding that Optus pay $1,000,000 ($1,500,000 AUD) in Monero and stating that they would release the personal information of 10,000 customers for every day that Optus did not pay, until a week had elapsed; the post included a sample of 200 customers' information. After the week elapsed, they intended to sell the data for $300,000 ($400,000 AUD) to anyone who wanted it.[5] A few hours later, the user deleted their original post and appeared to apologise for their actions, stating that it was a "mistake to scrape publish data in first place" and that there were "too many eyes" on the breach. The user noted that they would have reported the exploit they used if they had been able to contact Optus, citing the lack of a message channel, secure mail or bug bounty programme.[5]
Governmental response
Home Affairs and Cyber Security Minister Clare O'Neil alleged that Optus was at fault for the attack, rejecting Optus's argument that the attack was sophisticated and stating that it should not have happened: "responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country."[6]
The federal government announced emergency regulation on 6 October so that driver's licence, Medicare and passport numbers could be temporarily shared with financial services and with Commonwealth, state and territory agencies, to assist with monitoring the accounts of customers affected by the breach for potential scams or fraud. Financial institutions, however, have to commit to several conditions to receive the data, including honouring privacy obligations and deleting the data once it has been used. The Council of Financial Regulators has also been asked to identify and report on changes that would help financial institutions identify customers who are at risk of scams and fraud. The changes will be in place for 12 months. Treasurer Jim Chalmers stated that "These new measures will assist in protecting customers from scams, and in system-wide fraud detection."[7]
O'Neil expressed frustration at the government's lack of ability to intervene in the data breach, as Australia's Security of Critical Infrastructure laws (SOCI laws) only allowed the government to legally intervene while a data breach was occurring. The government could not assist with the clean-up following the breach, or compel Optus to give information to government services. O'Neil stated, "The laws…provided absolutely no use when we actually needed them."[8]
Several new security measures have been announced following the breach to protect victims from fraud, including banks being informed of data breaches faster to prevent the use of data to fraudulently access bank accounts.[9] The federal government has also flagged an overhaul of the $1.7 billion AUD cybersecurity plan introduced by the previous government, including a new cyber office and additional powers for the government to intervene regarding cybersecurity, as well as considering a Cyber Security Act to create standards and obligations for industry and government, and a reform to the Security of Critical Infrastructure Act to bring customer data and systems under the definition of "critical infrastructure" allowing the government to intervene in major data breaches.[10]
Prime Minister Anthony Albanese and O'Neil hosted a roundtable with industry and civil society groups on cybersecurity following the data breach. A discussion paper was released regarding the role of the federal government in increasing Australia's cybersecurity capability.[10][11]
Optus response
Optus has commissioned Deloitte to conduct an "independent external review" of the breach.[12] Optus also announced that its "most affected" customers would receive a 12-month subscription to the credit monitoring service Equifax Protect, after O'Neil requested in Question Time that the company buy credit monitoring for its customers.[13] Optus CEO Kelly Bayer Rosmarin apologised for the attack on behalf of the company, saying "We are deeply sorry." Optus has set aside $140 million AUD for costs relating to the breach, including replacing compromised identification documents, the Equifax Protect subscriptions and the Deloitte review.[14]
Optus reported that 2.1 million of its customers had had identity documents stolen as part of the hack. Of these, 1.2 million customers, according to Optus, "have had at least one number from a current and valid form of identification, and personal information, compromised." The remaining 900,000 customers had expired identity numbers stolen.[15]
Allegations of a lack of communication from Optus have been made by Services Australia. On 27 September, Services Australia wrote to Optus "asking for the full details of all affected customers with Services Australia credentials exposed, such as Medicare cards and/or Centrelink concession cards." Minister for Government Services Bill Shorten stated that, a week later, Services Australia had still not received any data from Optus. Optus claimed that it was "in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take." There was also confusion regarding the number of Medicare numbers stolen, with Shorten telling a press conference "about 36,900" and Optus identifying "14,900 valid Medicare ID numbers".[8]
Customers have also reported problems communicating with the company: Optus being unable to confirm whether their personal information was part of the data breach after several contacts, the company's chatbot failing to understand questions about the breach, poor responses from sales representatives, no response from Optus at all, and delays in warning customers that their personal information had been compromised. One customer stated: "Ultimately, we are sitting ducks for identity theft, and given that we can't change our dates of birth, address or names, there isn't much we can do about it, which is incredibly frustrating."[13]
Legal action
On 6 October, a 19-year-old Sydney man was arrested by the AFP at his home in Rockdale for blackmailing 93 Optus customers affected by the breach, threatening to commit financial crimes using their personal data unless they paid him $2000 AUD; none did. He was charged with one count of using a telecommunications network with intent to commit a serious offence and one count of dealing with identification information with intent to commit an offence, carrying a combined maximum penalty of seventeen years' imprisonment if found guilty. AFP Assistant Commissioner Justine Gough stated that he was not suspected of being responsible for the breach itself, and warned people not to click on links claiming to be from Optus.[16]
The Office of the Australian Information Commissioner (OAIC) has launched an investigation into the breach, concerning Optus's handling of the personal data of customers, focusing on whether Optus took reasonable steps to protect consumers affected by the breach from fraud, misuse, or loss, and whether the information collected was necessary for Optus to keep. Australian Communications and Media Authority (ACMA) is also investigating the breach, focusing on whether Optus breached its obligations regarding the protection and disposal of personal data.[17] OAIC was given $5.5 million to investigate the breach over two years by the federal government in its October 2022 budget.[12]
A class action has been launched by law firm Slater & Gordon, alleging that Optus "breached laws and its own policies by failing to adequately protect customer data and destroy or de-identify former customer data." The ongoing class action has been joined by 100,000 current and former customers seeking compensation for losses, including the time taken to replace identification documents and the stress caused. Optus has stated it will defend its actions.[18][19]
References
- "Optus: How a massive data breach has exposed Australia". BBC News. 2022-09-29. Retrieved 2023-05-16.
- "Optus says customer information compromised in cyber attack". ABC News. 2022-09-22. Retrieved 2023-05-16.
- "Optus rejects insider claims of 'human error' as possible factor in hack affecting millions of Australians". ABC News. 2022-09-23. Retrieved 2023-05-16.
- "AFP monitoring dark web amid allegations stolen Optus data may be sold online". ABC News. 2022-09-24. Retrieved 2023-05-16.
- "An alleged hacker has offered their 'deepest apologies' to Optus. Here's the latest on the data breach". ABC News. 2022-09-27. Retrieved 2023-05-16.
- "Home affairs minister says Optus 'left window open' for cyber criminals". ABC News. 2022-09-26. Retrieved 2023-05-16.
- Evans, Jake (2022-10-06). "Optus given temporary power to share compromised data with banks following hack". ABC News. Retrieved 2023-05-17.
- "Services Australia struggles to gauge exposure to Optus data breach". iTnews. Retrieved 2023-05-18.
- Speers, David; Greene, Andrew (2022-09-28). "Federal government to unveil new security measures following massive Optus data breach". ABC News. Retrieved 2023-05-17.
- Evans, Jake (2023-02-26). "Federal government to rewrite cyber laws after Optus, Medibank hacks". ABC News. Retrieved 2023-05-17.
- Foster, Jeffrey (2023-02-28). "Australia has a new cybersecurity agenda. Two key questions lie at its heart". The Conversation. Retrieved 2023-05-19.
- "Privacy watchdog given $5.5 million to investigate Optus cyber breach". 9News. 2022-10-26. Retrieved 2023-05-18.
- Taylor, Josh (2022-09-26). "Optus customers exasperated by chatbots and 'rubbish' communication after data breach". The Guardian. ISSN 0261-3077. Retrieved 2023-05-18.
- Samios, Zoe (2022-11-10). "Optus hack to cost at least $140 million". The Sydney Morning Herald. Retrieved 2023-05-18.
- "Deloitte brought in to examine Optus data breach". iTnews. Retrieved 2023-05-18.
- Lapham, Jake (2022-10-06). "Sydney teen demanded $2,000 from Optus customers as part of data breach scam, AFP says". ABC News. Retrieved 2023-05-17.
- Borys, Stephanie (2022-10-11). "Optus facing new probes over data hack, could be forced to pay millions in compensation". ABC News. Retrieved 2023-05-17.
- Jackson, Lewis (2023-04-21). Osterman, Cynthia (ed.). "Australia's Optus hit with class action over cybersecurity breach". Reuters. Retrieved 2023-05-17.
- Abbott, Lachlan; Bonyhady, Nick (2023-04-20). "Class action lawsuit launched against Optus after devastating hack". The Sydney Morning Herald. Retrieved 2023-05-20.