Jump to content

2022 Optus data breach

This is a good article. Click here for more information.
From Wikipedia, the free encyclopedia
(Redirected from Optus breach)

In September 2022, Australian telecommunications company Optus suffered a data breach that affected up to 10 million current and former customers comprising a third of Australia's population. Information was illegally obtained, including names, dates of birth, home addresses, telephone numbers, email contacts, and numbers of passports and driving licences. Conflicting claims about how the breach happened were made; Optus presented it as a complicated attack on its systems while an Optus insider and the Australian Government said a human error caused a vulnerability in the company's API. A ransom notice asking for A$1,500,000 to stop the data from being sold online was issued. After a few hours, the data thieves deleted the ransom notice and apologised for their actions.

Government figures, including Home Affairs and Cyber Security Minister Clare O'Neil, and Minister for Government Services Bill Shorten, criticised Optus for its role in the attack, and for being uncooperative with government agencies and the public. The government announced legislation, including the allowance of information-sharing with financial services and government agencies, and reforms to Australia's laws on security of critical infrastructure to help the government act in the event of future breaches.[1] In response to the data breach, Optus agreed to pay for the replacements of compromised passports, commissioned an external review, and gave seriously affected customers a subscription to a credit monitoring service. Optus also apologised for the breach. Customers criticized Optus for not being responsive and providing inadequate responses to those affected. As of June 2023, investigations into the breach and a class-action lawsuit from affected customers were ongoing.

Background

[edit]

Optus, an Australian telecommunications company owned by Singtel, was founded in 1981 with the formation of the government-owned satellite-communications company AUSSAT.[2] AUSSAT was privatised in 1991 and sold to a consortium that included Mayne Nickless and AMP.[3] In 2022, Optus was Australia's third-largest telecommunications company with a 13.1% market share.[4] In September 2022, Optus had around 10 million customers, comprising more than a third of Australia's population of around 26.12 million people.[5][6]

Breach

[edit]

On 20 September 2022, Optus's technical team noticed and investigated suspicious activity on its network. The next day, Optus's systems were found to have sustained a data breach and regulators were informed. On 22 September, the company publicly announced the data breach and informed news agencies.[5][7] Optus advised the public to be vigilant for potential fraudulent activity but stated it did not know whether the breach had caused any harm to customers. Optus did not state how many customers were affected or whether the theft of data had caused harm.[8] Illegally obtained Information included names, dates of birth, home addresses, telephone numbers, email contacts, and passport and driving-licence numbers.[5]

Screenshot of the ransom note.
Ransom note left by the person believed to be behind the breach

On 23 September, Optus denied an insider's claims a mistake in which its application programming interface (API) had accidentally been left exposed to a test network that had access to the Internet had occurred. The company also said a complicated breach had occurred and that it had a strong cybersecurity system.[9] The Australian Broadcasting Corporation (ABC) was told Optus believed the hacker had scraped the company's consumer database, and that a third of the data in the database had been copied and extracted.[9]

On 24 September, Optus and the Australian Federal Police (AFP), which had opened a criminal investigation, received reports data from the leak was being sold online and were monitoring the dark web for any attempt to sell the data.[10] The same day, a user on the website BreachForums posted a ransom note; some cybersecurity experts believed the note was genuine but Optus and the AFP did not confirm its genuineness. The note demanded Optus pay $1,500,000 in the privacy-focused cryptocurrency Monero, provided a sample of data from 200 customers, and said the data thieves would release the personal information of 10,000 customers every day if Optus did not pay the ransom until a week elapsed. After the week elapsed, the thieves would sell the data for A$400,000 to anyone who wanted them.[11] After several hours, the user deleted their original post and appeared to apologise for their actions despite no ransom being paid, stating it was a "mistake to scrape publish [sic] data in first place"[11] and that too many people were paying attention to the breach. The user noted they would have reported the exploit they used if they had the ability to contact Optus, noting the lack of a secure mail, a messaging contact and bug bounties.[11]

Government response

[edit]

Home Affairs and Cyber Security Minister Clare O'Neil said Optus was at fault for the attack, refuting Optus's argument the attack was complicated. O'Neil also stated the attack should not have happened, stating: "Responsibility for the security breach rests with Optus[,] and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country".[12]

On October 6, the federal government announced an emergency regulation to temporarily allow drivers licences, Medicare information, and passport numbers to be shared with financial services, the Commonwealth, and state and territory agencies to assist monitoring of accounts of customers affected by the breach for potential scams or fraud. Financial institutions had to commit to several actions to receive the data, including honouring privacy obligations and deleting data once it has been used. The Council of Financial Regulators was asked to identify and report on changes to financial instructions to identify customers who were at risk of scams and fraud. The changes were in place for 12 months. Treasurer Jim Chalmers stated the measures would help protect customers from scams and detect fraud.[13]

O'Neil expressed frustration at the lack of ability for the government to intervene in the data breach, its inability to assist with the clean-up or compel Optus to give government services information. She stated Australian law had no use for the government when needed because Australia's laws governing security of critical infrastructure only allowed the government to intervene while a data breach was occurring.[14]

Following the breach, several new security measures to protect victims from fraud, including banks being more-quickly informed of data breaches to prevent the use of data to fraudulently access bank accounts, were announced.[15] The federal government announced an overhaul of the $1.7 billion cybersecurity plan introduced by the previous government, including additional powers to intervene in cybersecurity. The government also considered a Cyber Security Act to create standards and obligations for industry and government, and a reform to the Security of Critical Infrastructure Act to bring customer data and systems under the definition of "critical infrastructure", allowing the government to intervene in major data breaches.[16]

In April 2023, the National Office of Cyber Security was founded with five full-time staff and no additional funding beyond what was already given to the Department of Home Affairs.[17] In June 2023, Air Marshal Darren Goldie was appointed as Australia's inaugural Cyber Security Coordinator.[18] In November 2023, Goldie was recalled to the Department of Defence regarding a workplace matter, and cyber-and-infrastructure security head Hamish Hansford took on the position in the interim.[19]

On 27 February 2023, Prime Minister Anthony Albanese and O'Neil hosted a roundtable with industry and civil society groups on cybersecurity following the data breach. A discussion paper was released regarding the role of the federal government in increasing Australia's cybersecurity capability.[16][20]

The state governments of Queensland, Victoria, South Australia and Western Australia agreed to pay for the replacement of driver's licences for people whose driver's licence numbers were compromised by the breach.[21][22] In Victoria, plans to add a second number to driver's licences were quickly enacted; all victims of the breach received the second number as part of their replacements, to protect Victorians from identity theft.[23]

Optus response

[edit]
Group of buildings photographed from a large courtyard.
Optus's headquarters at Macquarie Park, where the "war room" was located

On the day the breach was announced, Optus set up a "war room" at its headquarters in Macquarie Park, New South Wales. This involved around 150 employees, and was headed by former Premier of New South Wales Gladys Berejiklian and regulatory and public affairs head Andrew Sheridan.[24]

Optus commissioned Deloitte to perform an "independent external review" regarding the breach.[25] Optus also offered its "most affected" customers a 12-month subscription to credit-monitoring service Equifax Protect after O'Neil requested the company buy credit monitoring for its customers in Question Time.[26] Optus CEO Kelly Bayer Rosmarin apologised for the attack on behalf of the company.[27] Optus reserved $140 million for costs relating to the breach, including the replacement of hacked identity documents, Equifax Protect subscriptions, and the Deloitte review.[27] Optus promised to pay for the replacement of compromised Australian and foreign passports.[28]

Optus reported 2.1 million of its customers had had identity documents stolen in the hack. Of these, 1.2 million had at least one current, valid number from a form of personal identification stolen. The remaining 900,000 customers had expired identity numbers stolen.[29]

Services Australia accused Optus of a lack of communication. On 27 September, Services Australia wrote to Optus "asking for the full details of all affected customers with Services Australia credentials exposed, such as Medicare cards and/or Centrelink concession cards".[14] Minister for Government Services Bill Shorten stated a week later, Services Australia had not received any data from Optus, which said it was "in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take".[14] There was also confusion about the number of stolen Medicare ID numbers; Shorten told a press conference around 36,900 ID numbers had been stolen and Optus said 14,900 ID numbers had been stolen.[14]

Customers also reported having problems communicating with Optus. Customers stated Optus could not confirm their personal information was part of the data breach. Customers reported after contacting Optus several times, the company's chatbot failed to understand customers' questions about the breach, sales representatives gave poor responses, they did not receive a response from Optus at all, and there were delays in warning customers of compromised personal information. One customer stated: "Ultimately, we are sitting ducks for identity theft, and given that we can’t change our dates of birth, address or names, there isn’t much we can do about it, which is incredibly frustrating".[26]

On 8 March 2023, Bayer Rosmarin restated Optus's claim the attack was sophisticated, stating at a business summit: "[t]he skilled criminal had knowledge of Optus' systems and cycled through many tens of thousands of internet protocol addresses in an attempt to evade our automated cyber monitoring".[30] She also stated Optus never paid a ransom to the hacker and that the main reason for the breach was other scam purposes.[30]

In November 2023, Bayer Rosmarin resigned as CEO of Optus after the 2023 Optus outage; there had been mounting pressure on her to resign due to the outage and the data breach.[31]

[edit]

On 6 October 2022, the Australian Federal Police (AFP) arrested a 19-year-old Sydney man Dennis Su in his home at Rockdale for blackmailing 93 breach-affected Optus customers. Su said he would commit financial crimes using the customers' personal data unless they paid him A$2,000, which none did. He was charged with one count of using a telecommunication network with intent to commit a serious offence and one count of dealing with identification information with intent to commit an offence. AFP Assistant Commissioner Justine Gough stated Su was not suspected of being responsible for the breach and warned people not to click on links claiming to be from Optus.[32] Su pleaded guilty in November 2022; he did not go to jail due to a guilty plea, his age, and remorse shown for his actions, and he received an 18-month community corrections order.[33]

On 11 October, the Office of the Australian Information Commissioner (OAIC) launched an investigation into the breach, Optus's handling of customers' personal data, whether Optus took reasonable steps to protect consumers affected by the breach from fraud, misuse, or loss, and whether Optus needed to keep the collected information. The Australian Communications and Media Authority (ACMA) also launched an investigation into the breach, focusing on Optus's obligations to protect and dispose of personal data.[34] The federal government gave OAIC $5.5 million to investigate the breach over two years in its October 2022 budget.[25]

Law firm Slater & Gordon launched a class action alleging Optus "breached laws and its own policies by failing to adequately protect customer data and destroy or de-identify former customer data". The ongoing class action was joined by 100,000 current and former Optus customers who wanted compensation for losses, including the time to replace identification documents and the stress it caused. Optus stated it would defend its actions.[35][36] In court, Slater & Gordon lawyers requested the public release of the Deloitte report, arguing it could reveal the possible causes of the data breach. Optus declined to release the report despite Bayer Rosmarin stating in March 2023 Optus would share "key recommendations and learnings"[37] from the report.[37][38] In November 2023, Optus lost a bid to keep the report confidential.[39]

See also

[edit]

References

[edit]
  1. ^ Crozier, Ry (1 October 2022). "Australian police, banks join forces to monitor leaked Optus dataset". iTnews. Archived from the original on 30 September 2022. Retrieved 17 October 2023.
  2. ^ "Australia's History in Satellite Technology". The Lowdown. 8 June 2007. Archived from the original on 8 June 2007. Retrieved 3 January 2024.
  3. ^ Gray, Joanne (20 November 1991). "Optus Chosen to Take on Telecom". Australian Financial Review. Retrieved 3 January 2024.
  4. ^ Bradstock, Emma (18 August 2022). "Largest Internet Providers in Australia". Canstar Blue. Archived from the original on 10 June 2023. Retrieved 10 June 2023.
  5. ^ a b c Turnbull, Tiffanie (29 September 2022). "Optus: How a massive data breach has exposed Australia". BBC News. Archived from the original on 16 May 2023. Retrieved 16 May 2023.
  6. ^ "National, state and territory population – September 2022". Australian Bureau of Statistics. 16 March 2023. Retrieved 3 April 2024.
  7. ^ Smith, Paul (21 December 2022). "Inside the Optus hack that woke up Australia". Australian Financial Review. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  8. ^ McElroy, Nicholas (22 September 2022). "Optus says customer information compromised in cyber attack". ABC News. Archived from the original on 23 September 2022. Retrieved 16 May 2023.
  9. ^ a b Greene, Andrew (23 September 2022). "Optus rejects insider claims of 'human error' as possible factor in hack affecting millions of Australians". ABC News. Archived from the original on 24 September 2022. Retrieved 16 May 2023.
  10. ^ Belot, Henry (24 September 2022). "AFP monitoring dark web amid allegations stolen Optus data may be sold online". ABC News. Archived from the original on 18 May 2023. Retrieved 16 May 2023.
  11. ^ a b c Maguire, Dannielle (27 September 2022). "An alleged hacker has offered their 'deepest apologies' to Optus. Here's the latest on the data breach". ABC News. Archived from the original on 3 October 2022. Retrieved 16 May 2023.
  12. ^ Evans, Jake (26 September 2022). "Home affairs minister says Optus 'left window open' for cyber criminals". ABC News. Archived from the original on 27 September 2022. Retrieved 16 May 2023.
  13. ^ Evans, Jake (6 October 2022). "Optus given temporary power to share compromised data with banks following hack". ABC News. Archived from the original on 9 October 2022. Retrieved 17 May 2023.
  14. ^ a b c d Crozier, Ry. "Services Australia struggles to gauge exposure to Optus data breach". iTnews. Archived from the original on 18 May 2023. Retrieved 18 May 2023.
  15. ^ Speers, David; Greene, Andrew (28 September 2022). "Federal government to unveil new security measures following massive Optus data breach". ABC News. Archived from the original on 17 May 2023. Retrieved 17 May 2023.
  16. ^ a b Evans, Jake (26 February 2023). "Federal government to rewrite cyber laws after Optus, Medibank hacks". ABC News. Archived from the original on 17 May 2023. Retrieved 17 May 2023.
  17. ^ Sadler, Denham. "Govt fires up National Cyber Security Office". Information Age. Retrieved 3 January 2024.
  18. ^ ACSM Admin (23 June 2023). "Australia's New National Cyber Security Coordinator - Australian Cyber Security Magazine". Retrieved 3 January 2024.
  19. ^ Bajkowski, Julian (15 November 2023). "O'Neil's National Cybersecurity Coordinator sent back to Defence". The Mandarin. Retrieved 3 January 2024.
  20. ^ Foster, Jeffrey (28 February 2023). "Australia has a new cybersecurity agenda. Two key questions lie at its heart". The Conversation. Archived from the original on 19 May 2023. Retrieved 19 May 2023.
  21. ^ Yosufzai, Rashida; Bahr, Jessica. "Optus data breach: What to do about replacing your driver's licence and passport". SBS News. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  22. ^ Cowie, Tom (29 October 2022). "VicRoads to issue almost 1 million free driver's licences after Optus hack". The Age. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  23. ^ Cowie, Tom (29 October 2022). "VicRoads to issue almost 1 million free driver's licences after Optus hack". The Age. Archived from the original on 3 June 2023. Retrieved 15 June 2023.
  24. ^ Smith, Paul (21 December 2022). "Inside the Optus hack that woke up Australia". Australian Financial Review. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  25. ^ a b Branco, Jorge (26 October 2022). "Privacy watchdog given $5.5 million to investigate Optus cyber breach". www.9news.com.au. Archived from the original on 18 May 2023. Retrieved 18 May 2023.
  26. ^ a b Taylor, Josh (26 September 2022). "Optus customers exasperated by chatbots and 'rubbish' communication after data breach". The Guardian. ISSN 0261-3077. Archived from the original on 18 May 2023. Retrieved 18 May 2023.
  27. ^ a b Samios, Zoe (10 November 2022). "Optus hack to cost at least $140 million". The Sydney Morning Herald. Archived from the original on 13 November 2022. Retrieved 18 May 2023.
  28. ^ Conifer, Dan; Xiao, Alison; Bogle, Ariel (3 November 2022). "Optus promises to pay cost of replacing foreign passports compromised in data breach". ABC News. Archived from the original on 3 November 2022. Retrieved 20 May 2023.
  29. ^ Crozier, Ry. "Deloitte brought in to examine Optus data breach". iTnews. Archived from the original on 18 May 2023. Retrieved 18 May 2023.
  30. ^ a b Muroi, Millie (8 March 2023). "Optus boss says 'skilled criminal' behind cyberattack, admits telco lost customers". The Sydney Morning Herald. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  31. ^ Swan, David (20 November 2023). "Optus CEO Kelly Bayer Rosmarin resigns". The Sydney Morning Herald. Retrieved 3 January 2024.
  32. ^ Lapham, Jake (6 October 2022). "Sydney teen demanded $2,000 from Optus customers as part of data breach scam, AFP says". ABC News. Archived from the original on 6 October 2022. Retrieved 17 May 2023.
  33. ^ Guelas, Joanna (7 February 2023). "Sydney man avoids jail over scam texts using Optus hack data". www.9news.com.au. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  34. ^ Borys, Stephanie (11 October 2022). "Optus facing new probes over data hack, could be forced to pay millions in compensation". ABC News. Archived from the original on 13 October 2022. Retrieved 17 May 2023.
  35. ^ Jackson, Lewis (21 April 2023). Osterman, Cynthia (ed.). "Australia's Optus hit with class action over cybersecurity breach". Reuters. Archived from the original on 17 May 2023. Retrieved 17 May 2023.
  36. ^ Bonyhady, Nick; Abbott, Lachlan (20 April 2023). "Class action lawsuit launched against Optus after devastating hack". The Sydney Morning Herald. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  37. ^ a b Baird, Lucas (8 March 2023). "'No victims' of Optus data hack: CEO". Australian Financial Review. Retrieved 4 October 2023.
  38. ^ Tarabay, Jamie (20 September 2023). "Massive Australian Ransomware Attack Has Victims Demanding Answers". Bloomberg.com. Retrieved 4 October 2023.
  39. ^ Taylor, Josh (10 November 2023). "Optus loses court bid to keep report into cause of 2022 cyber-attack secret". The Guardian. ISSN 0261-3077. Retrieved 7 March 2024.