
Optus Data Breach: Lessons we all should learn
It has been a little over 3 weeks since the announcement of the Optus data breach, and more is being uncovered every day. More alarming than the information of 11.2 million Australian customers being lost is the news that the cause of the breach was an unauthenticated API.
Optus have been vague in confirming the cause of the “breach” and have insisted that a full, independent audit is underway, although the details will NOT be made public.
Why does this matter? If the reports are accurate, as they seem to be, there was no actual breach of security systems. No hack. No stolen or lost credentials. Just shoddy data protection.
It appears that an API (a programming interface that lets different systems communicate) was built to allow the retrieval of customer information. This API was accidentally exposed to the internet: error 1. In addition, the API had no authentication built into it, so anyone could query it and retrieve information without proving who they were or why they needed it: error 2. And finally, the data was organised so that a request simply used a sequential customer number to retrieve a record: error 3. Any person with a moderate amount of programming skill therefore only had to run a looped query to retrieve personal information on Optus customers.
This points towards a lack of corporate governance, and there are 4 fundamental questions for hire companies in the wake of the breach.
1. Why did Optus retain personally identifiable information (such as driver's licence and passport details) on past customers when it was no longer needed? Do you have a data purging policy, and do you regularly get rid of data you no longer need to retain?
2. Where was the technical oversight / peer review of the API? When it comes to developing any external access to information, do you have adequate technical review of what is being designed, developed and deployed?
3. Where was the management oversight? Do you allow IT to develop whatever they want without good justification and good corporate governance? Every new system added to your environment is a new opportunity for data loss. IT are not responsible for data protection; EVERYONE in your organisation is, and it is a management responsibility to ensure a data safety culture exists.
4. What kind of vulnerability monitoring was Optus conducting? Good monitoring should have quickly flagged this behaviour as “suspicious” or “unusual”. 11.2 million records left the Optus network for a 3rd party. What else haven't they noticed? Do you have monitoring in place to identify suspicious or unusual activity? Even simple things like suspicious O365 logins?
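The enumeration pattern described as error 3 above, and the kind of monitoring question 4 asks for, as an added example that is not from the original article and not from Optus: a small Python detector, run over a constructed API access log, that flags any client walking sequential customer IDs and counts requests that reached the customer endpoint with no credential at all. The log format, the sample addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed (constructed) access-log format, one request per line:
#   <unix_ts> <client_ip> <auth> GET /customers/<customer_id> <http_status>
# <auth> is "token" when a credential was presented and "anon" when it was not.
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<auth>anon|token) "
    r"GET /customers/(?P<cid>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: one client walks customer IDs 5000..5009 with no
# credential; a legitimate client fetches two unrelated records with a token.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 203.0.113.7 anon GET /customers/{5000 + i} 200" for i in range(10)]
    + ["1003 198.51.100.2 token GET /customers/48213 200",
       "1007 198.51.100.2 token GET /customers/9110 200"]
)

def parse(log_text):
    """Return (ts, ip, auth, customer_id) tuples for well-formed lines, in time order."""
    matches = (LOG_LINE.match(line) for line in log_text.splitlines())
    return sorted((int(m["ts"]), m["ip"], m["auth"], int(m["cid"])) for m in matches if m)

def find_enumerators(log_text, min_run=5, max_step=1):
    """Map client IP -> longest run of requests whose customer IDs increase by at
    most max_step each time; only clients with a run of at least min_run are kept."""
    ids_by_ip = defaultdict(list)
    for _, ip, _, cid in parse(log_text):
        ids_by_ip[ip].append(cid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if 0 < cur - prev <= max_step else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

def unauthenticated_hits(log_text):
    """Count requests per client IP that reached the customer endpoint with no
    credential; with authentication enforced, this count should always be zero."""
    counts = defaultdict(int)
    for _, ip, auth, _ in parse(log_text):
        if auth == "anon":
            counts[ip] += 1
    return dict(counts)
```

On the sample log, `find_enumerators(SAMPLE_LOG)` and `unauthenticated_hits(SAMPLE_LOG)` both return `{'203.0.113.7': 10}`, while the token-bearing client fetching two unrelated records is not flagged.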
Not all hire companies need the level of monitoring and governance that Optus, as a provider of critical infrastructure, should have had in place. However, all hire companies should be driving a culture of cyber safety, and that starts at the very top of every business.
Hotline IT have recently developed a 3-Tier certification system (Cyber Essentials, Cyber Safe and Cyber Secure) for Australian businesses. This practical approach to Cyber Security combines major standards from around the world, in a way that Australian businesses and business leaders can understand. If you have concerns about how you relate to current best practice security standards, please contact Hotline IT for an assessment. It is free for all members.

