Hackers claiming to be behind the breach of personal information about millions of Optus customers have demanded the company pay US$1 million in the cryptocurrency Monero to stop them from selling the data.
News of an Optus breach broke during last Thursday’s National Day of Mourning with the telco saying someone had accessed data on "at most" 9.8 million users including names, dates of birth, phone numbers, email addresses, physical addresses, driver’s licence, and passport numbers.
A hacking forum user claiming to be the Optus attacker soon posted about the breach, saying they had a database containing personal information of 11.2 million Optus users.
The attacker gave Optus one week to pay the extortion price before customer data would go on sale.
Optus said it has been in contact with relevant authorities including the Australian Federal Police and the Office of the Australian Information Commissioner.
Journalists like Jeremy Kirk accessed a sample data set and found enough unique details – that is, information that hadn’t been previously disclosed in breaches – to verify the data as likely being sourced from Optus.
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol
— Jeremy Kirk (@Jeremy_Kirk) September 24, 2022
Kirk then shared his interaction with the hacker, who explained that they scraped the data from an unauthenticated, internet-facing API.
The attacker ran a script that enumerated the ‘contactid’ field, incrementing the identifier and scraping customer records one by one, until the high volume of requests eventually triggered a security alert.
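The pattern described above, a single client walking a sequential object identifier against an unauthenticated endpoint, is visible in ordinary access logs long before the request volume alone looks alarming. The following detector is an added example written for this article, not code from Optus or from the journalists quoted here: the log format, the endpoint path /api/customer/{contactid}, the sample lines and the thresholds are all assumptions for illustration. It groups requests by client, slides a time window over each client's requests, and flags a client whose requested identifiers are mostly in step-of-one order.

```python
"""Detect sequential-ID enumeration against an API from access-log lines.

Added example (not Optus code): log format, endpoint path and thresholds
are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: client_ip ISO-timestamp "METHOD path" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# Assumed endpoint shape: a numeric object identifier at the end of the path.
ID_RE = re.compile(r"^/api/customer/(?P<cid>\d+)$")


def parse_line(line):
    """Return (ip, timestamp, contact_id) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = ID_RE.match(m.group("path"))
    if not p:
        return None
    return m.group("ip"), datetime.fromisoformat(m.group("ts")), int(p.group("cid"))


def find_enumerators(lines, window=timedelta(minutes=5),
                     min_requests=20, min_sequential_ratio=0.8):
    """Flag clients that fetch many records in a window, mostly by incrementing the ID.

    Returns {ip: {"requests": n, "distinct_ids": d, "sequential_ratio": r}}
    for each client whose largest qualifying window exceeds the thresholds.
    A client re-fetching its own record scores 0 (ID step is 0, not 1).
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, cid = rec
            per_ip[ip].append((ts, cid))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start so the span never exceeds `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) < min_requests:
                continue
            ids = [cid for _, cid in span]
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            ratio = steps / (len(ids) - 1)
            if ratio >= min_sequential_ratio and (best is None or len(span) > best["requests"]):
                best = {
                    "requests": len(span),
                    "distinct_ids": len(set(ids)),
                    "sequential_ratio": round(ratio, 2),
                }
        if best:
            flagged[ip] = best
    return flagged


# Constructed sample log (not real data): one client walks contactid 1001..1030
# one request per second; two ordinary clients; one non-matching line.
BASE = datetime(2022, 9, 17, 2, 0, 0)
SAMPLE_LOG = [
    f'203.0.113.7 {(BASE + timedelta(seconds=i)).isoformat()} "GET /api/customer/{1001 + i}" 200'
    for i in range(30)
] + [
    '198.51.100.4 2022-09-17T02:00:05 "GET /api/customer/4471" 200',
    '198.51.100.4 2022-09-17T02:03:10 "GET /api/customer/4471" 200',
    '198.51.100.9 2022-09-17T02:01:00 "GET /login" 200',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {stats}")
```

The sequential-ratio test is what separates this from a plain rate limit: a busy but legitimate client repeats the same identifier or requests unrelated ones, while an enumeration script produces a near-perfect run of consecutive values. In production the detector would also key on the authenticated principal rather than only the source address, since the attacker here is reported to have used foreign IP addresses, and would count distinct identifiers per client regardless of order.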
Optus has refused to comment on the technical aspect of the attack, instead saying it was the work of a “sophisticated” attacker who used European IP addresses to mask their real location.
In a statement sent to the media on Saturday evening, Optus said the Australian Federal Police had advised to not comment on “certain aspects of the investigation, including verifying the authenticity of customer information published on the internet”.
On Monday, Optus said it had sent emails to all customers who had their driver’s licence and passport numbers accessed.
“We encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” Optus CEO Kelly Bayer Rosmarin said in an initial statement.
Better protections needed
Home Affairs Minister Clare O’Neil responded to the Optus breach by pre-announcing legislative changes that would see banks informed of breaches sooner to help protect customer accounts.
But there are calls for the government to go harder on companies like Optus who fail to adequately secure customer data.
Digital rights advocacy group Electronic Frontiers Australia took particular exception to the way these data breaches have an imbalanced effect on individuals who did nothing wrong.
“Government regulations require Australians to hand over our private information to government departments and private businesses. We are given no choice in the matter,” EFA said in a statement.
“When those organisations fail to keep our private information secure, we are the ones that suffer. We are the ones that must scramble to determine if we are at risk, often without any help from the people who we were forced to give our information to.
“It is time for the people who keep failing to keep our private information safe to take responsibility for their failures. They are to blame, not us.”
Australian Computer Society (ACS) CEO Chris Vein said the breach demonstrates why it is so important to train the estimated 30,000 cyber security workers still needed in the coming years.
“Securing data and systems is essential in protecting the nation’s digital assets and all Australians’ personal information,” Vein said.
“ACS urges Australian governments and businesses to take cyber threats seriously.”
This article was updated on 26/9/2022.