In the aftermath of the Optus hack, considering that Optus hasn't done – and still not done – a great job in managing the PR of the incident.
I want to reflect on the breach, list what I know, what I don’t know, and what I’ve learned so far and recommend.
Firstly, my all-time favourite quote that I borrow from Air Crash Investigation: "Incidents and breaches don't just happen, they are a chain of failed controls".
Break any failure in the chain and this data breach could have been avoided.
So, what do we know about the Optus breach so far?
- From the little information available to us, this was not a sophisticated attack, it was a simple and almost straightforward attack. People with basic knowledge of APIs can execute such attacks fairly easily
- It appears that the API has no rate limiting. I don’t know what the intent of the API was in the first place, but the absence of rate limiting certainly allowed the attacker to exfiltrate a large amount of data before being detected
- It appears that the API, before being released to the internet, has not undergone any penetration testing that could have easily picked up the issue.
- An API without authentication, in 2022, really?
- It appears that Optus has little or ineffective data classification handling procedures
- From the data released, it also appears that Optus has a little or ineffective data retention policy. There were too many sensitive leaked records should have been long gone
- It appears that Optus has little or ineffective monitoring for its web-facing infrastructure
- It appears that Optus hasn’t established proper data masking for sensitive data. I would bet this database is easily accessible within the Optus network
- The suggested penalty under the Australian Privacy Act will possibly be less than what Optus currently spends on stationery
- Essential 8 requirements would not have prevented the breach from happening. Australian companies should consider the Essential 8 as the bare minimum, that is, the floor instead of the ceiling of their security program
- Regardless of how I feel about Optus, I wish this was a unique case, but it is not. From my experience and exposure, I know for a fact that many other private and public entities (local, state, and government) have terrible security controls and data handling, much worse than what Optus currently has
- The regulatory requirement regarding data retention is convoluted, confusing, and complex. Just visit Public Records of Victoria (PROV) and search for ‘data handling’ – you’ll find many retention requirements that contradict and confuse anyone attempting to venture in there.
What we don’t know:
- How long that portal was made publicly available. It could have been sitting there for years
- If someone else detected the same portal and has been extorting that data without triggering any alert
- Who from within Optus and its large partner web ecosystem have had access to this data
- If someone at Optus made an extract of that data in Excel for legitimate business purposes
- How many replicas of the same customer-sensitive data or the same portal are lurking around Optus systems and networks
- If there are other portals publicly available that could expose similar sensitive data or which are connected to the same backend database
- I am almost sure, yet can’t be 100% sure, that someone in Optus has detected and attempted to report this issue only to be burdened by the organisation’s bureaucracy.
What I think the lessons learned from this are:
- The payment gateway for handling sensitive credit card payment has existed for years now. I fail to understand why personal information gateways isn’t a thing
- There should be a unified cyber security standard or best practice that Australian companies should comply with. This would be applicable to companies larger than a certain size or turnover, or if handling sensitive data relative to their size and turnover
- Penalties on large businesses like Optus should be commensurate with the records and the data breach. For example, the IBM data breach calculator estimates that on average, a breach costs companies $140 per record. In my opinion, companies should be facing penalty equivalent to the same amount
- Data handling and classification for any entity, big or small, that stores or processes sensitive data should be mandated
- Data retention policy must be easy, simple, and mandated. Companies cannot and should not be storing sensitive data “for historical or marketing purposes” forever. These are like cardboard boxes in your garage – once they serve their purpose, they are fire hazards and must be disposed of.
While this breach is a sum of multiple control failures, human error, and somehow accumulation of failed controls, this unfortunately will not be the last. I firmly believe that organisations, big or small, need to find a best practice that they should adopt to ensure they have layered controls that can detect, protect, and monitor events and incidents to stop these attacks from happening.
Louay Ghashash is chair of the ACS Cyber Security Committee. He has more than 22 years' experience in information security across number of industries and has acted as Chief Information Security Officer (CISO) across a number of Non-for-Profit and Retails and FSI. Louay has solid experience in providing security advisory for senior managers and Board of Directors.