Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response
Australian Telco Optus Investigates Scope of Large BreachOptus CEO Apologizes and Says Incident Is Under 'Criminal Investigation'
Australian telecommunications firm Optus is continuing to investigate a data breach that may be one of the largest ever in the country (see: Australian Telco Optus Warns of 'Significant' Data Breach).
In a press conference and in interviews on Friday, Optus CEO Kelly Bayer Rosmarin apologized for the incident but did not reveal many details, saying the breach is under "criminal investigation."
"I'd like to start off by making sure that it's clear that we are apologizing to all of our customers," Rosmarin says. "We know that this attack creates great concern."
The attackers accessed names, birthdates, phone numbers and email addresses. For some customers, driver's licenses and passport numbers may have been exposed, according to a news release. The data goes back to 2017, Rosmarin says. No financial data or passwords were exposed.
"We don't know who these attackers are and what they want to do with this information," she says.
Optus has so far not said how many customers are affected, but the operator has around 10.2 million subscribers. Rosmarin says Optus is going to notify those affected, starting with those for whom the most data was exposed.
Information Security Media Group contacted several threat intelligence companies that closely monitor the dark web, where stolen data is traded and offered for sale. No data connected to the latest breach appears to be offered.
If a state-sponsored actor breached Optus, it's unlikely the data would be sold. If the breach was caused by data broker cybercriminals, the data may be sold in small, private circles first rather than in big batches. The data is useful to cybercriminals for a variety of activities, including phishing attacks, SIM swapping and identity theft.
Optus is Australia's second-largest telecommunications company, providing landlines, mobile connectivity, internet and cable access, leased lines and more. It is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group.
Encryption in Play?
Optus said later on Friday that the personal data was encrypted and that there were "additional security solutions enabled," according to a spokesman.
"Unfortunately, due to the sophistication of the attack, the hackers were still able to gain access," the spokesman said.
The Australian Federal Police, which is investigating the breach, has requested that Optus not "discuss certain details as it might compromise their ability to find the bad actor," the spokesman says.
Rosmarin was pressed earlier in the day on the security controls around the data. She was asked four times by a Sky News Australia journalist whether the customer data was encrypted, according to a video. She responded that because of the ongoing investigation, "we are not at liberty to disclose details about the data, where it resides, how the attack happened."
"I'm sorry - I just don't understand why you can't say whether any of it is encrypted or not," the journalist said.
Rosmarin said that encryption is one method that Optus uses to protect customer information, along with other defensive measures.
"Unfortunately, in addition to our customers who listen to all the information we are getting out there via the media, there are bad actors who also read the media and so we are restricted in what we can say," Rosmarin said.
"But if it's encrypted, that just makes you harder to hack, doesn't it?" the journalist asked.
Encryption would certainly stop an attacker from reading or using the data without a decryption key. But if the attackers had access to an account with permissions to read the data - which appears to be the case here - use of encryption at certain points would be irrelevant.
No Ransom Demand
Rosmarin said Optus had not received a demand for ransom, and she did not indicate that data had been encrypted by the attackers. That likely eliminates the possibility of a ransomware attack.
Since Optus has not received a ransom demand, that could mean whoever took the data isn't trying to extort the company.
On Thursday, The Sydney Morning Herald reported that the source of the breach may have been a vulnerable API, or application programming interface. Rosmarin acknowledged that people are "hungry for details" but when asked about that report, she reiterated that the breach is under investigation.
"We will not be divulging details about that," she said.
The ABC then reported on Friday afternoon that the breach may have been caused by human error. An API for an Optus customer identity database was opened to a test network that "happened to have internet access." APIs are software interfaces that allow systems to exchange data, but they could pose risks of data breaches if exposed directly to the internet.
The ABC quoted a "senior figure" inside Optus, but the company says the report is inaccurate.
Rosmarin did say during the press conference that investigators noticed IP addresses originating from Europe accessing Optus' systems. The servers are likely not where the attackers originate, however. Cybercriminals typically use other hacked servers or other systems to shield their true location.
"The IP address kept moving," Rosmarin says. "It's a sophisticated attack."