The minister for home affairs and cybersecurity, Clare O’Neil, is expected to announce reforms that would enable Optus to inform financial institutions about the data compromised in its recent cyber-attack.
O’Neil is expected to announce reforms in the coming week that would enable companies such as Optus to more rapidly provide data to banks following security breaches.
Australian companies must do all they can to protect their customers’ data. I will have much more to say in coming days about the Optus cyber attack and what steps need to be taken in the future.
— Clare O'Neil MP (@ClareONeilMP) September 24, 2022
It comes amid a suggestion that the compromised Optus data may have been accessed via an avenue involving no password or security restrictions.
Optus revealed the massive data breach on Thursday. Details including names, dates of birth, phone numbers, email addresses, home addresses, and passport and driver’s licence numbers have been stolen.
On Saturday a post appeared on a data market by a user claiming to possess information obtained from the breach, including the details of 11.2 million Optus customers and more than 3.6m driver’s license numbers. Two samples each of 100 user records were also posted, as well as a demand for $1m in cryptocurrency.
Jeremy Kirk, the executive editor of the Information Security Media Group (ISMG), who has been in contact with the user, was able to verify some of the information in the sample data and said it appeared to genuinely originate from Optus.
The user claimed to have extracted the data from an unauthenticated application programming interface (API) – software that allows two different systems to talk to each other – meaning that login details were not required to access it.
“If you were an Optus subscriber, and you logged in and you said, ‘Show me my account info’, that’s an API grabbing your account information and bringing it back to you,” Kirk said. “You’re authenticated because you’ve logged in … you don’t have any broader access to anything else.”
Kirk said that the data breach appeared to have occurred because “Optus exposed this quite powerful API that was connected to their entire customer database, apparently. And it was just on the internet.”
The user told Kirk in a message: “No authenticate needed. That is bad access control. All open to internet for any one to use.”
The user’s claims were independently corroborated by a second source, Kirk said.
A spokesperson for the Australian federal police said yesterday that the agency was aware of claims the data had been put up for sale.
Optus chief executive, Kelly Bayer Rosmarin said on Friday that the company was not sure exactly how many customers had their details compromised, but said 9.8 million was the “worst case scenario”.
The cyber-attack has potentially affected customers dating back to 2017, as Optus is required to keep identity verification records for six years. In the past, the telco has proposed changes to privacy laws that would enable customers to request their data be destroyed.
Optus call centre staff have told Guardian Australia that the telco has been swamped with complaints through its online complaints form. Staff say they have not been informed when or if a dedicated hotline will be set up, but have been directed to call each complainant to “resolve the issue”, explaining to customers what people can do to manage their risk individually.
New twist in the #optus hack: heard from frontline call centre staff - who have also had their data stolen - that the telecom has been swamped with complaints through its online form and are being made to call each complainant to "resolve the issue". 1/
— Royce Kurmelovs (@RoyceRk2) September 25, 2022
Optus was contacted for comment.