A tech expert has refuted claims the Optus cyberhack that exposed millions of customers’ sensitive details was ‘sophisticated’, saying hackers accessed a ‘goldmine’ in a simple security breach.
Optus customers past and present have potentially had their personal addresses, dates of birth, passport details, drivers licences, phone numbers and email addresses stolen last week in Australia’s largest data breach.
Optus CEO Kelly Bayer Rosmarin described the cyberhack as a ‘sophisticated attack’ that compromised the records of 9.8 million people in the ‘absolute worst case scenario’.
However, tech expert and editor of EFTM.com Trevor Long said he wouldn’t call the data breach a ‘hack’ as the telco company’s security was ‘just not good enough’.
Optus labelled the cyberhack, which saw nearly 10million Aussies potentially have their personal data stolen, as a ‘sophisticated attack’ (stock image, Optus shop front)
‘If we are to believe the hacker, this was not even a sophisticated hack, it’s not even a hack,’ Mr Long told Daily Mail Australia.
‘They were able to exploit an internal system and access information in a simple security breach.
‘It’s a goldmine for identity fraud and hackers and now there’s already 10,000 people whose details are readily available to scammers.’
Mr Long explained the hacker was able to find the address of the telco’s central computer containing the database of customer records and information.
The hacker, known as ‘Optushack’, allegedly requested the records and was given access to the information without having to provide authentication or a password.
If true, Mr Long has labelled the lack of security as a ‘fundamental flaw’ in Optus’ cybersecurity defences.
‘If the hacker is telling people about their access to the API [Application Programming Interface] being so simple and not authenticated, it’s simply a breach and that makes this even worse,’ Mr Long said.
Tech expert and editor of EFTM.com Trevor Long (pictured) said the cyber attack was a ‘simple security breach’ and claimed Optus’ defences were ‘just not good enough’
Mr Long said Optus needs to have a ‘look at themselves’ as he believes the data was not encrypted despite the telco company claiming it was.
‘It’s like someone with a really large home going on holiday. They lock every door and every window but unfortunately those locks were either picked or left slightly ajar,’ Mr Long said.
WHAT IS AN API?
An application programming interface (API) is a way for two or more computer programs to communicate with each other.
It is a type of software interface, offering a service to other pieces of software.
APIs provides a way for applications to work with each other and deliver the information requested without user intervention by using a simple set of commands.
Acting as messengers, APIs deliver one application’s request to another and return a response in real time.
To gain specific information from a program a user has to make a request using a specific list of commands.
Once requested, the other program processes the commands and sends back the requested information.
‘In either case, no one is doubting Optus has security but unfortunately the security wasn’t good enough this time.
‘Most importantly, Optus says the data was encrypted but I don’t believe it was. For a hacker to get access to the information and decrypt it, is in and of itself an even bigger deal.
‘I think the information was not encrypted and it should have been and that’s where they probably should have had a bigger look at themselves and their security.’
In a bizarre post on Tuesday morning, ‘optushacker’ claimed there were ‘too many eyes’ on them and said they would not sell or leak the hacked data.
In broken English, optushacker said: ‘Deepest apology to Optus for this. Hope all goes well from this’.
The hacker also claimed they would’ve told the telco about their vulnerability but there was no way of getting in touch with them.
‘Optus if your (sic) reading we would have reported exploit if you had method to contact,’ the apology continued.
‘No security mail, no bug bountys, no way too message. Ransom not paid but we don’t care any more.’
The extraordinary backflip comes hours after the cybercriminal threatened to release another 10,000 records every day for the next four days if a $1.5million ransom was not paid.
The customer records the hacker has released so far included passport, drivers licence and Medicare numbers, as well as dates of birth and home addresses.
The hacker wrote they couldn’t delete more data even if they wanted to because they had ‘personally deleted data from drive’ which they claim is the only copy.
In a bizarre post on Tuesday morning, ‘optushacker’ claimed there were ‘too many eyes’ on them and said they would not sell or leak the hacked data of up to 10 million Australians
It comes after the hacker, known as ‘Optushack’, appeared on the dark web demanding Optus to pay a ransom of $1.5million or they would release another 10,000 records every day for the next four days
Mr Long said the event was a reminder that strong personal security is needed and urged Australians to use two-factor authentication and update their passwords.
‘This event is a great reminder for everyone that we need strong security ourselves,’ Mr Long said.
‘It’s a good time to come up with a new and strong password for your bank, your email, and for things like your social media sites and set-up two-factor authentication.
Those two things will give you great security across your service and most of your platforms.’
The data breach, which ranks as one of the country’s largest ever, is under investigation by the Australian Federal Police.
On Monday, Home Affairs Minister Clare O’Neil launched a scathing attack on Optus in parliament for allowing a ‘basic’ hack and said the government was looking at ways to mitigate the fallout.
‘The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,’ Ms O’Neil said.
‘We expect Optus to continue to do everything they can to support their customers and former customers.’
Mr Long explained the hacker gained access to the telco’s central computer, which housed a customer database, and was able to download information without authentication or a password (stock image, hacker working with laptop)
Ms O’Neil said the government was looking to work with financial regulators and the banking sector to see what steps could be taken to protect affected customers.
‘One significant question is whether the cyber security requirements we place on large telecommunications providers in this country are fit for purpose,’ Ms O’Neil said.
‘In other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.’
Prime Minister Anthony Albanese said the data breach was a ‘huge wake-up call’.
As the government prepares to introduce new cybersecurity measures, Mr Albanese said the new protections would mean banks and other institutions would be informed much faster when a breach happened so personal data could not be used.
On Monday, Optus announced some customers will be offered a 12-month subscription to the security monitoring service Equifax Protect.
‘The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost,’ Optus said in a statement.
‘Please note that no communications from Optus relating to this incident will include any links as we recognise there are criminals who will be using this incident to conduct phishing scams.’
What Optus has said about the breach:
How did this happen?
Optus was the victim of a cyberattack. We immediately took action to block the attack which only targeted Optus customer data. Optus’ systems and services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.
Has the attack been stopped?
Yes. Upon discovering this, Optus immediately shut down the attack.
We are now working with the Australian Cyber Security Centre to mitigate any risks to customers. We have also notified the Australian Federal Police, the Office of the Australian Information Commissioner, and key regulators.
Why did we go to the media first instead of our customers?
The security of our customers and their data is paramount to us. We did this as it was the quickest and most effective way to alert as many current and former customers as possible, so they could be vigilant and monitor for any suspicious activity. We are now in the process of contacting customers who have been impacted directly.
What information of mine may have been exposed?
The information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers. Customers affected will be notified directly of the specific information compromised.
Optus services, including mobile and home internet, are not affected. Messages, voice calls, billing and payments details, and account passwords have not been compromised.
What should I do to protect myself if I suspect I am a victim of fraudulent activity?
We are not currently aware of any customers having suffered harm, but we encourage you to have heightened awareness across your accounts, including:
Look out for any suspicious or unexpected activity across your online accounts, including your bank accounts. Make sure to report any fraudulent activity immediately to the related provider.
Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
How do I contact Optus if I believe my account has been compromised?
If you believe your account has been compromised, you can contact us via My Optus App – which remains the safest way to contact Optus or call us on 133 937 for consumer customers. Due to the impact of the cyberattack, wait times may be longer than usual.
If you are a business customer, contact us on 133 343 or your account manager.
How do I know if I have been impacted?
We are in the process of contacting customers who have been directly impacted.