Beleaguered telecoms company Optus has called in consultants from Deloitte to perform a full and independent forensic review of its security systems after a cyberattack that led to one of the largest data breaches in Australian history.
The massive cyberattack, first detected on 14 September, is now the subject of an ongoing federal police investigation dubbed ‘Operation Hurricane’ and is thought to have led to 2.8 million records containing personally identifiable information being exposed.
Attackers are said to have infiltrated the Optus system through an API used to test a customer ID system. It is thought a “human error” left the API externally visible, allowing the unidentified hackers to gain access.
Owned by Singapore Telecommunications (Singtel), Optus has 9.8 million customers, about 40% of the population of Australia, where the attack took place.
Minister for Home Affairs and Cyber Security Clare O’Neil called it a “basic hack” and questioned how a telecom operator “left a window open for data of this nature to be stolen”.
Optus CEO Kelly Bayer Rosmarin contracted Deloitte to examine the security systems, controls and processes used by the company, and to conduct a forensic investigation of the attack to determine how it came about and where faults might sit within the company’s systems or procedures.
Bayer Rosmarin told media that the investigation will in part determine how Optus responds to the incident. She apologised and recognised the “significant concern it has caused many people”.
“While our overwhelming focus remains on protecting our customers and minimising the harm that might come from the theft of their information, we are determined to find out what went wrong,” she declared, adding that the review “will help ensure we understand how it occurred and how to prevent it from occurring again.”
She said the review was partly intended to rebuild trust with customers, and that understanding what led to the attack was an important part of that process.
Optus cyberattack: reports of fines ‘speculative’
The Singtel board also clarified that any reports of fines or costs it faces linked to the attack were “speculative” and “couldn’t be relied upon”. Law firm Slater and Gordon is said to be preparing a class action lawsuit against the company, but Optus says it has yet to receive any notification of this; its board added that the business’s lawyers have been instructed to advise on any possible action, which “would be vigorously defended”.
“Singtel is continuing to evaluate the potential financial implications arising from this matter and any material development will be disclosed to the market on a timely basis,” the board wrote in a statement.
The data was posted on a popular data breach website, with the criminal behind the breach asking Optus to pay $1m in the Monero cryptocurrency within a week to prevent the whole cache of data being released. Security company ISMG says it has analysed some of the information and that it appears to be genuine.
Optus was ordered to provide free credit monitoring for those impacted by the breach and warned there would need to be a review of how the Australian government regulated against cyberattacks on critical infrastructure.
O’Neil admitted that Australia’s regulation of cybersecurity was “five years behind” other countries and that there was a need to review the legislation and bring it up to date.
Attacks on telecoms companies and internet service providers are on the rise. A report from the International Data Corporation says 37% of telcos have been targeted by distributed denial of service (DDoS) attacks in the past year. Such attacks have led to 35% of telecoms companies suffering from loss of business.
The UK has recently announced a new set of regulations for telecom networks intended to protect against cyberattacks and to hold those companies to account. The Telecoms Security Act sets out specific actions for public telecom providers, covering supply-chain risks and the protection of equipment from attack.