Optus has been lambasted by Australia’s minister of cybersecurity for falling victim to a “basic hack” which has led to one of the biggest data breaches in the country’s history, with the records of just under 10 million customers being compromised. Australia could now change its cybersecurity rules in the wake of the breach, its prime minister has warned.
The breach, first detected on 14 September and revealed last week, is now the subject of a federal police investigation known as “Operation Hurricane”. It is thought 2.8 million of the stolen records contain personally identifiable information.
Optus, Australia’s second-biggest mobile network, has 9.8 million customers, some 40% of the Australian population.
Optus data breach: a ‘basic hack’
In an interview today, Australia’s minister for home affairs and cybersecurity, Clare O’Neil, said she believed the attack stemmed from “quite a basic hack”. O’Neil said: “We should not have a telecoms operator in this country which has effectively left a window open for data of this nature to be stolen.”
It has been reported that the hacker infiltrated the system through an API being used to test a system for identifying customers. An Optus insider told Australian broadcaster ABC News that “human error” meant this API allowed people outside the company to access customer data. Optus denies this and says investigations into the cause of the incident are ongoing.
The data was posted on a popular data breach website, with the criminal behind the breach asking Optus to pay $1m in the Monero cryptocurrency within a week to prevent the whole cache of data being released. Security company ISMG says it has analysed some of the information and that it appears to be genuine.
O’Neil announced that she has ordered Optus to provide those affected with free credit monitoring, and said there ought to be consequences in the form of fines for companies who suffer breaches like this, admitting that Australia’s cybersecurity regulation was “five years behind” that of other countries.
Australia’s prime minister Anthony Albanese said these rules would be changed following the breach, which he described as a “wake-up call” for businesses. “We want to make sure … that we change some of the privacy provisions there so that if people are caught up like this, the banks can be let know, so that they can protect their customers as well,” he said, in comments reported by Reuters.
The Australian Federal Police has launched Operation Hurricane to find the cybercriminal behind the attack, and is working with overseas law enforcement agencies. “Criminals who use pseudonyms and anonymising technology can’t see us, but I can tell you that we can see them,” warned assistant police commissioner Justine Gough.
Telcos like Optus are being targeted by cybercriminals
Attacks on telecoms companies and internet service providers are on the rise. A report from the International Data Corporation says 37% of telcos have been targeted by Distributed Denial of Service (DDoS) attacks in the past year. Such attacks have led to 35% of telecoms companies suffering from loss of business.
Research from Check Point shows that communications was the third most attacked sector in the last year, with the volume of attacks up 51% from 2020.
The Optus data breach should be heeded as a warning for all telecoms companies and ISPs, says Curtis Simpson, CISO at Armis. “For wireless operators, whose landscape is significantly evolving and has changed monumentally in recent years, protection involves having continuous visibility and insights into the behaviour of all assets,” Simpson says. “Of particular importance are unmanaged assets with the potential to disrupt critical operations and/or client services; this includes IoT devices, OT infrastructure, and cellular IoT.”
UK regulation on telco cybersecurity is coming
While Australia scrabbles to update its cybersecurity rules, the UK is implementing a new set of regulations for telecoms networks to ensure protection from just this sort of attack.
The Telecoms Security Act, which comes into force on 1 October, has been developed with the National Cyber Security Centre (NCSC) and telecoms regulator Ofcom, and sets out specific actions for UK public telecoms providers. These include taking into account supply chain risks and “protecting software and equipment which monitor and analyse networks and services”.
“We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use,” said the NCSC technical director Dr Ian Levy. “These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”