9M Australians affected by Optus data breach (optus.com.au)
I’ve seen Optus “computer security” in action. I use quotes for a reason.
There was a court-enforced order requiring them to apply security updates to their production systems. That was in response to a previous breach.
You see, until a judge made them do it… they weren’t patching anything. They would just build systems and walk away. For some software systems they had every major and minor version deployed, like a museum of software history.
They had operating system versions in production that were in my university text books… in the late 1990s.
Their interpretation of the court order was to update only production systems. Non-production on the same network was not to be touched.
And by “update” they meant simply running the system update tool, which does precisely nothing on software that has passed its end-of-extended-support before some of the IT staff on the payroll were born.
They also fired their entire IT staff recently and replaced them with a low-cost Indian outsourcer.
Most of the above is a matter of public record. I wish I could tell you all about things that are still under NDA.
You can tell how broken their tech is when you try and use the website. Half the pages just fail to load. I don't mean time out, I mean, they think they are finished loading but most of the page is missing.
Don’t confuse the failings of their consumer-facing systems with the madness behind that facade.
The equivalent of what I was describing in terms of a web experience would be having to use a dialup modem to sign up for an account via Netscape Navigator 4. With a login secured using SSL… version 1.0.
I wish I was exaggerating, but their systems literally date back to that era and have comparable limitations in terms of supported network protocols.
Hahaha holy shit is GSMIS still running? In all its TUI glory?
When I left, the mobile division had its customers split between three different systems; GSMIS, Focus and Arbor. The poor customer service reps would have no idea which one any given user was in when the phone rang. The only way to figure it out was to ask the person for their phone number, then type that number into each backend and see which one returned a result.
Telstra's got something similar going on with their management systems - three platforms and two incomplete migrations in progress for seemingly the last eternity.
I tried to sign up for Optus in around 2007? They had this contract system you agreed to over the phone. I spent ages saying “yes” in different ways because it couldn’t pick up my kiwi accent. Eventually I managed to agree and got the worst internet experience ever. Moved to TPG after the contract finished.
maybe the same or a different determination that was levelled against them? https://web.archive.org/web/20170218203327/https://www.oaic....
the 100,000’s of open management ports is pretty lol
> Non-production on the same network was not to be touched.
Unsurprisingly, you were absolutely correct.
"An early investigation suggests hackers were able to breach Optus through a test network"
'Human error' emerges as factor in Optus hack affecting millions of Australians https://www.abc.net.au/news/2022-09-23/optus-hack-likely-res...
from the twitter link ..."The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use. The API endpoint was api[dot]optus.com.au. Yes, that looks weird, but the hacker says it worked otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data."
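The failure described in that tweet is a customer-lookup endpoint that neither authenticates the caller nor checks that the caller owns the record it asks for. The following is an added example (not Optus code; the customer table, the token format and the field names are all constructed for illustration) that puts such a handler beside a hardened one which requires a bearer token and then enforces object-level authorization, so even a legitimately logged-in customer cannot walk a sequential id space and read other customers' records:

```python
"""Unauthenticated customer-lookup handler (the failure mode described in
the tweet above) next to a hardened version that enforces both
authentication and object-level authorization.  Added example, not Optus
code; data store, token format and field names are invented."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: a customer table keyed by a sequential id.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-02",
           "email": "a@example.invalid", "licence_no": "12345678"},
    1002: {"name": "B. Example", "dob": "1991-03-04",
           "email": "b@example.invalid", "licence_no": "87654321"},
}

# Server-side secret for signing session tokens (generated at start-up).
_TOKEN_KEY = secrets.token_bytes(32)


def issue_token(customer_id: int) -> str:
    """Mint 'customer_id.nonce.mac' after a customer has logged in (login
    itself is out of scope).  The MAC binds the token to one subject."""
    nonce = secrets.token_hex(8)
    body = f"{customer_id}.{nonce}"
    mac = hmac.new(_TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def subject_from_token(token: Optional[str]) -> Optional[int]:
    """Return the customer id a token was issued to, or None if the token
    is missing, malformed or tampered with."""
    if not token:
        return None
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    cid, nonce, mac = parts
    expected = hmac.new(_TOKEN_KEY, f"{cid}.{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(cid)


def get_customer_vulnerable(customer_id: int, headers: dict) -> tuple:
    """Vulnerable handler: anyone who can reach the endpoint can read any
    record, and because ids are sequential the whole table is enumerable."""
    record = CUSTOMERS.get(customer_id)
    return (404, None) if record is None else (200, record)


def get_customer_hardened(customer_id: int, headers: dict) -> tuple:
    """Hardened handler: (1) the caller must present a valid token and
    (2) the token's subject must equal the record requested."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    subject = subject_from_token(token)
    if subject is None:
        return 401, None          # not authenticated
    if subject != customer_id:
        return 403, None          # authenticated, but not this record
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, None
    # Return only what the customer-facing feature needs; the ID document
    # number never leaves the server.
    return 200, {k: record[k] for k in ("name", "email")}


def enumerate_with(handler, ids, headers=None) -> int:
    """Count how many records a caller can pull by walking an id range."""
    headers = headers or {}
    return sum(1 for i in ids if handler(i, headers)[0] == 200)


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, no token:", enumerate_with(get_customer_vulnerable, ids))
    print("hardened, no token:  ", enumerate_with(get_customer_hardened, ids))
    tok = issue_token(1001)
    print("hardened, 1001's token:",
          enumerate_with(get_customer_hardened, ids,
                         {"Authorization": f"Bearer {tok}"}))
```

Run it and the vulnerable handler yields every record in the range to an anonymous caller, while the hardened one yields none without a token and exactly one (the caller's own) with a valid token. In a real service the token check belongs in middleware so no handler can forget it, and the 403 can be a 404 if you would rather not confirm which ids exist.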
In Australia, due to counter terror laws, you can't get a phone sim without providing verifiable government ID. So the consequence of that is that the phone companies have a really large amount of sensitive information. This information loss should be treated like a workplace death. Or a toxic spill. Things will only change when a CEO goes to jail for this sort of obvious negligence. It may be harsh, but until there's real consequences, nothing will change.
Optus CEO Kelly Bayer Rosmarin did an interview with ABC today, and said "some of the customer information is information you would find on Facebook or LinkedIn such as name, date of birth, phone number and email address".
Umm...no. Most people do NOT publicise that information to the public.
Agreed. Until a CEO goes to jail for something like this, it'll continue to become a "pay the fine and move on" situation.
Worth keeping in mind that Optus recently hired Gladys Berejiklian, which may say something about the character of the company:
https://finance.yahoo.com/news/optus-appoints-ex-nsw-premier...
For international readers, Gladys Berejiklian was the Premier of the state of New South Wales, and resigned as Premier once it became public that she and her boyfriend were being investigated by the Independent Commission Against Corruption. Optus is the job she accepted while the corruption investigation continued.
https://au.finance.yahoo.com/news/gladys-berejiklian-resigns...
It's probably not from prepaid SIM ID checks. Telcos are forbidden from retaining your passport/drivers licence details after your identity has been verified [1].
[1] https://www.legislation.gov.au/Details/F2017L00399 (Section 6.4)
> Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers. Payment detail and account passwords have not been compromised.
Geez, ID document numbers is such a big thing. Now hackers can basically call most institutions and impersonate victims. This is quite huge.
It shows why we need to rapidly embrace the idea that knowledge of an ID document number and its associated personal details is insufficient proof of identity.
this brings up a very important question - how does one verify one's identity with a business? Esp. online, without having to meet in person at some sort of branch/store?
Some kind of identity provider, like https://www.mygovid.gov.au/ or https://www.digitalid.com/personal
Yes it’s pushing the problem somewhere else, but at least I’m not giving copies of my ID to every little shit of a business.
Why the hell were they storing it? just delete it after marking the account as verified.
Even if it needs to be verified afterwards, the numbers could be bcrypted with high enough iteration count to make them impossible to brute force but easy to verify every few years if necessary... Say 10sec per id?
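The scheme proposed in the comment above (keep only a slow, salted hash of the ID number so it can still be re-verified later) looks like this in practice. This is an added example, not Optus code. It uses PBKDF2-HMAC-SHA256 from Python's standard library instead of bcrypt so it runs without third-party packages; the iteration count plays the same role as bcrypt's work factor. It also includes the arithmetic a practitioner would want alongside the proposal: an ID document number is a short string from a small space, so the assumed 10-second cost per guess and a 9-digit number space (both assumptions, not figures from the page) give an attacker a per-record brute-force time that is long but finite, and the per-record salt is what stops that work being shared across millions of records.

```python
"""Store a verification-capable hash of an ID document number instead of
the number itself.  Added example, not Optus code.  PBKDF2-HMAC-SHA256
(standard library) stands in for bcrypt; the cost parameter is the same idea."""
import hashlib
import hmac
import os
import time

# Iteration count chosen so one derivation takes a noticeable fraction of a
# second on commodity hardware.  A system that only re-verifies every few
# years can afford far more (the comment's 10 s per id).
DEFAULT_ITERATIONS = 200_000


def normalise(id_number: str) -> bytes:
    """Canonicalise before hashing so '1234 5678' and '12345678' match."""
    return "".join(id_number.split()).upper().encode()


def hash_id_number(id_number: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2$<iterations>$<salt-hex>$<digest-hex>'.  The per-record
    random salt means an attacker cannot share guessing work across records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(id_number), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_id_number(id_number: str, stored: str) -> bool:
    """Re-derive from the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(id_number), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def seconds_per_guess(iterations: int = DEFAULT_ITERATIONS) -> float:
    """Time one derivation: the attacker's cost per guess, per record, on
    hardware comparable to the measuring machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"00000000", b"x" * 16, iterations)
    return time.perf_counter() - start


def brute_force_seconds(space_size: int, per_guess: float, parallelism: int = 1) -> float:
    """Worst-case seconds to exhaust an id space of `space_size` values for
    ONE record at `per_guess` seconds per attempt across `parallelism` cores.
    Unlike a password, an ID number is drawn from a small space, so a slow
    hash buys time, not impossibility."""
    return space_size * per_guess / parallelism


if __name__ == "__main__":
    stored = hash_id_number("1234 5678")
    print(stored)
    print("correct:", verify_id_number("12345678", stored))   # True
    print("wrong:  ", verify_id_number("12345679", stored))   # False
    # Assumed 9-digit number space and the comment's 10 s per guess.
    per = 10.0
    print("years on 1 core:  ", brute_force_seconds(10**9, per) / 31_557_600)
    print("days on 10k cores:", brute_force_seconds(10**9, per, 10_000) / 86_400)
```

With those assumptions a single record costs roughly 300 core-years to exhaust, which is about 12 days on ten thousand cores; the defence is real but bounded by the size of the number space, which is why not retaining the number at all (verify during signup, then discard) is the stronger position. The stored string carries its own iteration count so the cost can be raised on re-verification without a schema change.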
Yup. It's massive.
OP here.
Some more information here (not my preferred source, but oh well): https://www.news.com.au/technology/online/hacking/up-to-9-mi...
It seems around 2.8m have had 'all' data stolen (including ID, address, etc), and around 7m 'just' names, DoB and numbers/e-mail addresses.
Apparently Optus is working on sending personalised details to customers.
What a monumental stuff up.
Myself included. All data listed, though they couldn't specify if it was my passport or driver's license number. I haven't been a customer with them for over 5 years.
FYI Optus is Australia's second largest telecommunications provider. This would be the worst known data breach in Australian history.
It is interesting that compared to identity theft announcements from many US corporations they are direct, apologize and state the authorities they are working with. I imagine there's less fear of the legal consequences of not having a tight response as the culture isn't as litigious.
The recent update to Cyber Security legislation in Australia specifically states that any major breach must be reported to the Australian Cyber Security Centre within 24 hours of becoming aware of it. "MAJOR" being subjective, but this easily qualifies.
There are significant penalties for not disclosing within this time period, which is why I think we are seeing this reported before Optus has a clearer plan of how to deal with it.
As a customer of Optus and cyber security trained professional, I'm very frustrated, to say the least.
Thanks for that extra info on the obligatory reporting. Good for consumers to know now. I feel like this report could take months to come out in the US.
DOB, name and address are typically enough details to commit severe identity theft, at least back in 2017 when it happened to me in Australia. Someone stole a letter from my insurer in my mailbox and used my name and address to impersonate me and obtain my DOB and email from my insurer. They then used these details to hijack my phone number (SIM porting) and obtain my bank account details. They ended up hacking into my online banking (because my bank used and still uses SMS based OTP, not a device key - St George Bank, I’m looking at you) and tried withdrawing thousands of dollars in cash from an atm using cardless withdrawal. They didn’t succeed because I was overseas at the time and the bank fraud monitoring picked it up on the spot and froze all my cards. Very scary indeed and firm proof that you can do a lot of damage with very little information about someone, at least in Australia.
> used my name and address to impersonate me and obtain my DOB and email from my insurer
Sounds like the biggest fail was your insurer handing over those details based only on your name and address. How did that work? "Hi, I'm Dave Smith from 101 Easy Street South Sydney, can you tell me my DOB and email please?" Why would the insurer give a customer their own personal details? They are supposed to ask the caller to state those details in order to proceed with account access.
The reliance on using OTP by SMS has become worse in that time, if anything. Although these days they prefer to set up a fake Linkt website and phish the OTPs since Facebook leaked everyone’s mobile numbers.
Great.
My coworker got hit by massive targeted identity theft which started with their SIM, provided by Optus. The attackers were able to successfully port my coworker’s Optus number and then hacked their Optus email which had everything in it. It took them months to undo the damage, and more trouble was always around the corner usually while they were sleeping or the service being hit didn’t have support staff online. Do Optus even have any security checks at all for preventing fraud?
Lessons: if the service doesn’t support MFA, don’t use it; don’t put all your service eggs in one basket; don’t assume that your phone number is safe, and act accordingly.
Optus needs to pay for this and I don’t just mean dollars. Comfortable people with responsibilities they failed to keep need to see gaol time, or at the very least lose their jobs and not be allowed to walk back into the revolving door for a long time. This is outrageous.
This just twigged something for me - there is now enough information available to easily do number ports, giving someone else control of the number used for MFA. Anything that relies on your number to verify account actions, transactions, etc is now at risk.
Absolutely, and you can bet this is going to happen once this dataset is sold off.
Luckily (buried at the bottom of their announcement), at least for the moment sim swaps, ports, etc are in-person, in-store with physical ID only.
"Payment detail and account passwords have not been compromised."
No, just your identity is. If you're Australian, you or someone you know will be in this. What a total fuck up.
And why, oh why, are past customers in there. I'm a current one, but even 'not being with them' doesn't necessarily exclude you from this.
> Optus notifies customers of cyberattack compromising customer information
- the notification being finding a link to their quietly released press release on HN this afternoon? Thanks Optus!
- cyberattack is the word to use to encourage speculation that a nation-state was behind the breach, that there was no way to defend against this and to avoid saying "data breach"
- here "customer information" means current and former Optus customers' personal information
If the executive knew at all about the state of security or the potential risk of breach, then they are culpable and should be personally prosecuted.
The story HAS to be that if you, as an exec in power, know your company has deficient safety protocols regarding its care of toxic material, the breach of which is known to cause serious damage and harms, AND you do nothing: hello personal prosecution, reaching right through the corporate veil.
Until we set this kind of legal precedent for the egregious disregard for the integrity of private and personal data, this is just going to keep happening.
I want to point out that Optus also offers a Digital Identity verification solution via Mastercard's DI infrastructure. I am currently implementing Mastercard's DI solution somewhere...
The way that is implemented SHOULD be mostly unhackable, with everything server side being encrypted and inaccessible without user action and communication with MCs backend.
Still, this is not a good look for trust. Should we now go to Australian customers and say "and now you authenticate via the Optus app, it's super secure" while they immediately think of this hack?
Because of this I finally decided to complain to my (Australian) bank about their max 6 character (alphanumeric) no symbol password policy... And lack of MFA for personal accounts... And continuing to only offer OTP via SMS to authorise transactions.
Well, I tried to complain... for you see after going through multiple pages/steps in the UI, when it came time to review and submit, after you press submit you are told that they can't receive complaints online at this time.
So I wrote in the web feedback form instead. At least that went through. As will, I hope, my screenshots of the process to the ombudsman.
In nearly all these microservice components, the UI has an outdated copyright year in the footer. 2016 in the feedback app, 2017 in a preference update component. The year sits right underneath a lock symbol and some text telling you how secure they are.
This tells me a number of things. Either no one has smoke-tested that component for 6 years, or picked up that the year was off, or it has been picked up and left in backlog because of other priorities leaving me to ask what else could be in the aged backlog, but really telling me they don't have the resources to do or to take software or UX seriously.
ING only requires a customer number, and a four digit PIN for online banking access. The customer number is printed on the back of the cards and at the top of letters. There is no MFA. I wish I was joking.
> max 6 character (alphanumeric) no symbol password policy
You forgot to add case isn't significant. Still, even such small passwords can be secure if managed right. It's been that way for many years, and I don't recall seeing anything about it being broken, so I guess it must work ok. I doubt the ombudsman would care.
On the other hand, every 10 or 20 logins, after logging in it doesn't display the internet banking home page. Instead it displays the home pages CSS stylesheet. That behaviour has also been there for years. I don't know how you even do that.
The problem isn’t that the passwords are small, it’s that they aren’t being hashed. I wonder what level of data they are storing in plain text then?
Also if they aren’t able to accept other characters, I wonder what happens when you try?
I’ve worked “across” core payments(not banking) systems with the card schemes, westpac, St George etc. So I would say I’ve seen how bad things can get but your bank sounds like something next level.
> The problem isn’t that the passwords are small, it’s that they aren’t being hashed.
How do you know they aren't hashed? And what does that mean? Does it mean they are using DIGEST to avoid sending plain text over the https transport, or they aren't using key expansion for storage?
And does it matter? If someone gets into their internal systems leaked plain text passwords will be the least of their problems. Total deposits are $500 billion.
> I wonder what happens when you try?
Most people try, because they don't believe the restrictions. The answer is nothing out of the ordinary, of course. As I said, as far as I know it's never been broken. Which is kinda surprising, because their web site has more bugs than most. But it appears they've got that part right.
By the way, 6 alpha-numeric characters makes for about 1 billion combinations. The odds of guessing it in a few random goes are virtually nil, and then you are locked out and have to prove your identity via a third channel. Providing they police the max tries well, it's pretty secure.
> your bank sounds like something next level.
All the large banks are hopeless. They are an absolute nightmare to deal with on every level. This bank has been prosecuted by the Federal Government for AML violations - but again most of them have been prosecuted for grievous unethical behaviour. That doesn't make them insecure.
The OP is wrong about SMS 2 factor - they do support other methods, and insist on it in certain circumstances. The banks do protect themselves. In Australia, the history has been that they are forced to make up their customers' losses. It takes years of investigations, and a lot of suffering in the mean time on the victims' part. But the precedent is well established - karma is a real thing here, and the banks behave accordingly.
Password length isn't necessarily cause for concern in this context. See: https://www.troyhunt.com/banks-arbitrary-password-restrictio...
As for MFA, the only Australian bank that seems to do it right is Macquarie (who let you remove SMS 2FA and replace it with a decent authenticator app). A handful will issue physical tokens on request (eg HSBC).
Bendigo also do physical tokens as well as app based 2FA.
Macquarie have unpersoned me before (cancelled all of my accounts with no explanation or notice, on a Friday afternoon). I've heard of it happening to others too. As such, I make it my mission whenever dealing with large scale finance in business to refuse to deal with them.
This is bad. Australia isn't known for its strong privacy laws anyway, but with the kind of data that's now available out there, ID theft is going to be a huge risk for almost half the country. Even if Optus gets sued, how the hell are people supposed to protect themselves?
To protect themselves, I suspect services like "credit monitoring and alerting" services will see increased subscribers in coming months.
I'm in no way affiliated, but an example is https://www.equifax.com.au/lp/protect-your-identity
AUD$15 per month to tell you if your details are leaked or used to create an account in your name.
> Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers
Okay so this was half the country.
I can't honestly understand how anyone thinks KYC laws make sense if anyone can make a bank account as anyone else, and it all looks like legitimate money or the human is getting framed while the criminal just rotates IDs.
You can't make an account with the number or a scan of an ID document (at least here in the EU, but i doubt it'd be much different down under). The real thing is required, or in the case of neobanks, multiple photos at specific angles + selfie from their app.
All it takes to register a new number here, are your details including name, DoB, physical address (all the complete ones leaked), the type of ID used (passport, drivers license) and the number on that ID. You can do it in about 5 minutes online, and the number is then active (but not before).
Not even a copy of the document is required, and it doesn't have to be sighted by anyone. From memory, you don't even have to supply the expiry date on the document (and driver's license numbers remain static).
One of the first things I see happening, is criminals using this to obtain burner numbers not traceable to them.
all it takes is a single institution that subverts that.
regarding angles and selfies, most of those just require you to go through the motions not for it to be accurate or withstand [human] scrutiny.
> driver's licence or passport numbers
They are required to verify that information.
They shouldn't have been storing that though.
Should only have existed for the period of the verification request on signup - a single form post.
For those not aware this is about 35% of the population of Australia which is around 26 million.
That sounds ambiguous. To clarify: It is 35% of 26 million.
How can we protect ourselves? What steps can we take given the CEO says the following:
"Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, and the number of the ID document you provided such as drivers licence or passport number. No copies of photo IDs have been affected.
It is also important to know that Optus’ network and Optus services including mobile and home Wi-Fi aren’t affected, and no passwords were compromised, so our services remain safe to use and operate as per normal."
Effectively saying, don't change your password. Hackers don't need it.
Glad I dumped them 2 years ago. I hated their imposed "non direct debit fee" if you elected to pay manually instead of direct debit.
I hated their mandatory text messages that couldn't be blocked, such as upcoming bill reminders. Spam my email as much as you want, but stay out of my text messages!
Former customers are also included in the breach, just in case you thought you were safe not being a customer anymore.
I doubt from 2 years ago. They probably said that to cover those who recently left. I guess we'll see. Not sure if they are notifying people or there's any way to check?
Based on one newer article I've seen, leaked data dates back to 2017, so...
No idea how accurate this is just yet though.
They claim to have started notifying people today (Saturday), with customers with most amount of info leaked being prioritised. Supposedly if you've had ID information stolen, you'll know today. Fingers crossed.
Yep, my details were part of the breach unfortunately. I hate Optus now more than ever.
I left them 2 years ago but they keep my details in a database accessible to the internet? Why? Details leaked are name, email, phone, DOB, home address, drivers license number.
About 4 years ago I emailed them complaining that their marketing team were using my date of birth to send me "birthday deals" on my birthday. Something I never opted in for. I found it creepy because the only reason they knew my DOB was from a sign-up security verification process. So back then they were sharing security details from customer signups to their marketing team for use in promotional material. No respect or care for user's data.
I wonder if a class action can be brought against Optus.
Ah man, I'm sorry to hear that. No emails here yet, but not to say I'm not in the category one down yet (which is only slightly less bad).
I'm starting to worry about the general public's understanding of the ramifications of this. When it first broke, I was pretty upset, and my partner (well educated, and with me long enough to understand some things about breaches) thought my concerns and anger at optus was excessive. It's only after I explained to her in some detail a few scenarios of what could happen with the information, that she asked questions about what we should be doing.
I think we'll be seeing fallout from this for years to come.
I wouldn’t normally get angry about something like this but when the CEO talked about how upset she was that there were people out there who would do such harm I almost blew my stack. The level of wilful ignorance to your responsibilities required to feel that statement could be appropriate is astounding.
But most of all, if you’ve worked anywhere even remotely resembling a professional organisation in the last 10 years then it should be obvious just how bad things are inside Optus for this to have even happened. Something is deeply wrong there. This kind of breach should have thousands of things standing in the way of it being possible
> scenarios of what could happen
What could happen?
In my case the home address is old, not my current one, so I dodged a bullet there. That leaves name, DOB and drivers license number. How can those 3 things alone be used?
Email and phone were taken, but nobody can use those if verification is needed. And I can easily change those details in the various places they are used.
I'm quietly confident that because my home address is my old address, and therefore not associated with my drivers license, I'm in better shape than millions of others in this breach.
I'm still angry about it! The email from Optus was tone deaf. They worded it like they are the victims, downplayed the importance, and even ended with "warm regards".
My main concern is that, with ID, it becomes possible to do a Sim swap or number port, which would be the start of a heap of nightmares. Luckily, buried at the bottom of Optus' announcement, they mention that (for the moment) those can now only be done in person, in-store, with physical ID.
For the other stuff (address, name, DoB)...what are the things nearly everyone asks when you ring to make account changes, to verify you are you..
I'd be careful with the home address too (although you should be ok). I moved around a bit a few years ago, and lost track of where I'd updated my address. It was usually as simple as 'I think my most recent address with you is X, can you please update it to Y', and as long as the other stuff checked out, no questions were asked.
And yeah, I had to laugh about that press release :/
Still no email this side. No news is good news, right?
i wonder if passwords really haven’t been affected or if they’re just hashed so they think they can get away with saying that
Today is a one-off national public holiday in Australia to mourn the loss of the Queen. I'd be curious to know when this attack started and whether it coincided with the public holiday by chance or by choice.
I don't know when it actually occurred, but usually this sort of announcement comes long after the incident. The announcement occurring on a holiday afternoon seems a little convenient.
That said, Optus knows they don't get in any real trouble for this sort of thing so they can only benefit from appearing to respond rapidly and transparently. (Which is a better PR move than being proactive)
New laws make it mandatory to report this major type of breach in Australia to the Australian Cyber Security Centre within 24 hours. They had no choice, or risk having the full weight of the government come at them for trying to cover it up.
CEO Should absolutely be charged with criminal negligence. Throw the book at him.
her - Kelly Bayer Rosmarin
How could Dan Andrews let this happen? /s
Ironically #Gladys is currently trending on twitter due to a similar question from people.
Nah this is why:
https://www.optus.com.au/about/media-centre/media-releases/2...
> Optus appoints Gladys Berejiklian to its Executive Team in a new role as Managing Director, Enterprise, Business and Institutional
“Optus has set its vision to become Australia’s most loved everyday brand with lasting customer relationships by redefining what customers should expect from their communication provider through our relentless pursuit of best-in-class service, greater innovation, better value and connectivity for all Australians.”
That's... amusing.
for those not in australia: this is pretty funny
and for those in australia: yeah, nah. not that funny. :-)
It's long past time for countries to embrace the digital id the way Estonia (and a few others) have.
For comparison, visit https://www.telia.ee/en and you're prompted for your smart card or associated Smart ID (which is a mobile app you can bootstrap from your smart card).
No more need to do a 100 point check (and then hold that information indefinitely), it's been done.
Even if you don't like the Estonian system it's high time to get serious about digital identity and stop pretending that knowing your DoB etc (or social security number in US) is a secure mechanism of proving identity.
Aside: Highly recommend Estonia's e-residency program. Great place to run a company. Future focused.
I'm an Australian living in Sweden who loves BankID but I don't trust the Aus Govt to provide a similar service.
I hear this often, and as an Aussie techie it's such a shame. Whether or not it's true, it almost certainly means we'll never try. How do we get past this?
Personally, it would take strong legislation preventing any variation of law enforcement having any access to any of the data, even that of convicted criminals, to make me comfortable to provide mine into the system. Perhaps even constitutional change prohibiting it. Currently, home affairs could feasibly access any data in just about anything the government does with barely a sign-off which I’m not comfortable with.
Our laws protecting us from the government are way too weak for systems like this to take off. Also we keep hiring contractors who do a fairly poor job building the things in the first place.
> Our laws protecting us from the government are way too weak for systems like this to take off.
Indeed. Remember when the police got into the contact tracing apps?
I mean the incompetence is only a tiny part of why I feel this way - with how much they improperly use the data they already have on us I'd rather not let them record every login I perform etc.
> Whether or not it's true,
Australia could not even design a proper national broadband network.
I know Optus would have had a copy of my drivers license on record.. quite possibly my passport as well ;(
Haven’t actually received any communication about the breach from them yet either.
Seems like a complete screw up. They couldn’t even notify their customers before everyone found out on the news.
I wouldn’t trust Vodafone to organise a piss up in a brewery… maybe Telstra are better (hah!)
Ah, good old Sloptus living up to its name.
A mobile company that wants so much of their users' ID info. Is it really necessary for them to get all that user info?
Yes. You need to provide legal id to get a phone number in Australia. This is handled by the phone companies themselves. But this is probably a good reason to not let them do it themselves.
Yes it's legally required for them to properly verify your identity both for credit reasons (on a postpaid plan) and simply to identify who owns what phone numbers.
Probably not. As others have said, some of it is more or less legally required. What I don't understand is why they need to (or should be allowed to) retain that data in perpetuity.
> What I don't understand is why they need to (or should be allowed to) retain that data in perpetuity.
Probably because there is no law saying you need to delete the data in X days.
This doesn't even seem to include the traffic retention data that must be kept in Australia. That's an accident waiting to happen.
Good question. I think the idea is you can’t have a burner phone. Well you can…for example use a foreign sim card of a less fussy telco. But in general this makes it harder to have a burner. Once we get to a point where telcos are not needed to make calls (that amazon wifi mesh for example) maybe we can do away with this need for ID anyway because it is futile.
Calls yes, but making calls is not what’s regulated in Australia. The ACMA regulates the assignment of numbers in Australia, so make calls to your heart's content but if you want to be addressable by an E.164 or IP number, prepare your documents.
My point is in rural locations not at home you need a phone number to connect to 5G (or lesser G) for the data to make a non phone call.
They can verify the identity using a service - there is no need to keep actual documents after the fact.
and the meaning of the phrase cyberattack is further diminished
State-sponsored?
isn't that like half the population??
About 40% (Australia's pop. is ~25M). It is, however, close to 50% of Australia's adult population (~20M). What a mess.