It has been reported that millions of Australians have had their personal details compromised in a major cyberattack on Optus. The telco confirmed the data breach in a statement on Thursday afternoon, revealing up to 9 million Australians could be affected.
The cyberattack on Optus is going from bad to worse as more information is uncovered about the breach.
Following data being published online, thousands of customers are being forced to change their passports and driver’s licences.
This information can be used for identity theft, a very real threat today. Last week, CybSafe and the National Cybersecurity Alliance’s annual report, Oh, Behave! revealed 1 in 4 internet users have already been a victim of identity theft at least once.
Those that have already fallen victim must prioritise applying for replacements. The longer this information is still valid and on the web, the more time criminals have to use the data for further crimes.
Those impacted by the breach must also be on the lookout for phishing scams. Attackers will use the breach to send out malicious emails to victims in a bid to secure more information. Treat emails with caution. Don’t follow links, call numbers, or reply to details listed in emails. Look up the organisation online and use the contact details listed on their website.
If you think you’ve been affected by the Optus breach, update passwords on online accounts that share the same credentials as Optus, and implement MFA on the applications that offer the service.
The one thing always to keep in mind is that theft and profit are the desired outcomes that threat actors have in mind when carrying out cyber-attacks. Methods like ransomware are simply the vehicles to get there, the tactical approach to get to those outcomes. To wonder if ransomware has gone too far is to wonder if crime in general has gone too far. Threat actors aren’t working within ethical boundaries or for the good of society, so they will go as far as they need to in order to create value for themselves. When the tactic—in this case, ransom request—ceases to yield the outcomes, they will abandon it for other more successful tactics. For conscientious citizens, any intrusion or breach is too far, so being aware and proactive is the first best action. This incident, however, serves as yet another reminder for all businesses to apply the strongest level of data-centric security to their datasets. Unlike access-based and perimeter-style defenses, which can be surmounted by experienced threat actors, data-centric security protects the data itself instead of the borders around it with methods such as tokenization and format-preserving encryption. No matter where the data goes, it remains protected even if it falls into the wrong hands. In a situation like Optus’s, if the data happened to be tokenized then the operation would have much less leverage over the company.
This massive breach against Optus has attracted attention from all over the world, so it is not surprising that the attackers would be growing concerned about the consequences of their actions. But nobody can be sure these claims are true. The criminals could simply be buying time, or trying to avert attention from the breach.
However, if they have deleted the stolen data, this will have huge implications for Optus and it once again highlights the responsibility large organisations have in their role as guardians and custodians of the public’s personal data.
As a result, resilience should always be the priority. This means account monitoring should be in place to identify compromised accounts, while being able to recover from unexpected events quickly and easily must also be a focus. Furthermore, implement strong, unique passwords and MFA, use Privileged Access Management (PAM) to protect key accounts, deploy layered security to prevent lateral movement, and train employees regularly on phishing and cybercrime.
The news of the data breach will be of concern to Optus customers, with reports that personal data was stolen by criminals. Personally Identifiable Information (PII), such as names and dates of birth, was featured in 41% of data disclosures between April 2020 and February 2022. Stolen PII is extremely valuable to threat actors – being sold on the dark web for a high price or used to commit other crimes, for example, fraud. Customers should stay vigilant and report any suspicious activity, since the criminals have captured contact data.
Personal data, such as names, addresses, and contact details, are highly coveted by threat actors, which is why companies that store a lot of it are highly susceptible to being targeted. In the cyberattack on Optus, hackers gained access by breaking through the company’s firewall – a measure many companies may feel is enough to protect them. The reliance on firewalls, strong authentication, and passive database encryption to protect data is simply not enough – the data itself must be protected to ensure that when attackers gain access, customer and patient data will remain secure and privacy upheld. Data-centric security, like tokenization, offers the ability to protect the data itself and allows organizations to ensure compliance and security no matter who has access to the data or where it is shared.
Optus customers should do what they can to protect against any further compromise by locking down personal credit and other accounts and exercising hyper-vigilance in the days and weeks to come. For Optus, the situation brings up privacy concerns and questions about the level of due diligence they’ve enacted to prevent hacks and data breaches—the outcome, depending on the facts, could include fines, legal action, and of course reputational damage.