Investigations into the Optus data breach are centring on the question of whether the telco made a basic error by using customers’ data while testing a new computer system that went awry and left 9.8 million records exposed online.
A senior cybersecurity official said Optus using real names, addresses and identifying details – rather than placeholders – during an upgrade gone wrong was viewed as the most likely explanation for the telco data breach.
Some details of the breach are being slowly revealed as Optus meets government agencies and has been told to show cause that it met its obligations to protect customer data.
The use of customer data during risky computer testing was behind the 2016 hack of the Red Cross. How it could have been repeated by Optus would be the first question in any investigation.
“This should never happen at a telco,” the cybersecurity official said.
“There is no reason for connecting a [testing environment] to the public internet with a lot of people’s real names (and other details).
“You should be using synthetic data.”
Copies of 10,000 Australian users’ leaked data have been circulating on the dark web, and security researchers have found no sign that they are computer-generated (or synthetic) records of the kind used so that system upgrades can be tested without exposing real customers.
Instead, real details appear to have been reachable on an Optus website with only minimal safeguards.
An official briefing on the cyberattack soon after it took place included information indicating that these records were only accessible on Optus’ website between certain times, a source familiar with its contents said.
That could suggest a network fault or bug may have exposed new data on Optus servers unexpectedly.
Optus boss Kelly Bayer Rosmarin said that the cyber attack was “sophisticated” and was “not similar to anything we’ve seen before”.
Concerns about consumer privacy are now turning to national security and what a state actor might have been able to seize from poorly guarded systems. A visit to Optus headquarters by intelligence officials at the Australian Cyber Security Centre is expected to have already taken place.
Troy Hunt, a Microsoft regional director and the creator of the world’s leading public database of information security breaches, said theft of real data through a test interface is actually a well-known vulnerability.
He said allowing an unprotected test server to access real customer data is “extraordinarily lazy and irresponsible”.
“You would never use production data in a test environment. We’ve seen so many data breaches where that’s happened,” he told The New Daily.
Customer ‘guinea pigs’
Companies of Optus’s size often face difficulties when upgrading their computer systems if they test with dummy data, which processes much more quickly and lacks the errors, characters such as umlauts and other hallmarks of actual customer details.
At the scale of a computer network that must support potentially tens of thousands of calls a minute, such minor details can be crucial – and “clean” fake data can fail to stress test a network.
“The saying is – if you want real results, you need real data,” a source said of a view still widely held by some in the industry.
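The two points made above, the official’s call for synthetic test data and the industry objection that “clean” dummy data lacks umlauts and the other rough edges of real records, are not in conflict. The following Python is an added illustration, not Optus’s code or anything from the investigation: it fabricates customer records that keep the messy characteristics of real ones (accents, apostrophes, hyphens, multi-word names), stamps every record so that a leaked copy is recognisably synthetic, and checks that no value from a production sample has crept in. The field names, the name lists, the “production” sample and the phone prefix are all constructed assumptions; the e-mail domain is the one RFC 2606 reserves for exactly this purpose.

```python
"""Synthetic customer records for a test environment (illustrative, not Optus's code).

Real data in a test system is the failure mode the article describes. The
alternative is fabricated data that still exercises the code paths real
data would: non-ASCII letters, apostrophes, hyphens and multi-word names.
"""
import random
import unicodedata

# Constructed fragments carrying the "hallmarks of actual customer details".
GIVEN_NAMES = ["Jürgen", "Zoë", "Siobhán", "Ngọc", "Mary-Anne", "José", "Aisha", "Björn"]
FAMILY_NAMES = ["O'Brien", "Müller", "van der Berg", "Nguyễn", "Smith-Jones", "Đặng", "Łukasz"]
STREETS = ["Rue de l'Église", "Große Straße", "O'Connell St", "Main St"]
SUBURBS = ["Sydney", "Kalgoorlie-Boulder", "Mooloolaba", "Wagga Wagga"]

SYNTHETIC_ID_PREFIX = "TEST-"          # every identifier is visibly fabricated
SYNTHETIC_MAIL_DOMAIN = "example.com"  # reserved by RFC 2606, never deliverable
# Assumption: a prefix your telecoms regulator reserves for fictional use.
# Check the regulator's published list before relying on it.
SYNTHETIC_PHONE_PREFIX = "0491 570"

# Constructed stand-in for a production sample. Not real customer data.
PRODUCTION_SAMPLE = [
    {"name": "Alex Citizen", "email": "alex.citizen@example.net",
     "phone": "0400 000 000", "licence_no": "12345678"},
]


def synthetic_customer(rng: random.Random, idx: int) -> dict:
    """One fabricated record; idx keeps ids and e-mail addresses unique."""
    given, family = rng.choice(GIVEN_NAMES), rng.choice(FAMILY_NAMES)
    # Derive the e-mail local part from the name so tests hit the same
    # normalisation paths (strip diacritics, drop apostrophes) real data does.
    local = unicodedata.normalize("NFKD", f"{given}.{family}")
    local = local.encode("ascii", "ignore").decode().replace("'", "").replace(" ", "").lower()
    return {
        "customer_id": f"{SYNTHETIC_ID_PREFIX}{idx:08d}",
        "name": f"{given} {family}",
        "email": f"{local}{idx}@{SYNTHETIC_MAIL_DOMAIN}",
        "phone": f"{SYNTHETIC_PHONE_PREFIX} {rng.randint(0, 999):03d}",
        "address": f"{rng.randint(1, 999)} {rng.choice(STREETS)}, {rng.choice(SUBURBS)}",
        "dob": f"{rng.randint(1940, 2004)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}",
        "licence_no": f"{SYNTHETIC_ID_PREFIX}L{rng.randint(0, 99_999_999):08d}",
    }


def generate_dataset(n: int, seed: int = 0) -> list:
    """Seeded so a failing test run can be reproduced exactly."""
    rng = random.Random(seed)
    return [synthetic_customer(rng, i) for i in range(n)]


def looks_synthetic(record: dict) -> bool:
    """The check an investigator could run over a leaked dump: were these
    records stamped as test data, or are they real?"""
    return (record["customer_id"].startswith(SYNTHETIC_ID_PREFIX)
            and record["licence_no"].startswith(SYNTHETIC_ID_PREFIX)
            and record["email"].endswith("@" + SYNTHETIC_MAIL_DOMAIN))


def leaked_values(records: list, production_sample: list,
                  fields=("name", "email", "phone", "licence_no")) -> list:
    """Values shared between the test set and production; must be empty before
    the test environment is populated. Returns sorted (field, value) pairs."""
    real = {(f, r[f]) for r in production_sample for f in fields}
    return sorted({(f, r[f]) for r in records for f in fields if (f, r[f]) in real})


def edge_case_coverage(records: list) -> dict:
    """Counts of records exercising the rough edges clean dummy data lacks."""
    def count(pred):
        return sum(1 for r in records if any(pred(str(v)) for v in r.values()))
    return {
        "non_ascii": count(lambda s: any(ord(c) > 127 for c in s)),
        "apostrophe": count(lambda s: "'" in s),
        "hyphen_or_multiword_name": sum(
            1 for r in records if "-" in r["name"] or r["name"].count(" ") > 1),
    }


if __name__ == "__main__":
    data = generate_dataset(40, seed=7)
    print(data[0])
    print("all stamped synthetic:", all(looks_synthetic(r) for r in data))
    print("collisions with production:", leaked_values(data, PRODUCTION_SAMPLE))
    print("edge-case coverage:", edge_case_coverage(data))
```

Two design choices matter more than the name lists. First, every record is stamped (reserved id prefix, reserved mail domain) so that if the test system is ever exposed, as the article says Optus’s was, a copy of the data is identifiable as fabricated rather than real. Second, `leaked_values` is the gate to run before loading a test environment: if it returns anything, production data has crept in and the load should stop.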
However, how such data came to be exposed online is now another question being raised by government, along with whether it was put there by Optus employees, with management’s knowledge, or by IT consultants.
Mr Hunt said that even in cases where developers use real data to test systems there should be security measures in place, such as authentication.
He said using real data amounted to turning users into “guinea pigs”.
But it is alleged Optus failed to take even these steps: the purported hacker, whose release of real stolen data online last week Optus has itself confirmed, claimed the access protocols were unauthenticated.
“That is bad access control,” the hacker wrote. “All open to internet for anyone to use.”
Optus a repeat offender
Beyond the most recent hack, investigators have access to a pattern of behaviour from Optus regarding lax cyber security practices.
The telco has previously been pulled up by regulators for security failures.
In fact, Optus was the subject of the first enforceable undertaking under new privacy laws in 2014 when the Office of the Australian Information Commissioner found it allowed the information of 122,000 customers to be published to White Pages without their permission.
Optus announced on Monday that it had hired Deloitte to conduct an external investigation into the hack and later in the afternoon revealed it had homed in on exactly how many customers had their data stolen.
Ms Rosmarin said that of the 9.8 million customers whose details were exposed only 2.1 million had identity documents – such as passport numbers, licence numbers and Medicare details – taken by hackers.
Of those, about 1.2 million have had “at least one number from a current and valid form of identification” taken, while 900,000 have had expired information compromised.
A further 7.7 million customers have had personal data stolen, including email addresses, birthdays, names and phone numbers.
Optus was contacted for comment.
jrobertson@thenewdaily.com.au