Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The Guardian - AU
The Guardian - AU
Business
Donna Lu and Royce Kurmelovs

Optus data breach: cybersecurity reforms expected to enable companies to rapidly inform financial institutions

Signage that reads 'Optus Yes' is seen at an Optus store in Sydney
Optus reported a massive data breach on Thursday, which included the details of 11.2 million customers and more than 3.6m driver’s license numbers. Photograph: Bianca de Marchi/AAP

The minister for home affairs and cybersecurity, Clare O’Neil, is expected to announce reforms that would enable Optus to inform financial institutions about the data compromised in its recent cyber-attack.

O’Neil is expected to announce reforms in the coming week that would enable companies such as Optus to more rapidly provide data to banks following security breaches.

It comes amid a suggestion that the compromised Optus data may have been accessed via an avenue involving no password or security restrictions.

Optus revealed the massive data breach on Thursday. Details including names, dates of birth, phone numbers, email addresses, home addresses, and passport and driving licence numbers have been stolen.

On Saturday a post appeared on a data market by a user claiming to possess information obtained from the breach, including the details of 11.2 million Optus customers and more than 3.6m driving licence numbers. Two samples each of 100 user records were also posted, as well as a demand for $1m in cryptocurrency.

Jeremy Kirk, the executive editor of the Information Security Media Group (ISMG), who has been in contact with the user, was able to verify some of the information in the sample data and said it appeared to genuinely originate from Optus.

The user claimed to have extracted the data from an unauthenticated application programming interface (API) – software that allows two different systems to talk to each other – meaning that login details were not required to access it.

“If you were an Optus subscriber, and you logged in and you said, ‘Show me my account info’, that’s an API grabbing your account information and bringing it back to you,” Kirk said. “You’re authenticated because you’ve logged in … you don’t have any broader access to anything else.”

Kirk said that the data breach appeared to have occurred because “Optus exposed this quite powerful API that was connected to their entire customer database, apparently. And it was just on the internet.”

The user told Kirk in a message: “No authenticate needed. That is bad access control. All open to internet for any one to use.”

The user’s claims were independently corroborated by a second source, Kirk said.

A spokesperson for the Australian federal police said yesterday that the agency was aware of claims the data had been put up for sale.

Optus chief executive, Kelly Bayer Rosmarin said on Friday that the company was not sure exactly how many customers had their details compromised, but said 9.8 million was the “worst case scenario”.

The cyber-attack has potentially affected customers dating back to 2017, as Optus is required to keep identity verification records for six years. In the past, the telco has proposed changes to privacy laws that would enable customers to request their data be destroyed.

Optus call centre staff have told Guardian Australia that the telco has been swamped with complaints through its online complaints form. Staff say they have not been informed when or if a dedicated hotline will be set up, but have been directed to call each complainant to “resolve the issue”, explaining to customers what people can do to manage their risk individually.

Optus was contacted for comment.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.