Australian telecommunications giant Optus recently revealed a massive data breach, compromising the personal information of about 10 million customers. Roughly a fifth of those affected saw their passport, driving licence and Medicare information exposed.
Someone claiming to be the attacker said they would release the stolen data unless Optus coughed up a $1m ransom. But the purported attacker released 10,000 customer records anyway before backtracking and deleting them. Optus maintains it did not pay the ransom.
Optus is now facing investigations from the Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC), and potentially millions of dollars in fines.
Leaving the window open
It turns out the Aussie telco was using an application programming interface (API) - which didn’t require authorisation to access customer information - to transfer data between platforms, essentially “leaving the window open for the attack” according to Australia’s Cyber Security Minister Clare O’Neil. The API meant any hacker with a laptop, internet access and knowledge of that endpoint could have used a script to gather millions of entries very quickly. According to Optus, their cyber security is strong, and they’ve simply been subject to a sophisticated attack.
Just a few weeks later, Optus’s parent company Singapore Telecommunications Ltd announced it had also been the victim of a cyber attack back in 2020, exposing the personal data of 129,000 people and 23 businesses. Further still, fellow Aussie telco Telstra has recently experienced a data breach exposing over 30,000 employees’ information.
Whilst not limited to the telco sector, these breaches are more common in large enterprises holding vast amounts of customer data, and firms would do well to take note of what is happening in neighbouring industries. The 2016 Red Cross data hack should have served as a warning against using real personal data in risky data transfers and external storage, yet the Australian telcos have made the same mistake just a few years later. The growing sophistication of attackers is evident, and organisations need to take a proactive approach to data security before it’s too late.
The challenge these companies now face - aside from the investigations and potential fines - is to regain their customers’ trust, a challenge made harder by their follow-up comms blunder. Some Optus customers were informed of the data breach straightaway and could quickly take the necessary precautions, but it took a staggering two weeks to inform others. Now some are even receiving scam comms from a source purporting to be Optus, using the exposed data. None of this paints a pretty picture for the telco, whose customers are having to change passports, driving licences and Medicare cards. Unsurprisingly, many are calling for much stricter data privacy laws.
Optus is unlikely to be alone in its slightly lax attitude to handling sensitive data. It is increasingly clear that the telco industry must take action to make sure no further companies fall victim to the same hack. What can be done?
Firstly, there needs to be greater vigilance against data vulnerabilities in corporate websites and software in general, and possibly also limits on the amount of personal data that companies are allowed to access. These measures would strengthen the first line of defence, but companies can do more at the early testing stage to secure their privacy.
Optus and its parent, Singtel, shared the same weakness: real customer data was exposed while being transferred. These days it is possible to generate synthetic versions of customer data: 100% artificial data which maintains the statistical characteristics of the real data but contains no real customer details. If Optus and Singtel had been transferring synthetic data, the intrusions would have been far less harmful, as the data the hackers found would have been artificial and the customers’ real records would have been kept safe.
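As an added illustration of that idea (example code written for this post, not Hazy’s product or method), the toy generator below learns each attribute’s empirical distribution from a constructed, fictional customer table, emits records with placeholder identifiers, and checks that no real identifier and no complete attribute-for-attribute copy of a real record survives into the synthetic set:

```python
import random
from collections import Counter

# Constructed sample standing in for real customer records (fictional people).
REAL_CUSTOMERS = [
    {"name": "Alice Tan",  "passport": "PA1111111", "state": "NSW", "age": 34, "plan": "post"},
    {"name": "Bob Nguyen", "passport": "PA2222222", "state": "VIC", "age": 52, "plan": "pre"},
    {"name": "Chen Wei",   "passport": "PA3333333", "state": "NSW", "age": 29, "plan": "post"},
    {"name": "Dana Hill",  "passport": "PA4444444", "state": "QLD", "age": 41, "plan": "pre"},
    {"name": "Eve Okafor", "passport": "PA5555555", "state": "NSW", "age": 63, "plan": "post"},
]
DIRECT_IDENTIFIERS = ("name", "passport")   # never copied into the output
ATTRIBUTES = ("state", "age", "plan")       # statistics worth preserving for testing

def synthesize(real, n, seed=0):
    """Return n synthetic rows. Attributes are drawn from each column's empirical
    distribution (marginals only; this toy does not model correlations), identifiers
    are fresh placeholders, and any row that would be an exact attribute copy of a
    real record is rejected (a re-identification risk even with no PII present).
    The rejection step shifts the marginals slightly; on a tiny table like this one
    the shift is visible, on a realistic table it is negligible."""
    rng = random.Random(seed)
    columns = {col: [row[col] for row in real] for col in ATTRIBUTES}
    real_tuples = {tuple(row[c] for c in ATTRIBUTES) for row in real}
    out, attempts = [], 0
    while len(out) < n and attempts < 100 * n:
        attempts += 1
        attrs = {col: rng.choice(values) for col, values in columns.items()}
        if tuple(attrs[c] for c in ATTRIBUTES) in real_tuples:
            continue
        idx = len(out)
        out.append({"name": f"Synthetic Customer {idx:05d}",
                    "passport": f"SYN{idx:07d}", **attrs})
    return out

def leaked_identifiers(real, synthetic):
    """Real direct-identifier values that appear anywhere in the synthetic set."""
    real_values = {row[c] for row in real for c in DIRECT_IDENTIFIERS}
    synth_values = {row[c] for row in synthetic for c in DIRECT_IDENTIFIERS}
    return real_values & synth_values

def marginal(rows, col):
    """Share of each value of `col`, e.g. {'NSW': 0.6, 'VIC': 0.2, 'QLD': 0.2}."""
    counts = Counter(row[col] for row in rows)
    return {k: v / len(rows) for k, v in counts.items()}

if __name__ == "__main__":
    synth = synthesize(REAL_CUSTOMERS, 1000)
    print("leaked identifiers: ", leaked_identifiers(REAL_CUSTOMERS, synth))
    print("real state mix:     ", marginal(REAL_CUSTOMERS, "state"))
    print("synthetic state mix:", marginal(synth, "state"))
```

The same two checks (no real identifier values, no exact attribute copies) are a useful gate on any synthetic dataset before it is handed to a test environment or a third party.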
Help from Hazy
Hazy helps companies all over the world keep their enterprise data safe by providing high-quality synthetic data for testing, analytics and innovation, while omitting all personally identifiable information to maintain privacy and compliance. Get in touch to learn more.