Optus CEO Apologizes and Says Incident Under ‘Criminal Investigation’
Australian telecommunications firm Optus is continuing to investigate a data breach that may be one of the largest ever in the country.
In a press conference and in interviews on Friday, Optus CEO Kelly Bayer Rosmarin apologized for the incident but did not reveal many details, saying it is under “criminal investigation.”
“I’d like to start off by making sure that it’s clear that we are apologising to all of our customers,” Rosmarin says. “We know that this attack creates great concern.”
The attackers accessed names, birth dates, phone numbers and email addresses. For some customers, driver’s licenses and passport numbers may also have been exposed, according to a news release. The data goes back to 2017, Rosmarin says. No financial data or passwords were exposed.
“We don’t know who these attackers are and what they want to do with this information,” Rosmarin says.
Optus has so far not said how many customers are affected, but the operator has around 10.2 million subscribers. Rosmarin says Optus is going to notify those affected starting with those with the most data exposed.
ISMG contacted several threat intelligence companies that closely monitor the dark web, where stolen data is traded and offered for sale. No data connected to the latest breach appears to be on offer.
If a state-sponsored actor breached Optus, it’s unlikely the data would be sold. If the breach was caused by data broker cybercriminals, it may be sold in small private circles first rather than in big batches. The data is useful for a variety of cybercriminal uses, including phishing attacks, SIM swapping and identity theft.
Optus is Australia’s second-largest telecommunications company, providing landlines, mobile connectivity, internet and cable access, leased lines and more. It is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group.
Encryption in Play?
It’s unclear if Optus encrypted the data at some point in storage.
Rosmarin was asked four times by a Sky News Australia journalist whether customer data was encrypted, according to a video. She responded that because of the ongoing investigation, “we are not at liberty to disclose details about the data, where it resides, how the attack happened.”
“I’m sorry I just don’t understand why you can’t say whether any of it is encrypted or not,” the journalist asks.
Rosmarin says that encryption is one method that Optus uses to protect customer information along with other defensive measures. But it wasn’t clear if it was in place during this incident.
“Unfortunately, in addition to our customers who listen to all the information we are getting out there via the media, there are bad actors who also read the media and so we are restricted in what we can say,” Rosmarin says.
“But if it’s encrypted, that just makes you harder to hack, doesn’t it?” the journalist asks.
Encryption would certainly stop an attacker from reading or using the data without the decryption key. But if the attackers had access to an account with permission to read the data, then even if it was encrypted in storage, the system would have decrypted it for them, so it could still be accessed and thus exposed in a breach.
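An added illustration of the distinction just drawn (example code written for this edit, not Optus’s systems or anything the article describes): customer records are encrypted at rest with a toy HMAC-based stream cipher, so a copy of the storage yields only ciphertext, yet any holder of a valid service token reads plaintext through the service, which is why reads per credential are worth monitoring. The store, the token name and the customer records are constructed.

```python
import hashlib, hmac, os
from collections import defaultdict

def _keystream(key, nonce, length):
    # Toy HMAC-SHA256 counter-mode keystream: illustration only, not a vetted cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class CustomerStore:
    """Records are encrypted at rest; the service decrypts for any holder of a valid token."""
    def __init__(self, key, valid_tokens):
        self._key, self._rows, self._tokens = key, {}, valid_tokens
        self.audit = []  # (token, customer_id) per successful read; input for detection
    def put(self, customer_id, record):
        self._rows[customer_id] = encrypt(self._key, record.encode())
    def raw_storage(self):
        return dict(self._rows)  # what a copied disk or backup yields: ciphertext only
    def read(self, token, customer_id):
        if token not in self._tokens:
            raise PermissionError("invalid token")
        self.audit.append((token, customer_id))
        return decrypt(self._key, self._rows[customer_id]).decode()

def bulk_read_alerts(audit, max_customers_per_token):
    """Tokens that read more distinct customers than the threshold: an enumeration signal."""
    seen = defaultdict(set)
    for token, cid in audit:
        seen[token].add(cid)
    return {t: len(c) for t, c in seen.items() if len(c) > max_customers_per_token}

def demo():
    store = CustomerStore(os.urandom(32), {"svc-token-A"})  # constructed key and token
    for i in range(50):
        store.put(f"cust-{i}", f"name=Customer {i};dob=1990-01-01;phone=0400000{i:03d}")
    plaintext_in_storage = any(b"dob=" in blob for blob in store.raw_storage().values())
    for i in range(50):  # one valid credential reading every record through the service
        store.read("svc-token-A", f"cust-{i}")
    return plaintext_in_storage, store.read("svc-token-A", "cust-7"), bulk_read_alerts(store.audit, 20)
```

Storage-level encryption defeats the first path (stolen storage) and is transparent to the second (a stolen or over-permissioned credential); only the audit trail distinguishes the second from legitimate use.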
No Ransom Demand
Rosmarin says Optus had not received a demand for ransom, and she did not indicate that data had been encrypted by the attackers. That likely eliminates the possibility of a ransomware attack.
The absence of a ransom demand also suggests that whoever took the data isn’t trying to extort the company.
On Thursday, the Sydney Morning Herald reported that the source of the breach may have been a vulnerable API, or application programming interface. Rosmarin acknowledged that people are “hungry for details,” but when asked about that report she reiterated that it is under investigation.
“We will not be divulging details about that,” she says.
Rosmarin did say that investigators noticed IP addresses originating from Europe accessing Optus’s systems. Those addresses are unlikely to reveal where the attackers actually are, however: cybercriminals typically route through other hacked servers or systems to hide their true location.
“The IP address kept moving,” Rosmarin says. “It’s a sophisticated attack.”