Also: Optus Attacker Says Unauthenticated API Endpoint Led to Breach
Australia’s second-largest telecommunications company is facing a US$1 million extortion demand to prevent the sale of what an attacker says are up to 11.2 million sensitive customer records.
The data breach, which ranks as one of the country’s largest ever, is under investigation by the Australian Federal Police. Optus, which is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group, detected it on Sept. 14.
Early Saturday, a person going by the nickname “Optusdata” published two samples of the purported stolen data on a well-known data leak forum. The attacker writes that Optus can prevent the sale of the data to other cybercriminals if it pays $1 million in the monero cryptocurrency.
Optusdata writes that Optus has one week to pay, otherwise the data will be available for sale in parcels.
The two released data samples contain around 100 records and include data fields such as name, email address, physical address, passport number, driver’s license number, birth date, whether a person owns their home or not and more. The data covers current and former Optus customers.
An Optus spokesperson said on Saturday “we are investigating the legitimacy of this” data.
Leaked Data Appears Legitimate
ISMG found strong signs that the data likely originated with Optus.
One way to figure out if a breach came from the organization it is claimed to have come from is to enter the email addresses into Have I Been Pwned. HIBP is a data breach notification service. People can sign up and be alerted if their email address appears in a new breach. An email address can also be entered into HIBP to see if it has been in a past breach.
ISMG tested 23 email addresses. Most had appeared in previous breaches, but six had not. That is an indication that the Optus sample data is real.
Also, some personal records do not have a recognizable email address from major providers. Instead, there are email addresses that appear to have been assigned by Optus. For example “firstname.lastname@example.org.” Those addresses also do not appear in HIBP, suggesting that this is the first time those have been breached.
In looking at one of the sample data sets, this reporter recognized a local street address. This reporter went to a residence on Saturday morning and found the woman whose data was exposed. She was working in her yard.
When handed a print out of the data, she confirmed it belonged to her. She was an Optus customer until around 2018. Optus has said it believes the leaked data may date back to 2017.
Breach Source: Unauthenticated API
The Australian broadcaster ABC reported on Friday a possible cause for the breach.
The ABC quoted a “senior figure” inside Optus who said that an API for an Optus customer identity database was opened to a test network that “happened to have internet access.”
APIs are software interfaces that allow systems to exchange data, but they could pose risks of data breaches if exposed directly to the internet. Optus declined to comment on the explanation and disputed that “human error” may have played a role.
ISMG reached out to Optusdata on the forum where the data samples were released and asked how the data was stolen. The person confirmed the data was exfiltrated from an unauthenticated API. To put it another way, the API did not require anyone to log in in order to access its functionality.
Optusdata wrote in a message: “No authenticate needed. That is bad access control. All open to internet for any one to use.”
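To make the access-control point concrete, here is an added example (not code from Optus or from this article) contrasting a customer-record lookup that trusts any caller with one that first authenticates the caller and then checks that the requested record belongs to that caller. The contact ids, the records and the bearer-token table are constructed for illustration and stand in for a real identity provider.

```python
"""Customer-record lookup: the weak pattern beside a hardened one (illustrative only)."""

# Constructed in-memory record store; ids and fields are made up for this example.
CONTACTS = {
    1001: {"name": "A. Example", "email": "a.example@example.org"},
    1002: {"name": "B. Example", "email": "b.example@example.org"},
}

# Constructed bearer-token table standing in for a real session / identity provider.
# Each token maps to the contact id of the customer it was issued to.
SESSIONS = {
    "token-for-1001": 1001,
}


def get_contact_unauthenticated(contactid):
    """The weak pattern: any caller who knows or guesses an id receives the record."""
    record = CONTACTS.get(contactid)
    return (200, record) if record else (404, None)


def get_contact_hardened(contactid, bearer_token):
    """Authenticate the caller, then authorize them for this specific object.

    Returns an (http_status, record_or_None) pair, mirroring what an API
    handler would send back.
    """
    caller_id = SESSIONS.get(bearer_token)
    if caller_id is None:
        # No valid credential: reject before revealing anything about the id.
        return (401, None)
    if caller_id != contactid:
        # Authenticated, but not the owner of this record. Answer exactly as for a
        # missing record so a valid session cannot be used to probe which ids exist.
        return (404, None)
    record = CONTACTS.get(contactid)
    return (200, record) if record else (404, None)


if __name__ == "__main__":
    print("unauthenticated lookup of 1002:", get_contact_unauthenticated(1002))
    print("hardened, no token:            ", get_contact_hardened(1002, None))
    print("hardened, wrong owner:         ", get_contact_hardened(1002, "token-for-1001"))
    print("hardened, owner:               ", get_contact_hardened(1001, "token-for-1001"))
```

The second check (caller must own the object) matters as much as the first: requiring a login alone still lets any single customer walk other customers' ids, which is why the hardened version answers a foreign id with the same response as a nonexistent one.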
The API endpoint was api[dot]http://optus.com.au. It’s an odd URL, but Optusdata says it worked to exfiltrate the data because otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. The API was used in part to let Optus customers access their own data.
The same API endpoint was passed to ISMG on Saturday by a separate anonymous source. That person says it was hosted in Google Cloud/Apigee. When Optusdata started frequently accessing that API, it triggered a security alert. A suspiciously high volume of data was coming from that API, which was a signal to Optus of malicious behavior.
Optusdata says they enumerated the customer records via the “contactid,” which is a field that appears in the leaked data samples. It’s unclear how Optus used the “contactid.” By enumerating, the hacker means they sequentially accessed and downloaded the customer records using the API.
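The two signals described in the preceding paragraphs, an unusually high request volume and a client stepping through an identifier one value at a time, can both be checked for in API access logs. The following is an added example, not from Optus or from this article, that parses constructed log lines and flags any client whose requests are numerous and mostly consecutive ids. The log layout, the /v1/contacts/<contactid> path and the thresholds are assumptions for illustration.

```python
"""Flag sequential-id enumeration of a record API from access logs (illustrative)."""
import re
from collections import defaultdict

# Constructed access-log lines in a "timestamp client method path status" layout.
# The path and the addresses are assumptions; 203.0.113.5 plays the enumerating
# client, the other two addresses make ordinary single-record lookups.
SAMPLE_LOG = """\
2022-09-13T10:00:01Z 198.51.100.7 GET /v1/contacts/88213 200
2022-09-13T10:00:02Z 203.0.113.5 GET /v1/contacts/1001 200
2022-09-13T10:00:02Z 203.0.113.5 GET /v1/contacts/1002 200
2022-09-13T10:00:03Z 203.0.113.5 GET /v1/contacts/1003 200
2022-09-13T10:00:03Z 203.0.113.5 GET /v1/contacts/1004 200
2022-09-13T10:00:04Z 203.0.113.5 GET /v1/contacts/1005 200
2022-09-13T10:00:04Z 192.0.2.44 GET /v1/contacts/40512 200
2022-09-13T10:00:05Z 203.0.113.5 GET /v1/contacts/1006 200
2022-09-13T10:00:05Z 203.0.113.5 GET /v1/contacts/1007 200
2022-09-13T10:00:06Z 203.0.113.5 GET /v1/contacts/1008 200
2022-09-13T10:00:06Z 203.0.113.5 GET /v1/contacts/1009 200
2022-09-13T10:00:07Z 203.0.113.5 GET /v1/contacts/1010 200
2022-09-13T10:00:07Z 203.0.113.5 GET /v1/contacts/1011 200
2022-09-13T10:00:08Z 203.0.113.5 GET /v1/contacts/1012 200
2022-09-13T10:00:09Z 198.51.100.7 GET /v1/contacts/88213 200
2022-09-13T10:00:10Z 192.0.2.44 GET /v1/contacts/7 404
2022-09-13T10:00:11Z 192.0.2.44 GET /v1/health 200
"""

# Only record lookups carry an id worth tracking; other paths (e.g. /v1/health) are skipped.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /v1/contacts/(\d+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, contactid, status) for each well-formed lookup line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, _method, cid, status = m.groups()
            yield ts, client, int(cid), int(status)


def client_stats(text):
    """Per-client counters: total requests, distinct ids, and steps where id == previous + 1."""
    stats = defaultdict(lambda: {"requests": 0, "ids": set(), "sequential": 0, "prev": None})
    for _ts, client, cid, _status in parse_log(text):
        s = stats[client]
        s["requests"] += 1
        s["ids"].add(cid)
        if s["prev"] is not None and cid == s["prev"] + 1:
            s["sequential"] += 1
        s["prev"] = cid
    return stats


def detect_enumeration(text, min_requests=10, min_sequential_ratio=0.8):
    """Return {client: summary} for clients whose lookups look like an id walk.

    A client is flagged when it made at least min_requests lookups and the share
    of consecutive-id steps among them is at least min_sequential_ratio.
    """
    flagged = {}
    for client, s in client_stats(text).items():
        if s["requests"] < min_requests:
            continue
        ratio = s["sequential"] / (s["requests"] - 1)
        if ratio >= min_sequential_ratio:
            flagged[client] = {
                "requests": s["requests"],
                "distinct_ids": len(s["ids"]),
                "sequential_ratio": round(ratio, 2),
                "id_range": (min(s["ids"]), max(s["ids"])),
            }
    return flagged


if __name__ == "__main__":
    for client, summary in detect_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {summary}")
```

On the constructed log the only client flagged is 203.0.113.5, with twelve lookups covering ids 1001 through 1012 and a sequential ratio of 1.0. Volume alone, which is what the article says tripped Optus's alert, is the `min_requests` threshold; the sequential ratio adds a second signal that separates an id walk from a busy but legitimate integration that fetches unrelated records.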
Contacted on Saturday night with this information, an Optus spokeswoman said the company did not have an immediate comment.
Optus is in the process of notifying those affected. Not all of those affected had the same amount of data exposed. Optus said on Friday it will offer “expert third-party monitoring services” for those at heightened risk. It has also warned customers to be wary of potentially fraudulent emails and text messages.
Optus will face a range of regulatory inquiries about its data handling practices, including from the Office of the Australian Information Commissioner, which is the country’s data protection agency.
The Guardian reported that Australia’s Attorney General’s office is seeking an “urgent” meeting with Optus to hear of the company’s plan to mitigate the effects of the breach for those affected.
In a separate story, The Guardian reported that in 2020 Optus argued against giving consumers stronger rights to control their data during a federal review of the country’s Privacy Act.
Optus opposed giving consumers a right to erase their personal information, citing “significant technical hurdles,” it reported. The company also opposed greater consumer power to take legal action against companies over data breaches, the publication wrote.