The Optus data breach: A cautionary tale on security

From flooding to society becoming more expensive... Australians have been doing it tough, especially businesses. A data breach at one of the largest telecommunications organisations in the country was the last thing anyone needed – or expected – to witness, but unfortunately, it was breaking news that forced everyone to take action.

Now, the dust has settled, and Optus remains standing, serving as a cautionary tale for businesses regarding the unpredictable nature of cyber security threats. Moving forward, companies will need to exercise more extreme caution around their information and networks.?

A summary of the Optus data breach

On the 22nd of September, 2022, Australians were alerted to one of the largest data breaches in Australian history, targeted toward Optus. According to reports, a malicious entity managed to gain access to 9.8 million customers' personal information stored within the company's network.?

It is believed the perpetrator(s) took advantage of an Application Programming Interface (API) – a software solution that gives programs the ability to communicate with each other – to penetrate Optus' systems and steal data, such as passport numbers, names, etc. After Optus did its best to mitigate any damages in the cyber threat's aftermath, the alleged culprit(s) backpedalled on their A$1.5 million ransom demand and issued a public apology.?

A rude awakening for a multi-billion-dollar company?

The data breach has come and gone, but society and its businesses continue to operate to the best of their ability. Technology has become a driving force in our world. It determines how we conduct our work, how we can travel, and how we interact.

All this to say, Optus has very little ground to stand on if it was to justify its actions. Not that it has though. The company's public relations team quickly took effect, deploying a crisis management strategy that consisted of media releases, apologies plastered across newspapers nationwide, and a video where CEO Kelly Bayer Rosmarin offered another formal update. Every criticism customers and Australian government officials levelled toward them was handled with care; to be fair, they did try.

But with an "operating revenue … [of] $7.8 billion" , and as an institution that has been working in the technology industry since the 1990s, the breach left many of us scratching our heads wondering, "Doesn't Optus have layers upon layers of cyber security solutions?"?

Maybe this isn't a fair question to ask. After all, technology professionals agree that cybercrime can impact any business, regardless of its size, its reputation, or its earnings. However, it does lead us to speculate on the measures surrounding Optus' critical infrastructures, and how just one spark can cause a chain reaction impacting businesses and people across Australia.????

The cyber security domino effect

Cyber security threats can have ripple effects across the business landscape, encouraging the persistence of cybercriminals. Post the Optus breach, we have already witnessed several companies caught up in the ripples, with the likes of Telstra, Medibank, and Woolworths all experiencing their own security breaches (whether they be aimed directly at them or a third-party business).??

Listing the aforementioned companies side by side (and considering their industries) shows how intrinsic cyber security has become to the operations of modern businesses. In this case, cybercriminal see, cybercriminal do – the more security breaches successfully expose organisations' weaknesses and exploit information, the more cyber threats will appear, taking advantage of increasingly sophisticated technology to harm businesses.

Optus' parent company is not exempt from the domino effect

Singapore Telecommunications (Singtel) is Optus' parent company. Based in Singapore, Singtel's international presence is a testament to its operating scale. With "over 770 million mobile customers in 21 countries" , no one can deny that Singtel is a force in the telecommunications world. So, why is it not a stranger to cyber attacks?

Singtel – the Big Fish – gets hooked

In cybercrime, the past often comes back to haunt the involved parties. In late 2020, Singtel had been using a file-transferring platform called Accellion FTA until malicious actors found a zero-day vulnerability in it, and breached the system.?

Though the incident was reported in 2021, this year saw the stolen "information of 129,000 customers and 23 businesses" being posted onto the same forum where the alleged culprit of the Optus data breach said they would leak their newly acquired data. While Singtel hasn't disclosed much information about its response to the resurfaced information, the financial ramifications of the negative press it's been receiving in the past month have caused its "share price [to] slump to a three-month low of S$2.49" (approx. $2.72 AUD).

The cyber incidents experienced by Singtel and Optus were unrelated. But as the companies are connected, the attacks have served as an alert to prospective cyber threats: these organisations are not as impenetrable as they appear.?

Cyber security solutions are essential to protecting confidential information in the age of Internet of Things (IoT) devices. Any cyber professionals who partner with a company or join them as an employee should remain vigilant and exercise best practices to ensure digital safety.????

How the Optus data breach could have been avoided

Technology has become a driving force in our world, giving us the means to manifest our talents and thoughts, creating businesses that unlock the next stage of society. This is where the frustration surrounding Optus stems from.

As a telecommunications provider, the company should already have up-to-date cyber security solutions installed in its operations. According to an anonymous senior insider, the breach appeared "to come down to human error" . Unsurprisingly, Optus disputed this.?

But with "95% of cybersecurity issues … traced to human error" , it can be difficult not to search for validity in the insider's words.?????

This is to say, the breach could have been avoided by:?

1.??Cyber security awareness and training

Optus' situation may not have resulted from an employee opening a phishing link. But information security no longer applies to a specific audience. It needs to be upheld 24/7/365 by every individual within an organisation. Without this knowledge, cyber security threats will become commonplace.??

For business leaders and everyday people, sophisticated cyber threats take many forms. We need to educate ourselves on their variations, ensuring that criminals cannot catch us unawares and play with our sense of urgency to fuel their plans.

Sophisticated threats can include:

·??????Distributed denial-of-service (DDoS) attacks – when a malicious entity bombards an organisation's server with compromised traffic.

·??????Man in the middle (MITM) attacks – when a cybercriminal eavesdrops on communications by positioning themselves in the centre of data flows.

·??????Malware – malicious codes, such as spyware and worms, that penetrate and damage networks.

·??????Ransomware – a form of malware that encrypts information, allowing the perpetrator to hold it for ransom.

·??????Phishing – phishing attackers take on the guise of a trusted party and trick victims into providing personal information by responding to email links and messages.

·??????Human error – mistakes made due to a lack of understanding regarding cyber security practices.?

2.??Routine attention and healthy attitudes regarding cyber security solutions

It can be easy to forget that any decisions and attitudes portrayed at a company's head trickle down and impact its culture. A dynamic digital security culture is a work environment that encourages employees to be proactive about security, and to think critically about how their actions and tools affect the company's technical safety.

In the case of the Optus data breach, the instigator was able to take advantage of an API that had no security measures surrounding it, including access control policies. To cyber security threats, this effectively serves as an obstacle-free entryway into a company's systems. Optus should have routinely assessed its systems, catalogued every component, studied them for defects, and fixed them immediately.

3.??Data encryption

An interesting theory that's been floating around says that the customers' data was not encrypted when it was found. If it was encrypted, there is a chance that the decryption key was somehow located and used to unlock the information, or the perpetrator downloaded the data using an "https" connection channel that was encrypted at the time. Of course, Optus objects to all theories, insisting they use multi-layered security.?

But when one considers how easily the breach occurred, and the amount of legitimate data that was stolen and exposed to the Dark Web, it's easy to see value in the theory that the data was not encrypted. Regardless of whether or not the information appeared scrambled as it left the network, high-class data encryption should always be a priority for organisations and can keep sensitive information secure outside the system.

What does the future hold for Optus?

Moving forward, businesses can expect to see Optus fork out millions of dollars to repair damages, fix their reputation, and (if they don't want to continue frustrating customers ) market themselves to remind Australians that they are present and ready to help us with our telecommunications needs.

They have already made some changes, most notably in the form of initiatives, such as offering affected customers a free 12-month subscription to the identity theft and credit monitoring service Equifax Protect, Operation Guardian (a joint effort that sees law enforcement agencies, financial institutions, etc., provide "multi-jurisdictional and multi-layered protection" for Optus customers impacted by the breach), and an independent security review conducted by a third-party company.?

Post the breach, it is understandable that Australians (particularly Optus customers) may be feeling apprehensive about their role in Optus' future. Reportedly, Optus has lost 10% of its customer base, with 56% considering leaving the provider.

With the media attention surrounding account cancellation difficulties and the rising number of scams targeting victims, it is clear as day that the data breach will leave a sour taste in peoples' mouths and will shake the foundations that Optus stood proudly upon for some time to come. ??

Class is dismissed, and Optus will help us pass the test

For businesses, the Optus data breach was a case study of how cyber security threats are opportunists. At the first signs of weakness, the malicious actors will descend and plunder their victim's data, whether that be customer credit card details or the credentials of staff. As business owners and leaders, Optus reminded us that we need to update our cyber security solutions and strategies.

How is your business protecting its data?