Australian cybersecurity minister lambasts Optus for ‘unprecedented' hack
Australia’s cybersecurity minister criticized the country’s second largest telecommunications company for its response to what she called an “unprecedented theft of consumer information.”
Clare O'Neil, minister for Home Affairs and Cybersecurity, appeared on ABC730 on Monday to discuss the breach of Optus, which announced on Thursday that it was “investigating the possible unauthorized access of current and former customers’ information” following a cyberattack.
The hack involved the theft of basic personal information related to 9.8 million Australians. More alarmingly, it also included extensive personal data like license numbers and passport numbers from 2.8 million people. Australia’s population is about 25 million.
The data taken, she said, “effectively amounts to 100 points of ID check,” making the “scope for identity theft and fraud quite significant in particular for those 2.8 million Australians.”
Minister for Cyber Security @ClareONeilMP says Australia is "probably a decade behind" in privacy protections, and the government "has to be involved when the stakes are this high" following Optus' cyber security breach. Watch her full interview with Laura Tingle below. #abc730 pic.twitter.com/Mk791iOehl— abc730 (@abc730) September 26, 2022
She went on to dispute Optus’ characterization of the attack as advanced, calling the incident “quite a basic hack.”
Journalist Jeremy Kirk spoke with the hacker behind the incident, who claimed they gained access through an unauthenticated Application Programming Interface (API) endpoint. The hacker said it was “bad access control,” noting that it was connected to the internet “for anyone to use.”
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol pic.twitter.com/l89O8w1oCO— Jeremy Kirk (@email@example.com) (@Jeremy_Kirk) September 24, 2022
“We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen,” O'Neil said.
The interviewer pressed O'Neil about the discrepancy between her description of the attack and Optus’, asking whether she “bought the line from Optus that this was a sophisticated attack.”
“Well it wasn't, so no,” O'Neil responded.
She was frank about the root causes of such a wide-ranging breach, explaining that telecommunications giants like Optus were left out of recent critical infrastructure cyber incident reporting laws.
While the telecommunications industry got its own regulations in July, O'Neil said she was hamstrung by regulatory gaps and a privacy landscape in Australia that was behind the rest of the world.
“When it comes to cyber protections, the previous government put in place a very significant piece of legislation that I think was a very good start, but it didn't bring telecommunications companies into that legislation and so what it's meant is that I am more limited with telecommunications companies in terms of the powers that I have,” she said.
According to O'Neil, industry leaders convinced the government to leave them out of the law, claiming they were “really good at cybersecurity and could do it without being regulated.”
That position, she said, was undercut by the current situation with Optus. While in the past, cybersecurity in Australia was viewed as a matter between a private company and customers, she said the industry has now reached a point where it is holding data sensitive enough to warrant government intervention.
“We've got half of all Australian adults who have had some data breach here and it's clearly not just between Optus and the customer. The government has to be involved when the stakes are this high,” she said.
“I think we need to be looking at a variety of issues including the powers that I have as cybersecurity security minister to mandate minimum cybersecurity standards which could have prevented this from occurring.”
An "inappropriate" fine
The cybersecurity regulator's hands are also tied by limits to fines, which under Australian law can be a maximum of $2 million, which she called "totally inappropriate." Before rethinking regulations, she said, support needed to be given to the victims.
The Australian Cybersecurity Center, Australian Federal Police and Australian Signals Directorate are all assisting Optus with the technical aspects of the recovery and response.
The ACSC helps all Australians by providing simple advice to secure your identity and protect yourself online.— Australian Cyber Security Centre (@CyberGovAU) September 25, 2022
Check out our ‘Have You Been Hacked?’ tool to help you recognise the risks and learn how to respond if you have been hacked. Visit https://t.co/7AvddGd1DK
Today I gave an update on the Optus security breach.— Clare O'Neil MP (@ClareONeilMP) September 26, 2022
Responsibility for this security breach rests with Optus. This is a breach we shouldn't expect to see in a large telecommunications provider.
In the coming days, I'll have more to say on what steps need to be taken.#QT pic.twitter.com/hpoMtx4iSl
Optus is providing the 2.8 million customers most seriously affected with a free 12-month subscription to credit monitoring and identity protection service Equifax Protect.
Several Australian media outlets reported the presence online of a $1 million ransom demand directed towards the company, but Reuters could not confirm its authenticity.
The company did not respond to requests for comment about O'Neil’s statements but on Monday announced that it has sent emails or text messages to all customers who had ID document information, such as license or passport numbers, compromised.
They are still in the process of contacting other victims whose information was leaked.
“Optus needs to communicate clearly to their customers about exactly what information was being taken from specific individuals and then needs to assist and support customers to manage the impacts of what is an unprecedented theft of consumer information in Australian history,” she said.
On Monday, the alleged hacker behind the incident threatened to publish 40,000 records over the next four days if they are not paid $1 million.
The #Optus hacker has released 10k records, and claims that another 10k will be released each day for the next 4 days. 1/2 pic.twitter.com/Nm07oQhMZl— Brett Callow (@BrettCallow) September 26, 2022
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.