Australian cybersecurity minister lambasts Optus for ‘unprecedented’ hack
Jonathan Greig September 26, 2022

Australia’s cybersecurity minister criticized the country’s second largest telecommunications company for its response to what she called an “unprecedented theft of consumer information.”

Clare O’Neil, minister for Home Affairs and Cybersecurity, appeared on the ABC’s 7.30 program on Monday to discuss the breach of Optus, which announced on Thursday that it was “investigating the possible unauthorized access of current and former customers’ information” following a cyberattack.

The hack involved the theft of basic personal information belonging to 9.8 million Australians. More alarmingly, for about 2.8 million of them it also included identity-document data such as driver’s license numbers and passport numbers. Australia’s population is about 25 million.

The data taken, she said, “effectively amounts to 100 points of ID check,” making the “scope for identity theft and fraud quite significant in particular for those 2.8 million Australians.”

She went on to dispute Optus’ characterization of the attack as advanced, calling the incident “quite a basic hack.”

Journalist Jeremy Kirk spoke with the person claiming to be behind the incident, who said they gained access through an unauthenticated Application Programming Interface (API) endpoint. The hacker called it “bad access control,” noting that the endpoint was connected to the internet “for anyone to use.”
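The flaw the hacker describes, an internet-reachable lookup endpoint with no authentication and no check that the caller owns the record it returns, is easy to see in a small handler. The block below is an added illustration, not Optus code and not from the article; the endpoint path, customer records and bearer tokens are constructed for the demo, and the page gives no detail about the real API beyond the quoted description. It pairs the vulnerable handler with a hardened one and runs the same enumeration sweep against both.

```python
# Added illustration of the bug class described above (unauthenticated,
# enumerable customer-lookup endpoint) beside a hardened form.
# Not Optus code. All records, tokens, paths and requests are constructed.
import hmac
import re

# Constructed sample records keyed by a sequential customer ID.
CUSTOMERS = {
    1001: {"name": "A. Example", "licence": "DL-000111", "passport": "PA000111"},
    1002: {"name": "B. Example", "licence": "DL-000222", "passport": "PA000222"},
    1003: {"name": "C. Example", "licence": "DL-000333", "passport": "PA000333"},
}

# Constructed bearer tokens: each token authenticates exactly one customer.
TOKENS = {"tok-a-secret": 1001, "tok-b-secret": 1002}

_PATH = re.compile(r"^/api/customers/(\d+)$")  # assumed route shape


def _customer_id(path):
    m = _PATH.match(path)
    return int(m.group(1)) if m else None


def vulnerable_lookup(request):
    """Vulnerable: anyone who can reach the endpoint can read any record,
    and the sequential ID lets a caller walk the whole table."""
    cid = _customer_id(request["path"])
    rec = CUSTOMERS.get(cid)
    return (200, rec) if rec else (404, None)


def _caller(request):
    """Resolve the bearer token to a customer ID, or None if unauthenticated."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, cid in TOKENS.items():
        if hmac.compare_digest(token, presented):  # constant-time comparison
            return cid
    return None


def hardened_lookup(request):
    """Hardened: require authentication, then require that the caller owns
    the requested record. A mismatch answers 404 rather than 403 so the
    endpoint does not confirm to a logged-in caller which other IDs exist."""
    caller = _caller(request)
    if caller is None:
        return (401, None)
    cid = _customer_id(request["path"])
    if cid is None or cid != caller:
        return (404, None)
    return (200, CUSTOMERS[cid])


def harvest(handler, id_range, headers=None):
    """Simulate an enumeration sweep; return the records the handler leaks."""
    leaked = {}
    for cid in id_range:
        status, rec = handler(
            {"path": f"/api/customers/{cid}", "headers": headers or {}}
        )
        if status == 200:
            leaked[cid] = rec
    return leaked


if __name__ == "__main__":
    sweep = range(1000, 1010)
    a_token = {"Authorization": "Bearer tok-a-secret"}
    print("vulnerable, no credentials:", len(harvest(vulnerable_lookup, sweep)))
    print("hardened, no credentials:  ", len(harvest(hardened_lookup, sweep)))
    print("hardened, A's own token:   ", len(harvest(hardened_lookup, sweep, a_token)))
```

The sweep over ten sequential IDs pulls every record out of the vulnerable handler with no credentials at all, which is the “for anyone to use” property the hacker describes; the hardened handler returns nothing to an anonymous caller and, even to an authenticated one, returns only that caller’s own record. Authentication alone is not the fix: without the ownership check, any one customer’s token would still enumerate everyone else.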

“We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen,” O’Neil said. 

The interviewer pressed O’Neil about the discrepancy between her description of the attack and Optus’, asking whether she “bought the line from Optus that this was a sophisticated attack.”

“Well it wasn’t, so no,” O’Neil responded. 

She was frank about the root causes of such a wide-ranging breach, explaining that telecommunications giants like Optus were left out of recent critical infrastructure cyber incident reporting laws.

While the telecommunications industry got its own regulations in July, O’Neil said she was hamstrung by regulatory gaps and a privacy landscape in Australia that was behind the rest of the world. 

“When it comes to cyber protections, the previous government put in place a very significant piece of legislation that I think was a very good start, but it didn’t bring telecommunications companies into that legislation and so what it’s meant is that I am more limited with telecommunications companies in terms of the powers that I have,” she said.

According to O’Neil, industry leaders convinced the government to leave them out of the law, claiming they were “really good at cybersecurity and could do it without being regulated.” 

That position, she said, was undercut by the current situation with Optus. While in the past, cybersecurity in Australia was viewed as a matter between a private company and customers, she said the industry has now reached a point where it is holding data sensitive enough to warrant government intervention. 

“We’ve got half of all Australian adults who have had some data breach here and it’s clearly not just between Optus and the customer. The government has to be involved when the stakes are this high,” she said.

“I think we need to be looking at a variety of issues including the powers that I have as cybersecurity minister to mandate minimum cybersecurity standards which could have prevented this from occurring.”

An “inappropriate” fine

The regulator’s hands are also tied by limits on fines, which under Australian law are capped at $2 million, a ceiling she called “totally inappropriate.” Before rethinking regulations, she said, support needed to be given to the victims.

The Australian Cyber Security Centre, Australian Federal Police and Australian Signals Directorate are all assisting Optus with the technical aspects of the recovery and response.

Optus is providing the 2.8 million customers most seriously affected with a free 12-month subscription to credit monitoring and identity protection service Equifax Protect. 

Several Australian media outlets reported the presence online of a $1 million ransom demand directed towards the company, but Reuters could not confirm its authenticity.

The company did not respond to requests for comment about O’Neil’s statements, but on Monday it announced that it had sent emails or text messages to all customers whose ID document information, such as license or passport numbers, was compromised.

Optus is still in the process of contacting the other victims whose information was leaked.

“Optus needs to communicate clearly to their customers about exactly what information was being taken from specific individuals and then needs to assist and support customers to manage the impacts of what is an unprecedented theft of consumer information in Australian history,” she said. 

On Monday, the alleged hacker behind the incident threatened to publish 40,000 records over the next four days if the $1 million was not paid.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.