Australian telecommunications firm Optus is continuing to investigate a data breach that may be one of the largest ever in the country.
In a press conference and in interviews on Friday, Optus CEO Kelly Bayer Rosmarin apologized for the incident but did not reveal many details, saying it is under “criminal investigation.”
“I’d like to start off by making sure that it’s clear that we are apologising to all of our customers,” Rosmarin says. “We know that this attack creates great concern.”
The attackers accessed names, birth dates, phone numbers, and email addresses. For some customers, driver’s licenses and passport numbers may have been exposed, according to a news release. The data goes back to 2017, Rosmarin says. No financial data or passwords were exposed.
“We don’t know who these attackers are and what they want to do with this information,” Rosmarin says.
Optus has so far not said how many customers are affected, but the operator has around 10.2 million subscribers. Rosmarin says Optus is going to notify those affected starting with those with the most data exposed.
ISMG contacted several threat intelligence companies that closely monitor the Dark Web where stolen data is traded and offered for sale. No data connected to the latest breach appears to be offered.
If a state-sponsored actor breached Optus, it’s unlikely the data would be sold. If the breach was caused by data broker cybercriminals, it may be sold in small private circles first rather than in big batches. The data is useful for a variety of cybercriminal uses, including phishing attacks, SIM swapping and identity theft.
Optus is Australia’s second-largest telecommunications company, providing landlines, mobile connectivity, internet and cable access, leased lines and more. It is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group.
Encryption in Play?
Optus said later on Friday that the personal data was encrypted and that there were “additional security solutions enabled,” according to a spokesman.
“Unfortunately, due to the sophistication of the attack, the hackers were still able to gain access,” a spokesman says.
The Australian Federal Police, which is investigating the breach, has requested that Optus not “discuss certain details as it might compromise their ability to find the bad actor,” the spokesman says.
Rosmarin was pressed earlier in the day on the security controls around the data. She was asked four times by a Sky News Australia journalist whether the customer data was encrypted, according to a video. She responded that because of the ongoing investigation, “we are not at liberty to disclose details about the data, where it resides, how the attack happened.”
“I’m sorry I just don’t understand why you can’t say whether any of it is encrypted or not,” the journalist asked.
Rosmarin said that encryption is one method that Optus uses to protect customer information along with other defensive measures.
“Unfortunately, in addition to our customers who listen to all the information we are getting out there via the media, there are bad actors who also read the media and so we are restricted in what we can say,” Rosmarin says.
“But if it’s encrypted, that just makes you harder to hack, doesn’t it?” the journalist asks.
Encryption would certainly stop an attacker from reading or using the data without the decryption key. But if the attackers had access to an account with permissions to read the data – which appears to be the case here – encryption at those points would be irrelevant, since the system decrypts the data for any request it treats as authorized.
No Ransom Demand
Rosmarin says Optus had not received a demand for ransom, and she did not indicate that data had been encrypted by the attackers. That likely eliminates the possibility of a ransomware attack.
The absence of a ransom demand could also mean that whoever took the data isn’t trying to extort the company.
On Thursday, the Sydney Morning Herald reported that the source of the breach may have been a vulnerable API, or application programming interface. Rosmarin acknowledged that people are “hungry for details” but when asked about that report reiterated it’s under investigation.
“We will not be divulging details about that,” she says.
The ABC then reported on Friday afternoon that the breach may have been caused by human error. An API for an Optus customer identity database was opened to a test network that “happened to have internet access.” APIs are software interfaces that allow systems to exchange data, but they can pose a data breach risk if exposed directly to the internet.
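The two points above, that encrypted data is still readable through any interface holding the key, and that an identity-database API reachable without authentication is a breach risk, are easiest to see in code. The following is an added illustration written for this article, not code from Optus or from any report about the breach: a toy customer-identity service whose records are encrypted at rest, exposed once through an endpoint with no authentication (the weak pattern) and once through an endpoint that checks a bearer token before the decryption path runs. The cipher (a SHA-256 keystream with an HMAC tag), the key, the token and the customer records are all constructed for the example.

```python
"""Toy customer-identity API: at-rest encryption versus an unauthenticated read path.

Constructed example. The cipher below (SHA-256 keystream, encrypt-then-MAC)
is illustrative only; a real service would use a vetted AEAD and a KMS.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed secrets; a real deployment keeps these in a KMS or vault.
DATA_KEY = hashlib.sha256(b"demo-data-encryption-key").digest()
API_TOKEN = "demo-api-token-not-real"

# Constructed sample records with the kinds of fields the article lists.
CUSTOMER_RECORDS: Dict[str, dict] = {
    "1001": {"name": "A. Example", "dob": "1990-01-01", "phone": "+61400000000"},
    "1002": {"name": "B. Example", "dob": "1985-06-15", "licence": "DEMO-123"},
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream blocks: SHA-256(key || nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# The "database": every record is stored encrypted.
_STORE: Dict[str, bytes] = {
    cid: encrypt(DATA_KEY, json.dumps(rec).encode()) for cid, rec in CUSTOMER_RECORDS.items()
}


def read_raw_storage(cid: str) -> bytes:
    """What someone copying the storage gets without the key: opaque bytes."""
    return _STORE[cid]


def lookup_unauthenticated(cid: str) -> dict:
    """Weak pattern: the endpoint decrypts for any caller. If this listener is
    reachable from the internet, the at-rest encryption protects nothing."""
    return json.loads(decrypt(DATA_KEY, _STORE[cid]))


def lookup(cid: str, token: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Hardened pattern: authenticate before the decryption path runs.
    Returns an HTTP-style status code and the record (or None)."""
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        return 401, None
    if cid not in _STORE:
        return 404, None
    return 200, json.loads(decrypt(DATA_KEY, _STORE[cid]))


if __name__ == "__main__":
    print("raw storage bytes:", read_raw_storage("1001")[:24].hex(), "...")
    print("open endpoint returns:", lookup_unauthenticated("1001"))
    print("hardened endpoint, no token:", lookup("1001", None))
    print("hardened endpoint, valid token:", lookup("1001", API_TOKEN))
```

The contrast is the whole point: `read_raw_storage` shows the encryption doing its job against a copy of the data store, while `lookup_unauthenticated` shows that the same protection is moot the moment the service that holds the key answers requests it has not authenticated. The mitigation is not "more encryption" but making sure the authentication check sits in front of every path that decrypts, and that such listeners are never bound to a network segment with internet reachability.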
The ABC quoted a “senior figure” inside Optus. The company, however, said the report was inaccurate.
Rosmarin did say during the press conference that investigators noticed IP addresses originating from Europe accessing Optus’s systems. The servers are likely not where the attackers originate, however. Cybercriminals typically use other hacked servers or other systems to shield their true location.
“The IP address kept moving,” Rosmarin says. “It’s a sophisticated attack.”