September 26, 2022
Cybersecurity Minister Clare O’Neil plans to reveal reforms this week forcing businesses to alert banks quickly about breaches of customer data to limit the likelihood of money being fraudulently taken from their accounts.
The policy reforms, which have not been finalised, are a reaction to the breach of systems at telecoms giant Optus, which has notified millions of customers their personal details were stolen and may be for sale online.
Ms O’Neil believes if banks are alerted to customers’ exposure to data breaches they will be able to apply greater scrutiny to activity on their accounts, which could help customers dispute transactions in the event of theft.
Optus chief executive Kelly Bayer Rosmarin, meanwhile, is likely to meet with the telco’s owner, Singaporean tech giant Singtel. Its chief executive, Kuan Moon Yuen, and chief corporate officer, Cheng Cheng Lim, flew into Sydney on Friday for an annual two-day board meeting and are expected to discuss the breach this morning.
While it is believed internally that no one person is to blame for the breach, customer frustration grew at the weekend as an anonymous user claimed on a hacking forum to have the data of 11.2 million people.
Optus said last week that 9.8 million would be affected in a ‘‘worst-case scenario’’.
‘‘Optus if you are reading! Price for us to not sale data is 1,000,000$US we give you 1 week to decide,’’ the post, which demanded the payment be made in the monero cryptocurrency, said.
The Australian Financial Review has seen a sample of the apparent breach data and contacted the user. While multiple cybersecurity experts say the data might be legitimate, there is no certainty.
Hacking forums often post fake claims to trick companies into paying a ransom for data a poster does not have. The purported hacker reportedly got into Optus systems via an unprotected application programming interface – a tool that facilitates communication between apps and services. The user told the Bank Info Security website the API was accessible by any web user and did not require authentication. If the report is true, that would mean Optus had effectively left a door to its virtual data warehouse unlocked.
Others, such as cyber threat intelligence firm Kela and partner Colab82, have theorised that hackers may have recruited Optus employees to facilitate the breach as an inside job.
‘‘[Threat actors] were looking in June and July 2022 for ‘insiders’ of Optus and other companies, to get sensitive information about the company,’’ it said in an analysis note obtained by the Financial Review. Kela identified three posters on notable hacking forums that were looking for insiders earlier this year.
It also ‘‘found more than 55,000 leaked credentials pertaining to the Optus domain that may be used by threat actors for social engineering campaigns’’ and ‘‘3000 bots containing Optus-related resources – some of which seem to be sensitive portals designated for company personnel’’ on illicit markets. Optus said it had had no contact with the hacker, and the hacker had not contacted the telco before the post about the data on the breach forum. Optus declined to comment on the authenticity of the data sample.
‘‘Given the investigation, Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings,’’ the company said.
The Financial Review has cross-referenced some of the alleged data with breaches listed on HaveIBeenPwned.com, a site that helps users check if their data has been part of a breach that has been made public.
Of the handful of email addresses from the sample tested by the Financial Review, most appeared to have been part of a previous, unrelated data breach collated on the website. However, some had not, indicating that the data could be legitimate because they were newly exposed addresses. The Financial Review cannot verify whether the data posted is real.
‘‘The data for sale online is of real people. But we need Optus to verify it’s from them,’’ Internet 2.0 co-chief executive Robert Potter said. The Australian Federal Police said it was aware of reports the stolen data was being sold ‘‘through a number of forums, including the dark web’’.
Opposition home affairs spokeswoman Karen Andrews and cybersecurity spokesman James Paterson want Labor to sign on to a private members’ bill which would create new offences for cyber extortion and ransomware activities with a penalty of up to 10 years in prison. The legislation would create a new aggravated offence for cybercriminals seeking to target critical infrastructure and essential services, with maximum penalties of 25 years’ imprisonment.