In the week since Optus announced it had been the subject of a massive data breach with as many as 10 million customer accounts exposed, solid information about what actually happened has been scarce.
Here’s what we know so far.
Who is the attacker?
Optus has said it was the target of a “sophisticated attack”.
The only person to have come forward since then claiming to have the data is a user called “Optusdata” on a data breach forum. The alleged attacker threatened to sell the data unless Optus paid US$1m in cryptocurrency.
The user later posted what they alleged was 10,000 customer records, before deleting the posts and apologising.
Nothing is known about this person beyond what was on the forum.
Who has the data?
It is not clear whether “Optusdata” is the person responsible for the attack, or whether they are the only person who has access to the data.
In their apology, “Optusdata” claimed they had deleted the only copy they had of the data.
There is no way to verify this. Other attackers could have accessed the data via the same vulnerability, and the data may not have actually been deleted.
“That’s a valid concern as all we have to go on at present is the word of a criminal who had no hesitation to dump more than 10,000 records publicly,” cyber security expert and founder of the website HaveIBeenPwned, Troy Hunt, said.
“Plus, the vulnerability as it’s been described is so trivial it’s entirely possible it was exploited by other parties as well.”
Why did the attacker back down?
That also remains unclear. Optus has said it did not pay the ransom.
Hunt lists data breaches on his website to allow people to check whether their personal information has been compromised. He said ransom demands were not unusual for large data breaches such as that suffered by Optus, but the alleged attacker’s change of heart was unexpected.
“Seeing the hacker back down, apologise and promise to delete the data is very rare. I suspect the amount of exposure the incident received plus the AFP involvement and commentary from high-level politicians spooked them,” he said.
How was the data accessed?
Reports suggest Optus had an application programming interface (API) exposed on the public internet that returned customer data without requiring authentication (proof of who the caller is) or authorisation (a check that the caller is allowed to see the particular record requested).
“In the instance where a public API endpoint did not require authentication, anyone on the internet with knowledge of that endpoint [URL] could use it,” said senior manager of cyber security consulting for Moss Adams, Corey J Ball.
“If that endpoint was used to access customer data, then anyone on the internet could have used that endpoint to gather customer data.
“Without technical controls for authentication and authorisation in place, any user could have requested any other user’s information. The attacker likely scripted the process to repeat requests from the endpoint until they had collected millions of instances of personally identifiable information.”
Optus still hasn’t confirmed how the data was accessed. It maintains the attack was sophisticated, but the home affairs minister, Claire O’Neil, has said the vulnerability was akin to Optus leaving a window open.
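To make the failure described above concrete, the following is an added illustration written for this page; it is not Optus’s code, and nothing is known publicly about how the real endpoint was implemented. It models a customer-lookup endpoint as a plain Python function on a constructed in-memory dataset with sequential customer IDs, shows a handler with no authentication or authorisation next to a hardened one, and includes the kind of scripted sweep over IDs that the quoted expert describes. The token scheme (an HMAC over the customer ID with a server-side key) is an assumption chosen to keep the example self-contained, not a recommendation for a production session design.

```python
"""Added example (not from the article or Optus): an unauthenticated customer
lookup next to a hardened one, and a scripted enumeration of sequential IDs.
All customer data below is constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample data. Sequential integer IDs are exactly the pattern that
# makes a "request every ID" sweep trivial to script.
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid",
           "dob": "1980-01-01", "passport": "PA0000001"},
    1002: {"name": "B. Example", "email": "b@example.invalid",
           "dob": "1975-06-30", "licence": "DL0000002"},
    1003: {"name": "C. Example", "email": "c@example.invalid",
           "dob": "1990-12-12", "medicare": "MC0000003"},
}

# A request is modelled as a dict: "params" carries the parsed customer_id,
# "headers" carries whatever the caller sent (e.g. an Authorization header).


def vulnerable_lookup(request):
    """What 'no authentication or authorisation' looks like: any caller gets
    any record just by naming its ID. Returns (http_status, record)."""
    cid = request["params"].get("customer_id")
    rec = CUSTOMERS.get(cid)
    return (200, rec) if rec is not None else (404, None)


# --- Hardened version -------------------------------------------------------

# Assumed server-side secret used to bind a token to a customer ID.
SESSION_KEY = secrets.token_bytes(32)


def issue_token(customer_id):
    """Hypothetical login result: '<id>.<hmac>' that only this server can mint."""
    tag = hmac.new(SESSION_KEY, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"


def authenticate(request):
    """Authentication: who is calling? Returns the customer ID the token was
    issued for, or None if there is no valid bearer token."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    subject, _, tag = auth[len("Bearer "):].partition(".")
    if not subject.isdigit():
        return None
    expected = hmac.new(SESSION_KEY, subject.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return int(subject)


def hardened_lookup(request):
    """Authentication followed by object-level authorisation: a caller may
    read only the record that belongs to them, whatever ID they ask for."""
    subject = authenticate(request)
    if subject is None:
        return (401, None)
    cid = request["params"].get("customer_id")
    if cid != subject:
        # Authorisation failure. Returning 404 instead of 403 here would also
        # avoid confirming to a prober that the requested ID exists.
        return (403, None)
    rec = CUSTOMERS.get(cid)
    return (200, rec) if rec is not None else (404, None)


# --- The scripted sweep the article describes --------------------------------

def enumerate_customers(handler, id_range, headers=None):
    """Request every ID in id_range against `handler` and keep whatever comes
    back with 200. Against the vulnerable handler this harvests the whole
    table; against the hardened one it yields at most the caller's own record."""
    harvested = {}
    for cid in id_range:
        status, rec = handler({"params": {"customer_id": cid},
                               "headers": headers or {}})
        if status == 200:
            harvested[cid] = rec
    return harvested


if __name__ == "__main__":
    sweep = range(1000, 1010)
    print("unauthenticated sweep, vulnerable endpoint:",
          sorted(enumerate_customers(vulnerable_lookup, sweep)))
    print("unauthenticated sweep, hardened endpoint:",
          sorted(enumerate_customers(hardened_lookup, sweep)))
    own = {"Authorization": "Bearer " + issue_token(1002)}
    print("authenticated sweep as customer 1002, hardened endpoint:",
          sorted(enumerate_customers(hardened_lookup, sweep, own)))
```

The point the example makes is that authentication alone does not stop this class of breach: a caller with one valid login who can still fetch arbitrary IDs would harvest the table just as fast. The per-object check in `hardened_lookup` is what bounds the blast radius to one record per compromised credential. Rate limiting and alerting on sequential-ID sweeps are worthwhile as defence in depth, but they are no substitute for the authorisation check.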
What data was taken?
Optus says the stolen data includes names, email addresses, postal addresses, phone numbers, dates of birth, and for a portion of the affected customers, identification numbers including passport numbers, driver’s licence numbers and Medicare numbers.
The dump of records released by the forum user contained all this information.
How common is this method of attack?
“Unfortunately, it can be pretty common,” Josh Lemon, a digital forensics and cyber incident expert at SANS Institute, said.
But he said attackers tended not to target a single organisation. They usually scan across the internet looking for known vulnerabilities and exploit them wherever they are found, he said.
“So for a threat actor to specifically just go after [one company] is a little bit unique in that sense.”
What happens next?
Optus customers have been urged to stay vigilant for signs their data has been compromised. State and federal governments are making it easier for those affected to replace identity documents that may have been accessed.
While the alleged attacker has dropped the ransom threat, the criminal investigation is ongoing. The Australian federal police are working with law enforcement authorities overseas, including the Federal Bureau of Investigation in the US, to locate whoever obtained the data, and who tried to sell it.
The federal government is looking at urgent reform in this area, including making it easier to alert banks to which of their customers may have been compromised. It is also considering large fines for companies that allow such a breach to occur.