Australian government promises tighter cyber security after Optus hack

The Australian government will be rolling out new cyber security reforms off the back of the Optus cyberattack, Minister for Cybersecurity Clare O’Neil has announced.

The changes are said to be unveiled some time this week, and are expected to focus on infrastructure that will allow financial institutions to be more swiftly informed when a data breach occurs so they can stop personal data being used to access those particular accounts.

“Australian companies must do all they can to protect their customers’ data. I will have much more to say in coming days about the Optus cyber attack and what steps need to be taken in the future,” Minister for Home Affairs and Cyber Security, Clare O’Neil, said on Twitter.

Australian companies must do all they can to protect their customers’ data. I will have much more to say in coming days about the Optus cyber attack and what steps need to be taken in the future.

— Clare O'Neil MP (@ClareONeilMP) September 24, 2022

Shadow Minister for Cyber Security James Paterson and Shadow Home Affairs Minister Karen Andrews are also pushing for sign off on a private members bill. 

First proposed by the former government back in February, it would enforce harsher punishments for hackers that target essential services and infrastructure.

If passed, it would become an aggravated offense to buy and sell stolen data that could result in up to 25 years imprisonment.

“It’s critically important that Australian businesses take this issue seriously because it can have profound implications not just for their business and not just for their shareholders, but for their customers and our wider economy and society,” Paterson said in a press conference on Monday.

Both Paterson and Andrews were critical of the Labor government and Optus in the press conference, referring to the yet-to-be-announced reforms as “reactive”.

“This looks like a case of the government trying to close the gate after the horse has bolted. This will do nothing to help any of the 10 million Optus users who have been affected. It will only seek to mitigate the consequences of it happening,” Paterson said.

“The government should be much more focused on prevention and the government should use the existing powers that they have in the law to prevent it.”

At the present time, nothing has been said about whether any of the proposed reforms will include tighter mandates on how user data is stored and accessed by companies and telcos.

However, Optus has pushed back against changes to privacy laws in the past. In a review of the Privacy Act in 2020, the telco opposed customers being given the right to erase their data as well as take legal action over data breaches.

According to The Guardian, Optus said that such changes would incur “significant technical hurdles” as well as compliance costs. 

The attorney general’s department also proposed a direct right of action for customers to seek damages in response to data breaches in October 2021. Optus responded to this earlier this year, saying the current processes were more “flexible”. 

SmartCompany has reached out to Labor and Liberal ministers for comment on the proposed legislative changes.

What’s happened in the Optus cyber security hack so far

News of the Optus cyber attack was first announced by the telco on September 22, a national public holiday.

This was followed by a press conference on September 23, where Optus CEO Kelly Bayer Rosmarin offered further details about the attack.

Bayer Rosmarin confirmed that as many as 9.8 million Optus customers from as far back as 2017 may have been affected, but that it expected the actual number to be far lower.

And as we reported last week, it was also confirmed that the attack did not impact enterprise customers. This includes Mobile Virtual Network Operators (MVNOs) that utilise the Optus network, such as amaysim, Circles.Life and Coles.

However, Bayer Rosmarin did say that small business customers could be impacted, particularly if their personal and business accounts are the same.

A ransom for the data was also posted to an online forum on Saturday. The post claimed to have the data of 11.2 million customers (an even higher number than Optus quoted) and demanded $1 million in Monero cryptocurrency from Optus.

The post provided two data sets containing the information of 200 alleged Optus customers. SmartCompany has inspected these data sets, which included information such as names, addresses, license numbers, phone numbers and email addresses.

Cyber security researcher Jeremy Kirk is said to have been able to confirm some of this personal information with Optus customers, which has suggested that the data sets may be real.

I found the person in the data set. She was working in her front yard. She wants to stay unnamed but confirmed she is a former Optus customer and that her data is accurate. We still need a confirm from Optus on the data but this is all lining up. #OptusHack #auspol #infosec

— Jeremy Kirk (@jkirk@infosec.exchange) (@Jeremy_Kirk) September 23, 2022

Kirk also made contact with the poster, who explained how they allegedly hacked Optus’ system. Kirk added that a second source has confirmed the alleged hacker’s explanation is “approximately correct”. 

“The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn’t have to login. The person says: ‘No authenticate needed. That is bad access control. All open to internet for any one to use,'” Kirk said on Twitter.

“The API endpoint was api[dot]https://optus.com.au. Yes, that looks weird, but the hacker says it worked otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data.”

You can read the full thread here.

Optus and the Australian Federal Police are both aware of these claims, but the former is yet to comment on the validity or whether the telco is considering paying the ransom.

Customers still left stranded

Optus confirmed with media on Friday that it would be contacting customers who were most likely impacted by the cyberattack. 

Generic emails began going out to customers over the weekend but they provided little detail as to exactly what information was stolen or what customers could actually do about it.

Instead, the telco provided general information on looking out for suspicious activity on customer accounts. 

Source: Optus

Source: Optus

Optus confirmed on Monday morning that it had finished the first round of messaging.

“Optus has now sent email or SMS messages to all customers whose ID document numbers, such as licence or passport number, were compromised because of the cyberattack,” Optus said in a press release.

“We continue to reach out to customers who have had other details, such as their email address, illegally accessed. We understand and apologise for the concern that this has caused for our customers.”

Optus also provided several updates to media organisations over the weekend regarding the attack.

In one email, the telco specifically clarified that it would not be sending out  “…links in SMS or emails. If customers receive an email or SMS with a link claiming to be from Optus, they are advised that this is not a communication from Optus. Please do not click on any links.”

The telco also confirmed on Sunday that it is working with “a number of organisations” that help protect customers, such as the Australian Cyber Security Centre. The Australian Federal Police is also investigating the attack.

At the time of writing there has been no mention from Optus about financial compensation or aid for customers off the back of the attack. 

However, Optus did announce its intention to offer free credit monitoring through Equifax. 

“We are now taking a further step to help reduce the risk of identity theft. Optus is offering the most affected current and former customers whose information was compromised because of a cyberattack, the option to take up a 12-month subscription to Equifax Protect at no cost. Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft,” Optus said in an email.

“The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost.”

SmartCompany has reached out to Optus for comment on the cyber attack and its plans to help impacted customers.