Australia’s second largest mobile operator has notified customers of a cyberattack that compromised personal data. The customer information that has been breached includes:
- dates of birth
- phone numbers
- email addresses
- driver’s license numbers
- passport numbers
This kind of information would greatly facilitate the stealing of somebody’s identity. However, the company says account passwords and payment details were not breached.
A corporate statement quotes Optus CEO Kelly Bayer Rosmarin (pictured) as saying:
As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone maybe (sic) affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance. We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.
Australia’s Scamwatch website recommended that Optus customers take action.
Optus customers should take immediate steps to secure all of their accounts, particularly their bank and financial accounts. You should also monitor for unusual activity on your accounts and watch out for contact by scammers.
The Sydney Morning Herald reported that the leak of data may affect up to 9 million customers, making this one of the largest privacy breaches in Australian history. Optus has 10.2mn mobile subscribers and 1.3mn home broadband customers. The company said it was still working to determine how many customer records had been compromised.
It was also reported that the hackers were probably based overseas but not in China. They used a vulnerable API to exfiltrate the data. The API has now been taken offline.
Optus made the same promises that have been heard from so many other telcos over the years: they notified financial institutions, they will cooperate with the authorities, they are very sorry, yada yada. The truth is that it is considered normal to spend too little on security because every other business spends too little on security. So when something goes wrong, executives say how apologetic they are, and that they reacted quickly, and that they will investigate thoroughly. They expect no real repercussions because everybody else’s expectations are so low. But what use is all this empty talk about caring to an ordinary person whose life is turned upside down as a consequence of bad actors misusing their data?
Too many businesspeople pay lip service to the need for security before immediately switching back to reiterating the importance of using APIs, or some new way to generate revenues, or some money-saving system, or some other technology that has not been securely implemented. Penny-pinching telcos are now amongst the worst offenders; they should appreciate how much data they have, and that ordinary people have no alternative but to acquire a phone service from one telco or another. Even security professionals are becoming part of the problem; a short while ago a former Chief Security Officer at US operator AT&T publicly argued it was wrong for a CISO to blow the whistle on an executive team that consciously misleads customers and investors about the quality of security in their business. The never-ending litany of corporate failures just proves that businesses have normalized a doublethink where the level of security attained in practice is nothing like the level of security we say we aspire to.