2022 Optus data breach

In September 2022, Optus, Australia's third-largest telecommunications company,[1] suffered a data breach affecting up to 9.7 million current and former customers, over a third of Australia's population.[2] Information illegally obtained included names, birthdates, home addresses, phone numbers, email contacts, and passport and driving licence numbers.[2] Conflicting claims have been made about how the breach happened: Optus presented it as a complicated attack on its systems, while an Optus insider and the Australian government have claimed that the breach resulted from a human error that left a vulnerability in the company's API. A ransom notice was posted, asking for A$1,500,000 to stop the data being sold online. After a few hours, the person claiming responsibility deleted the ransom notice and apologised for their actions.

Optus has received criticism from government figures, including Home Affairs and Cyber Security Minister Clare O'Neil and Minister for Government Services Bill Shorten, for its role in the breach and for being uncooperative with government agencies and the general public. The government has announced legislation, including allowing information to be shared with financial services and Government agencies, and reforms to Australia's security of critical infrastructure laws, to help the government respond to future breaches.[3]

In response to the breach, Optus has agreed to pay for the replacement of passports that have been compromised, commissioned an external review, and given highly affected customers a subscription to a credit monitoring service. Optus has also apologised for the breach. Optus has faced criticism from customers for being unresponsive and for providing inadequate support to those affected. Multiple investigations into the breach and a class-action lawsuit from affected customers are ongoing as of June 2023.

Breach

On 20 September, Optus's technical team noticed and investigated suspicious activity on its network. The next day, it was identified that Optus's systems had sustained a data breach, and regulators were informed. On 22 September, the company went public with the data breach, informing news agencies.[2][4] Optus advised customers to be alert for potentially fraudulent activity, but at this point was unable to state how many customers were affected or whether the data taken had caused any harm.[5]

File:2022 Optus data breach ransom note.png
Ransom note left by the person believed to be behind the breach

On 23 September, Optus denied claims made by an insider that a mistake had occurred in which Optus's API had accidentally been left exposed to a test network that had internet access. Optus instead claimed that a complicated breach had occurred and that the company had a strong cybersecurity system.[6] Optus stated that it believed the hacker had scraped the company's consumer database, with only a third of the total data in the database copied and extracted.[6]

On 24 September, Optus and the Australian Federal Police (AFP), which had by then opened a criminal investigation, received reports that data from the leak was being sold online, and were monitoring the dark web for any attempt to sell the data.[7] The same day, a user on BreachForums posted a ransom note believed to be legitimate by some cybersecurity experts, demanding that Optus pay $1,500,000 in Monero, a cryptocurrency focusing on privacy. They said that they would release the personal information of 10,000 customers every day that Optus did not pay the ransom until a week elapsed, and posted a sample of the information of 200 customers. After the week elapsed, they were to sell the data for A$400,000 to anyone who wanted it.[8] After a few hours, the user deleted their original post and appeared to apologise for their actions, stating that it was a "mistake to scrape publish [sic] data in first place"[8] and that there were too many people paying attention to the breach. The user noted that they would have reported the exploit that they used if they had been able to contact Optus, noting the lack of a secure mail/messaging contact or bug bounties.[8]

Government response

Home Affairs and Cyber Security Minister Clare O'Neil alleged that Optus was at fault for the attack, rejecting Optus's argument that the attack was complicated. O'Neil also stated that the attack should not have happened, saying: "Responsibility for the security breach rests with Optus[,] and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country".[9]

The federal government announced emergency regulation on 6 October so that driver's licence, Medicare and passport numbers can be temporarily shared with financial services, the Commonwealth, and state or territory agencies to assist with monitoring the accounts of customers affected by the breach for potential scams or fraud. Financial institutions have to commit to several actions to receive the data, including honouring privacy obligations and deleting the data once it has been used. The Council of Financial Regulators has also been asked to identify and report on changes that would allow financial institutions to identify customers who are at risk of scams and fraud. The changes will be in place for 12 months. Treasurer Jim Chalmers stated that the measures would help protect customers from scams and detect fraud.[10]

O'Neil expressed frustration at the government's lack of ability to intervene in the data breach, stating that the laws were of no use to the government when they were needed, as Australia's security of critical infrastructure laws only allowed the government to legally intervene while a data breach was occurring. The government could not assist with the clean-up following the breach, or compel Optus to give information to government services.[11]

Several new security measures have been announced following the breach to protect victims from fraud, including banks being informed of data breaches faster to prevent the use of stolen data to fraudulently access bank accounts.[12] The federal government has also flagged an overhaul of the $1.7 billion cybersecurity plan introduced by the previous government, including a new cyber office and additional powers for the government to intervene regarding cybersecurity. The government is also considering a Cyber Security Act to create standards and obligations for industry and government, and a reform to the Security of Critical Infrastructure Act to bring customer data and systems under the definition of "critical infrastructure", allowing the government to intervene in major data breaches.[13]

On 27 February 2023, Prime Minister Anthony Albanese and O'Neil hosted a roundtable with industry and civil society groups on cybersecurity following the data breach. A discussion paper was released regarding the role of the federal government in increasing Australia's cybersecurity capability.[13][14]

The state governments of Queensland, Victoria, South Australia and Western Australia have agreed to pay for the replacement of driver's licences for people who had their driver's licence number compromised by the breach.[15][16] In Victoria, plans to add a second number to driver's licences were fast-tracked, with all victims of the breach receiving the second number as part of their replacements.[17]

Optus response

File:Optus Macquarie Park - panorama.jpg
Optus's headquarters at Macquarie Park, where the "war room" was located

On the day that the breach was announced, Optus set up a "war room" to deal with the breach at its headquarters in Macquarie Park. This involved around 150 employees and was headed by former Premier of New South Wales Gladys Berejiklian and regulatory and public affairs head Andrew Sheridan.[18]

Optus commissioned Deloitte to conduct an "independent external review" of the breach.[19] Optus also gave its "most affected" customers a 12-month subscription to the credit monitoring service Equifax Protect, after O'Neil had requested in Question Time that the company buy credit monitoring for its customers.[20] Optus CEO Kelly Bayer Rosmarin deeply apologised for the attack on behalf of the company.[21] Optus has put aside $140 million for costs relating to the breach, including replacing compromised identification documents, the Equifax Protect subscriptions and the Deloitte review.[21] Optus has promised to pay for the replacement of Australian and foreign passports that were compromised in the breach.[22]

Optus reported that 2.1 million of its customers had had identity documents stolen as part of the hack. Of these, 1.2 million customers, according to Optus, had at least one current, valid identification number stolen. The remaining 900,000 customers had expired identity numbers stolen.[23]

Services Australia has alleged a lack of communication from Optus. On 27 September, Services Australia wrote to Optus "asking for the full details of all affected customers with Services Australia credentials exposed, such as Medicare cards and/or Centrelink concession cards".[11] Minister for Government Services Bill Shorten stated that, a week later, Services Australia had still not received any data from Optus. Optus claimed that it was "in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take".[11] There was also confusion regarding the number of Medicare ID numbers stolen, with Shorten telling a press conference that around 36,900 ID numbers had been stolen, while Optus put the figure at 14,900.[11]

Customers have also reported problems communicating with the company. Customers stated that Optus could not confirm whether their personal information was part of the data breach even after several contacts, that the company's chatbot failed to understand questions about the breach, that sales representatives gave poor responses or no response at all, and that warnings about compromised personal information were delayed. A customer stated that, "Ultimately, we are sitting ducks for identity theft, and given that we can't change our dates of birth, address or names, there isn't much we can do about it, which is incredibly frustrating".[20]

On 8 March 2023, Bayer Rosmarin restated Optus's claim that the attack was sophisticated, stating at a business summit that "The skilled criminal had knowledge of Optus' systems and cycled through many tens of thousands of internet protocol addresses in an attempt to evade our automated cyber monitoring".[24] She also stated that Optus never paid a ransom to the hacker, and that the primary motivation behind the breach was other scam purposes.[24]
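The claim above is that source-address rotation defeated automated monitoring. The following is an added illustration, not code from the article or from Optus, of why a per-source-IP rate limit misses that pattern and how a source-agnostic check over the identifiers being requested does not. The access-log format, the `/customer/<id>` endpoint, the assumption that customer records have sequential identifiers, and all traffic are constructed for the example.

```python
# Added example (not from the Wikipedia article or from Optus): a toy detector that
# compares a per-source-IP rate limit with a source-agnostic enumeration check.
# The log format, the /customer/<id> endpoint and the sequential record IDs are
# all constructed assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: int         # Unix timestamp in seconds (constructed)
    src_ip: str     # client address as seen by the API gateway
    record_id: int  # <id> component of the hypothetical /customer/<id> path
    status: int     # HTTP status code


def parse_log_line(line: str) -> Request:
    """Parse one constructed access-log line: '<ts> <ip> GET /customer/<id> <status>'."""
    ts, ip, _method, path, status = line.split()
    return Request(int(ts), ip, int(path.rsplit("/", 1)[1]), int(status))


def build_sample_log() -> list:
    """Constructed traffic: 300 enumeration requests, each from a different
    source address (simulating IP rotation), plus a little ordinary traffic."""
    base = 1663632000
    lines = []
    for i in range(300):
        # 254 addresses from one documentation range, the rest from another
        ip = f"198.51.100.{i + 1}" if i < 254 else f"203.0.113.{i - 253}"
        lines.append(f"{base + i // 5} {ip} GET /customer/{100000 + i} 200")
    # Benign: two customers repeatedly viewing their own records two minutes later
    lines += [f"{base + 120 + k} 192.0.2.10 GET /customer/555 200" for k in range(6)]
    lines += [f"{base + 125 + k} 192.0.2.11 GET /customer/7007 200" for k in range(2)]
    return lines


REQUESTS = [parse_log_line(line) for line in build_sample_log()]


def per_ip_alerts(requests, threshold: int) -> list:
    """Classic control: flag any source IP that exceeds `threshold` requests.
    Rotating through many addresses keeps every counter below the limit."""
    counts = defaultdict(int)
    for r in requests:
        counts[r.src_ip] += 1
    return sorted(ip for ip, n in counts.items() if n > threshold)


def enumeration_alerts(requests, window_s: int, min_distinct: int,
                       min_adjacent_ratio: float) -> list:
    """Source-agnostic control: per time window, count distinct record IDs requested
    by *all* clients together and the share of them that sit next to another
    requested ID. Ordinary customers touch scattered IDs; an enumerator sweeps a
    contiguous range. Returns (window_start, distinct_ids, adjacent_ratio) tuples."""
    windows = defaultdict(set)
    for r in requests:
        windows[r.ts // window_s].add(r.record_id)
    alerts = []
    for bucket, ids in sorted(windows.items()):
        if len(ids) < min_distinct:
            continue
        adjacent = sum(1 for i in ids if (i - 1) in ids or (i + 1) in ids)
        ratio = adjacent / len(ids)
        if ratio >= min_adjacent_ratio:
            alerts.append((bucket * window_s, len(ids), round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    print("per-IP alerts (threshold 20):", per_ip_alerts(REQUESTS, 20))
    print("enumeration alerts:", enumeration_alerts(REQUESTS, 60, 100, 0.8))
```

With a per-IP threshold of 20 the rotating enumerator produces no alert at all, because no single address makes more than one request; lowering the threshold to 5 only flags the benign customer who refreshed their own record six times. The enumeration check fires on the same traffic because it keys on what is being requested rather than on who is requesting it. The contiguous-ID heuristic is one of several possible signals; random or hashed identifiers would call for a different one, such as the ratio of distinct records to distinct authenticated sessions.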

Legal action

On 6 October, a 19-year-old Sydney man, Dennis Su, was arrested by the AFP at his home in Rockdale for blackmailing 93 Optus customers affected by the breach. He had claimed that he would commit financial crimes using their personal data unless they paid him A$2,000, which none did. He was charged with one count of using a telecommunication network with intent to commit a serious offence and one count of dealing with identification information with intent to commit an offence. AFP Assistant Commissioner Justine Gough stated that he was not suspected of being responsible for the breach, and warned people not to click on links claiming to be from Optus.[25] Su pleaded guilty in November 2022. He avoided jail because of his guilty plea, his age and his remorse for his actions, instead receiving an 18-month community corrections order.[26]

The Office of the Australian Information Commissioner (OAIC) has launched an investigation into the breach concerning Optus's handling of customers' personal data, focusing on whether Optus took reasonable steps to protect the information from fraud, misuse or loss, and whether Optus needed to retain the information it had collected. The Australian Communications and Media Authority is also investigating the breach, focusing on whether Optus breached its obligations regarding the protection and disposal of personal data.[27] The federal government gave the OAIC $5.5 million over two years to investigate the breach in its October 2022 budget.[19]

A class action has been launched by law firm Slater & Gordon, alleging Optus "breached laws and its own policies by failing to adequately protect customer data and destroy or de-identify former customer data". The ongoing class action has been joined by 100,000 current and former customers seeking compensation for losses, including the time spent replacing identification documents and the stress caused. Optus has stated it will defend its actions.[28][29] In court, Slater & Gordon lawyers requested that the Deloitte report be released to the public, arguing that it could reveal the possible causes of the data breach. Optus declined to do so, despite Bayer Rosmarin stating in March 2023 that Optus would "share key recommendations and learnings"[30] from the report.[31]
