The Optus data breach that occurred in September 2022 was the second-largest data breach in Australia. 9.8 million current and former Optus customers were impacted by the event, with 2.1 million suffering compromises of highly sensitive government identification information, such as driver’s license numbers and passport numbers. In other words, this single cybersecurity incident has placed almost half of the Australian population at risk of identity theft scams and financial fraud.
It will take some time for Optus to recover from its reputational damage following this event. Morgan Stanley estimates that up to 30% of victims (or 2.9 million) will forsake Optus for a rival telco provider.
This incident should serve as a sobering wake-up call to all Australian businesses, urging them to evaluate the resilience of their current cybersecurity programs to prevent suffering a similar fate to Optus.
In this post, we outline a cybersecurity strategy based on the vulnerabilities that led to Optus’ data breach and best cybersecurity practices to help your business defend against cyberattacks similar to the Optus event.
What Caused the Optus Data Breach?
The Optus data breach is believed to have been made possible by an unsecured Application Programming Interface (API). This particular API was allegedly used for testing purposes and was not protected by a username or password. Access to this API was open to anyone who located it on the internet.
An Application Programming Interface (API) is an interface that allows a solution to communicate with other digital services and products.
But an unsecured API wasn’t the only vulnerability that facilitated this breach. Optus stored customer records without unique identifiers. This made it possible to automate and rapidly scale the data theft process, resulting in the theft of almost 10 million records in a relatively short amount of time.
This was not a sophisticated attack, as Optus originally claimed. This event was possible because fundamental security protocols were completely overlooked. An oversight equivalent to the basic security negligence that led to the breach is leaving your car door unlocked and the keys in the ignition while parked on the street overnight.
"What happened at Optus wasn't a sophisticated attack. We should not have a telecommunications provider in this country that effectively left the window open for data of this nature to be stolen... They are to blame. The cyber hack undertaken here was not particularly technologically challenging."
- Clare O’Neil, Australia's Minister for Home Affairs
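The pattern described above, an open endpoint whose records can be pulled in bulk, leaves a distinctive trace in API access logs. The following is an added example, not code from Optus or from this post, that flags clients whose successful record fetches look like automated bulk retrieval; the log format, sample lines and thresholds are constructed assumptions.

```python
# Added example, not from the original post: flag API clients whose successful
# record fetches look like automated bulk retrieval (many consecutive IDs in a
# short window). Log format, sample lines and thresholds are constructed assumptions.
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(\d+) ([\d.]+) GET /api/customer/(\d+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, client_ip, customer_id, status) or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, cid, status = m.groups()
    return int(ts), ip, int(cid), int(status)

def detect_enumeration(lines, window=60, min_requests=20, seq_ratio=0.8):
    """Map client_ip -> (requests_in_window, fraction_of_consecutive_ids) for
    clients whose successful fetches in any `window`-second span number at
    least `min_requests` and mostly step the customer ID by exactly one."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 200:        # only fetches that actually returned data
            per_ip[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()                    # by timestamp
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1               # slide the window forward
            span = events[start:end + 1]
            if len(span) < min_requests:
                continue
            steps = sum(1 for a, b in zip(span, span[1:]) if b[1] - a[1] == 1)
            frac = steps / max(1, len(span) - 1)
            if frac >= seq_ratio:
                flagged[ip] = (len(span), round(frac, 2))
                break                    # one alert per client is enough
    return flagged

# Constructed sample: one client walks IDs 1000..1029 in 30 seconds; another
# makes a few unrelated lookups, one of which fails.
SAMPLE_LOG = [f"{1700000000 + i} 203.0.113.7 GET /api/customer/{1000 + i} 200"
              for i in range(30)]
SAMPLE_LOG += ["1700000005 198.51.100.2 GET /api/customer/4821 200",
               "1700000040 198.51.100.2 GET /api/customer/77 200",
               "1700000055 198.51.100.2 GET /api/customer/9130 404"]
```

On the constructed sample, `detect_enumeration(SAMPLE_LOG)` returns `{'203.0.113.7': (20, 1.0)}`: the first client is flagged as soon as twenty consecutive IDs fall inside the window, while the second client's scattered lookups are not.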
Four Cybersecurity Strategies for Preventing an Incident like the Optus Breach
Every Australian business owner that witnessed the Optus fallout likely shared the same thought:
“Wow, I’m glad it wasn’t us!”
It wasn’t the number of compromised records that contributed to the weight of the impact, but the almost irrevocable reputational damage the telco would surely suffer.
The event sparked a mass exodus of Optus customers, and potential customers have resolutely turned toward competitor options. It will take years for Optus to rebuild its reputation, and it may never completely recover.
Reputational damage is one of the primary metrics contributing to data breach damage costs, and the Optus event vividly illustrates this fact. However, the silver lining of this disaster is that many Australian businesses have started waking up to the criticality of implementing a resilient data breach prevention strategy.
The following four security strategies present a foundational framework for preventing data breaches analogous to the Optus hack and their subsequent reputational damage.
1. Regularly Reference the OWASP API Security Project
The OWASP API security project is a regularly updated public database of known API security risks. Your internal cybersecurity team should routinely canvas this database to check for API vulnerabilities impacting your business.
Cybersecurity is a continuously evolving field. Security teams must remain at the forefront of emerging attack vectors with helpful cybersecurity databases like the OWASP API security project and the CVE database.
Because these software vulnerability databases are open to the public, hackers commonly reference them when completing reconnaissance for a planned cyberattack. So when you're not learning about the latest software vulnerabilities, the cybercriminals potentially targeting your business are.
2. Ensure all APIs are Secured with an Authentication Protocol.
According to the OWASP API Security Project, unauthenticated APIs are the second most common API vulnerability. An unauthenticated API doesn't require a username/password or any other authentication method to facilitate a connection. This type of vulnerability facilitated the Optus breach.
Sometimes, APIs are intentionally left unauthenticated to maintain communication with legacy software or for testing purposes - which is likely the reason why Optus left its API unauthenticated.
Regardless of any testing or legacy software networking requirements, however critical they may seem, internal and public-facing APIs should NEVER be deployed unauthenticated.
To prevent API exploitation, all of your API connection requests should be secured with Multi-Factor Authentication. MFA is one of the best and simplest methods for deterring unauthorised connection requests to user accounts and APIs.
To learn more about authentication security, refer to this cheat sheet by OWASP.
An API security policy is only meaningful if you’re aware of the APIs requiring hardening. But what if your organization is unknowingly exposed by a public-facing API, as Optus was?
These overlooked exposures are difficult to detect with scanning tools. The best way to discover them is through penetration testing.
A pen tester can uncover a host of API vulnerabilities putting your organization at a high risk of a data breach, including:
- Weak authentication mechanisms, such as those accepting plain text, non-encrypted, or poorly hashed passwords.
- The ability for hackers to deploy credential stuffing or brute force attacks.
- The ability to manipulate an API to display sensitive authentication detail in the URL.
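To make the difference concrete, here is an added example (not Optus code and not from this post) showing the unauthenticated lookup pattern beside a hardened handler that requires a signed bearer token sent in the Authorization header, never in the URL, and returns only the record that token is scoped to. The HMAC key, token format and sample records are constructed assumptions; in a real deployment the token would be issued only after the caller has passed MFA.

```python
# Added example, not Optus code: the unauthenticated lookup pattern beside a
# hardened handler requiring a signed bearer token sent in the Authorization
# header (never in the URL) and scoped to one customer record. Key, token
# format and sample records are constructed assumptions.
import base64, hashlib, hmac, time
SECRET_KEY = b"constructed-demo-key-rotate-in-production"
CUSTOMERS = {  # constructed sample records
    1001: {"name": "A. Example", "licence": "DL-000111"},
    1002: {"name": "B. Example", "licence": "DL-000222"},
}

def insecure_lookup(customer_id):
    """The weak pattern: anyone who finds the endpoint can read any record."""
    return CUSTOMERS.get(customer_id)

def issue_token(customer_id, ttl=3600, now=None):
    """Mint 'customer_id:expiry:sig' with HMAC-SHA256 over 'customer_id:expiry'."""
    exp = int(time.time() if now is None else now) + ttl
    payload = f"{customer_id}:{exp}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return payload.decode() + ":" + base64.urlsafe_b64encode(sig).decode()

def verify_token(token, now=None):
    """Return the customer_id the token is scoped to, or None if invalid/expired."""
    try:
        cid, exp, sig_b64 = token.split(":")
        cid, exp = int(cid), int(exp)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, f"{cid}:{exp}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if exp < int(time.time() if now is None else now):
        return None
    return cid

def secure_lookup(customer_id, headers, now=None):
    """Hardened handler returning (status, record): valid token required and
    scoped, so a caller may only read the record the token was issued for."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    cid = verify_token(auth[len("Bearer "):], now)
    if cid is None:
        return 401, None
    if cid != customer_id:
        return 403, None   # valid caller, wrong record: blocks bulk enumeration
    rec = CUSTOMERS.get(customer_id)
    return (200, rec) if rec else (404, None)
```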
3. Implement a Vendor Risk Management Solution
Because Optus is a third-party vendor for many businesses, this data breach has placed many of its business customers at a high risk of business email compromise - a type of social engineering attack where hackers assume the identity of a compromised employee and use their email to request sensitive internal information from the victim’s colleagues.
Business email compromise is just one example of the dangers of doing business with an insecure third-party vendor. Other threats include:
- Third-party vendor software misconfigurations - like the security threat posed by misconfigured S3 buckets.
- Third-party data leaks - like the overlooked Microsoft PowerApps data leak exposing 38 million records online.
- Third-party security vulnerabilities - like the oversights at the center of most popular data breach news stories.
All of these vulnerabilities are attack vectors that could result in a third party falling victim to a data breach, and because third-party relationships often include internal integrations, a breached third party becomes a potential bridge leading to your sensitive resources. This style of attack is known as a supply chain attack, made famous by the ubiquitous SolarWinds breach.
4. Comply with the Notifiable Data Breaches Scheme
This isn’t a security control for preventing a cyber incident like the Optus breach, but it could help you avoid the same degree of reputational damage if you fall victim to a similar cyber event.
The bulk of Optus’ reputational damage wasn’t so much a result of the data breach itself but the disastrous PR efforts that followed.
When the security incident was confirmed, Optus didn’t send a breach notification directly to impacted customers. Instead, the security incident was announced in a single post tucked away on the company’s media web page. Most victims of the breach only found out about the event when they happened to notice a news story about it.
As an entity covered by the Privacy Act 1998, Optus is expected to instantly notify the OAIC and impacted victims of any data breaches likely to result in identity theft and financial loss. While Optus did notify the OAIC of this data breach, the public backlash from breach victims suggests that Optus didn’t follow the OAIC’s victim notification guidelines, which expect immediate and direct notification via email, text message, or phone call. Instead, Optus primarily relied on the media to communicate details of the security event to its customers.
Australia’s Notifiable Data Breaches scheme is not a perfect breach notification policy. It has a significant loophole. Breached organisations are not obligated to provide a breach notification if necessary remedial action to prevent harm has taken place. This places the final decision of whether public disclosure is necessary in the hands of the breached organisation, which is likely to have a very biased evaluation of its response efforts.
The Optus cyber attack has highlighted the serious deficiencies of Australia’s breach notification law and privacy laws, placing them under review. A reform of the breach notification scheme will likely result in some kind of standardised public announcement policy where disclosure is expected whenever a data breach of a clearly defined significance occurs.
To prepare for this likely outcome and avoid the negative press arising from frustrated customers kept in the dark, all data breach events likely to negatively impact victims, no matter how small, should be promptly communicated to both the OAIC and all breach victims.
The only risk of this strategy is the risk of unnecessary disclosure. But in light of how Optus handled its victim notification process - an event that will exemplify poor breach navigation practice for many years to come - customers are more likely to be appreciative of a rapid notification effort than to be disappointed by it.