9M Australians affected by Optus data breach (opens in new tab)

I’ve seen Optus “computer security” in action. I use quotes for a reason.

There was a court-enforced order requiring them to apply security updates to their production systems. That was in response to a previous breach.

You see, until a judge made them do it… they weren’t patching anything. They would just build systems and walk away. For some software systems they had every major and minor version deployed, like a museum of software history.

They had operating system versions in production that were in my university text books… in the late 1990s.

Their interpretation of the court order was to update only production systems. Non-production on the same network was not to be touched.

And by “update” they meant simply running the system update tool, which does precisely nothing on software that has passed its end-of-extended-support before some of the IT staff on the payroll were born.

They also fired their entire IT staff recently and replaced them with a low-cost Indian outsourcer.

Most of the above is a matter of public record. I wish I could tell you all about things that are still under NDA.

In Australia, due to counter terror laws, you can't get a phone sim without providing verifiable government ID. So the consequence of that is that they phone companies have a really large amount of sensitive information. This information loss should be treated like a workplace death. Or a toxic spill. things will only change when a CEO goes to jail for this sort of obvious negligence. It may be harsh, but until there's real consequences, nothing will change.

> Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers. Payment detail and account passwords have not been compromised.

Geez, ID document numbers is such a big thing. Now hackers can basically call most institution and impersonate victims. this is quite huge

OP here.

Some more information here (not my preferred source, but oh well): https://www.news.com.au/technology/online/hacking/up-to-9-mi...

It seems around 2.8m have had 'all' data stolen (including ID, address, etc), and around 7m 'just' names, DoB and numbers/e-mail addresses.

Apparently Optus is working on sending personalised details to customers.

What a monumental stuff up.

FYI optics is Australia's second largest telecommunications provider. This would be the worst known databreach in Australian history.

It is interesting that compared to identity theft announcements from many US corporations they are direct, apologize and state the authorities they are working with. I imagine there's less fear of the legal consequences of not having a tight response as the culture isn't as litigious.

DOB, name and address are typically enough details to commit severe identity theft, at least back in 2017 when it happened to me in Australia. Someone stole a letter from my insurer in my mailbox and used my name and address to impersonate me and obtain my DOB and email from my insurer. They then used these details to hijack my phone number (SIM porting) and obtain my bank account details. They ended up hacking into my online banking (because my bank used and still uses SMS based OTP, not a device key - St George Bank, I’m looking at you) and tried withdrawing thousands of dollars in cash from an atm using cardless withdrawal. They didn’t succeed because I was overseas at the time and the bank fraud monitoring picked it up on the spot and froze all my cards. Very scary indeed and firm proof that you can do a lot of damage with very little information about someone, at least in Australia.

Great.

My coworker got hit by massive targeted identity theft which started with their SIM, provided by Optus. The attackers were able to successfully port my coworker’s Optus number and then hacked their Optus email which had everything in it. It took them months to undo the damage, and more trouble was always around the corner usually while they were sleeping or the service being hit didn’t have support staff online. Do Optus even have any security checks at all for preventing fraud?

Lessons: if the service doesn’t support MFA, don’t use it; don’t put all your service eggs in one basket; don’t assume that your phone number is safe, and act accordingly.

Optus needs to pay for this and I don’t just mean dollars. Comfortable people with responsibilities they didn’t failed to keep need to see gaol time, or at the very least lose their jobs and not be allowed to walk back into the revolving door for a long time. This is outrageous.

"Payment detail and account passwords have not been compromised."

No, just your identity is. If you're Australian, you or someone you know will be in this. What a total fuck up.

> Optus notifies customers of cyberattack compromising customer information

- the notification being finding a link to their quietly released press release on HN this afternoon? Thanks Optus!

- cyberattack is the word to use to encourage speculation that a nation-state was behind the breach, that there was no way to defend against this and to avoid saying "data breach"

- here "customer information" means current and former Optus customers' personal information

If the executive knew at all about the state of security or the potential risk of breach, then they are culpable and should be personally prosecuted.

The story HAS to be that if you, as an exec in power, know your company has deficient safety protocols regarding its care of toxic material, the breach of which is known to cause serious damage and harms, AND you do nothing: hello personal prosection, reaching right through the corporate veil.

Until we set this kind of legal precedent for the egregious disregard for the integrity of private and personal data, this is just going to keep happening.

I want to point out that Optus also offers a Digital Identity verification solution via Mastercards DI infrastructure. I am currently implementing Mastercards DI solution somewhere...

The way that is implemented SHOULD be mostly unhackable, with everything server side being encrypted and inaccessible without user action and communication with MCs backend.

Still, this is not a good look for trust. Should we now go to Australian customers and say "and now you authenticate via the Optus app, it's super secure" while they immediately think of this hack?

https://www.optus.com.au/customer-extras/mastercard-id

Because of this I finally decided to complain to my (Australian) bank about their max 6 character (alphanumeric) no symbol password policy... And lack of MFA for personal accounts... And continuing to only offer OTP via SMS to authorise transactions.

Well, I tried to complain... for you see after going through multiple pages/steps in the UI, when it came time to review and submit, after you press submit you are told that they can't receive complaints online at this time.

So I wrote in the web feedback form instead. At least that went through. As will, I hope, my screenshots of the process to the ombudsman.

In nearly all these microservice components, the UI has an outdated copyright year in the footer. 2016 in the feedback app, 2017 in a preference update component. The year sits right underneath a lock symbol and some text telling you how secure they are.

This tells me a number of things. Either no one has smoke-tested that component for 6 years, or picked up that the year was off, or it has been picked up and left in backlog because of other priorities leaving me to ask what else could be in the aged backlog, but really telling me they don't have the resources to do or to take software or UX seriously.

This is bad. Australia isn't know for it's strong privacy laws anyway, but with the kind of data that's now available out there, ID theft is going to be a huge risk for almost half the country. Even if Optus gets sued, how the hell are people supposed to protect themselves?

> Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers

Okay so this was half the country.

I cant honestly understand how anyone thinks KYC laws make sense if anyone can make a bank account as anyone else, and it all looks like legitimate money or the human is getting framed while the criminal just rotates IDs.

For those not aware this is about 35% of the population of Australia which is around 26 million.

How can we protect ourself. What steps can we take given the CEO says the following:

"Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, and the number of the ID document you provided such as drivers licence or passport number. No copies of photo IDs have been affected.

It is also important to know that Optus’ network and Optus services including mobile and home Wi-Fi aren’t affected, and no passwords were compromised, so our services remain safe to use and operate as per normal."

Effectively saying, dont change your password. Hackers dont need it.

Glad I dumped them 2 years ago. I hated their imposed "non direct debit fee" if you elected to pay manually instead of direct debit.

I hated their mandatory text messages that couldn't be blocked, such as upcoming bill reminders. Spam my email as much as you want, but stay out of my text messages!

i wonder if passwords really haven’t been affected or if they’re just hashed so they think they can get away with saying that

Today is a one-off national public holiday in Australia to mourn the loss of the Queen. I'd be curious to know when this attack started and whether it coincided with the public holiday by chance or by choice.

CEO Should absolutely be charged with criminal negligence. Throw the book at him.

How could Dan Andrews let this happen? /s

It's long past time for countries to embrace the digital id the way Estonia (and a few others) have.

For comparison, visit https://www.telia.ee/en and you're prompted for your smart card or associated Smart ID (which is mobile app you can bootstrap from your smart card).

No more need to do a 100 point check (and then hold that information indefinitely), it's been done.

Even if you don't like the Estonian system it's high time to get serious about digital identity and stop pretending that knowing your DoB etc (or social security number in US) is a secure mechanism of proving identity.

Aside: Highly recommend Estonia's e-residency program. Great place to run a company. Future focused.

I know Optus would have had a copy of my drivers license on record.. quite possibly my passport as well ;(

Haven’t actually received any communication about the breach from them yet either.

Seems like a complete screw up. They couldn’t even notify their customers before everyone found out on the news.

I wouldn’t trust Vodafone to organise a piss up in a brewery… maybe Telstra are better (hah!)

Ah, good old Sloptus living up to its name.

A mobile company that wants so much of their users ID info. Is it really necessary for them to get all that user info?

and the meaning of the phrase cyberattack is further diminished

State-sponsored?

isnt that like half the population??