Optus telco data breach – what we know so far
Optus, an Australian telecommunications provider, has become the latest high-profile victim of a data breach, with the alleged attacker demanding payment to buy back millions of customer records, having already made 10,000 of them public online. In the most recent developments, the attacker has withdrawn the threats and removed the records from a data breach website. However, this does not change the fact that someone was able to access these customer records in the first place, including names, dates of birth, driver’s license numbers, addresses, telephone numbers, health insurance numbers and passport numbers, leaving many Optus customers feeling vulnerable.
But how did it happen?
It looks like an unauthenticated Application Programming Interface (API) is to blame.
Curtis Simpson, CISO at Armis, explained: “APIs are the entry point into the modern application and the data it processes. Exposures associated with APIs range from configuration-based to logic-based vulnerabilities that can be exploited to compromise platforms, networks, users, and data. Traditional edge and application security testing capabilities do not identify or facilitate remediation or protection against the exploitation of such large-scale exposures in our cloud environments, which continue to transform alongside our business operations. Real-time logic-based protections, API exposure analysis, prioritization, and remediation through development stacks are examples of features that must be adopted in order to protect modern web services.”
He continued, “Digital business is done through APIs. Our security programs and technologies must continue to evolve around where our businesses live and operate.”
Adam Fisher, Solutions Architect at Salt Security, further explained the incident in his blog:
“Human error almost always plays a role in infractions, but it’s not just about being more careful. APIs affect all areas of an organization, not just development. Typically, multiple teams share ownership of APIs. Often miscommunication (or incomplete communication) can lead to problems. For example, infrastructure teams may assume that the development team has already handled authentication requirements. They may believe that the API has already undergone a security review when in fact it has not.
“Unfortunately, communication problems are quite common. Additionally, in the case of Optus, it appears that the network team unwittingly made a test network available on the internet, which could then be easily exploited.”
Professor John Goodacre, Director of UKRI’s Digital Security by Design Challenge and Professor of Computer Architectures at the University of Manchester, added:
“Cyber attackers work in a promiscuous world in which a single misconfiguration or vulnerability in a digital system can be used to potentially steal data or disrupt its operation. Connecting to the Internet means it can come from anywhere, with no one safe. Accepting that to err is human means that everyone, everywhere can be attacked. Barriers must be placed in systems by design that work to block the exploitation of… The ISP and telco who provide the internet can see traffic patterns where attacks are coming from, but if a hacker’s request finds an open door in a remote system, the technology can’t do much to differentiate it in isolation.”
Salt Security’s Fisher argued that there is value in organizations treating API security as a discipline in its own right, especially as digitization, and the APIs driving it, continue to grow. He advised ISPs and telecom operators to:
- Know the risks, starting with the threats identified in the OWASP API Security Top 10.
- Ensure a cross-functional approach: API security should be communicated and supported across the whole organization, not just the development team.
- Continuously monitor APIs: in addition to maintaining a comprehensive API inventory, telcos and ISPs should continuously monitor the APIs in their environment for deviations in behavior.
“To identify potential API threats, organizations need to understand how APIs normally operate in their environments. Having this information will allow telcos to quickly identify and expedite the response to threats before a malicious actor gains access to their critical user data…or worse,” Fisher concluded.
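Fisher’s two monitoring points above, an unauthenticated API serving customer records and a client whose behavior deviates from the norm, can both be checked from ordinary API-gateway access logs. The script below is an added example written for this article, not code from Optus, Salt Security or any other party quoted here. The log format, the `authz=` field (whether the request carried a credential), the `/api/v1/customers/` path prefix and the sample log lines are all constructed assumptions; a real deployment would adapt the regex and the sensitive-path list to its own gateway.

```python
import re
import statistics
from collections import Counter

# Constructed sample API-gateway log lines for this example (not Optus data).
# Fields: timestamp client_ip method path status authz
# authz=bearer means a credential was presented; authz=none means no credential.
SAMPLE_LOG = """\
2022-09-20T10:00:01Z 198.51.100.7 GET /api/v1/customers/4410 200 authz=bearer
2022-09-20T10:00:03Z 198.51.100.8 GET /api/v1/customers/4411 200 authz=bearer
2022-09-20T10:00:04Z 198.51.100.8 PUT /api/v1/customers/4411 204 authz=bearer
2022-09-20T10:00:05Z 198.51.100.9 GET /api/v1/plans 200 authz=none
2022-09-20T10:00:06Z 198.51.100.10 GET /api/v1/customers/4412 401 authz=none
2022-09-20T10:00:10Z 203.0.113.9 GET /api/v1/customers/7731 200 authz=none
2022-09-20T10:00:11Z 203.0.113.9 GET /api/v1/customers/2204 200 authz=none
2022-09-20T10:00:12Z 203.0.113.9 GET /api/v1/customers/9015 200 authz=none
2022-09-20T10:00:13Z 203.0.113.9 GET /api/v1/customers/3348 200 authz=none
2022-09-20T10:00:14Z 203.0.113.9 GET /api/v1/customers/6602 200 authz=none
2022-09-20T10:00:15Z 203.0.113.9 GET /api/v1/customers/1187 200 authz=none
2022-09-20T10:00:16Z 203.0.113.9 GET /api/v1/customers/8459 200 authz=none
2022-09-20T10:00:17Z 203.0.113.9 GET /api/v1/customers/5073 200 authz=none
2022-09-20T10:00:18Z 203.0.113.9 GET /api/v1/customers/2916 200 authz=none
2022-09-20T10:00:19Z 203.0.113.9 GET /api/v1/customers/4480 200 authz=none
"""

# Assumed log layout; adjust to the gateway actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) authz=(?P<authz>\S+)$"
)

# Assumed: paths under these prefixes return personal customer records.
SENSITIVE_PREFIXES = ("/api/v1/customers/",)


def parse_log(text):
    """Parse gateway log lines into dicts; reject lines that do not match the layout."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable log line: {line!r}")
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def unauthenticated_record_access(records):
    """Requests that were *served* (2xx) a sensitive record without any credential.

    A 401 for an unauthenticated request is the API working as intended; a 200
    with authz=none is evidence that the authentication check is missing.
    """
    return [
        r for r in records
        if r["path"].startswith(SENSITIVE_PREFIXES)
        and 200 <= r["status"] < 300
        and r["authz"] == "none"
    ]


def volume_deviations(records, factor=5, minimum=5):
    """Clients whose request count exceeds factor x the median per-client count.

    The median of all clients in the window stands in for 'how the API normally
    operates'; the absolute floor keeps tiny windows from flagging everyone.
    """
    counts = Counter(r["ip"] for r in records)
    baseline = statistics.median(counts.values())
    threshold = max(minimum, factor * baseline)
    return {ip: n for ip, n in counts.items() if n > threshold}


def triage(text):
    """Run both checks over a log excerpt and return the findings."""
    records = parse_log(text)
    return {
        "unauthenticated_served": unauthenticated_record_access(records),
        "volume_deviations": volume_deviations(records),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    print(f"{len(findings['unauthenticated_served'])} sensitive records served "
          "without a credential")
    for ip, n in findings["volume_deviations"].items():
        print(f"client {ip} made {n} requests, above the behavioral baseline")
```

The first check catches the Optus-style failure directly: if a record endpoint ever answers 2xx to a request with no credential, the authentication control is absent, regardless of who sent the request. The second check needs the baseline Fisher refers to; here it is derived from the same window with a median, but in production it should come from a longer history per endpoint and per client class so that a legitimately busy integration partner is not flagged alongside an unknown address.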