Australian telecommunication giant Optus is reportedly receiving help from the FBI in investigating what appears to have been an easily preventable breach that ended up exposing sensitive data on nearly 10 million customers.
Meanwhile, the apparent hacker or hackers behind the breach on Tuesday withdrew their demand for a $1 million ransom along with a threat to release batches of the stolen data till the ransom was paid. The threat actor also claimed he or she deleted all the data stolen from Optus. The apparent change of heart, however, came after the attacker already earlier had released a sample of some 10,200 customer records, seemingly as proof of intent.
The attacker's reason for withdrawing the ransom demand and the data leak threat remain unclear. But in a statement posted on a Dark Web forum — and reposted on databreaches.net — the alleged attacker alluded to "too many eyes" seeing the data as being one reason. "We will not sale data to anyone," the note read. "We can't if we even want to: personally deleted data from drive (Only copy)."
The attacker also apologized to Optus and to the 10,200 customers whose data was leaked: "Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you."
The apology and the attacker's claims of deleting the stolen data are unlikely to assuage concerns surrounding the attack, which has been described as Australia's largest-ever breach.
Optus first disclosed the breach on Sept. 21, and in a series of updates since then has described it as affecting current and previous customers of the company's broadband, mobile, and business customers from 2017 onward. According to the company, the breach may have potentially exposed customer names, dates of birth, phone numbers, email addresses, and — for a subset of customers — their full addresses, driver's license information, or passport numbers.
Optus Security Practices Under the Microscope
The breach has stoked concerns of widespread identity fraud and pushed Optus into — among other measures — working with different Australian state governments to discuss the potential for changing driver's license details of affected individuals at the company's cost. "When we get in touch, we'll place a credit on your account to cover any relevant replacement cost. We’ll do this automatically, so you don’t need to contact us," Optus informed customers. "If you don’t hear from us, it means that your driver’s license doesn’t need to be changed."
The data compromise has put Optus security practices squarely under the spotlight especially because it appears to have resulted from a fundamental error. The Australian Broadcasting Corporation (ABC) on Sept. 22 quoted an unidentified "senior figure" inside Optus as saying the attacker was basically able to access the database via an unauthenticated application programming interface (API).
The insider allegedly told ABC that the live customer identity database the attacker accessed was connected via an unprotected API to the Internet. The assumption was that only authorized Optus systems would use the API. But it somehow ended up getting exposed to a test network, which happened to be directly connected to the Internet, ABC quoted the insider as saying.
ABC and other media outlets described Optus CEO Kelly Bayer Rosmarin as insisting the company was the victim of a sophisticated attack and that the data the attacker claimed to have accessed was encrypted.
If the report about the exposed API is true, Optus was the victim of a security mistake that many others make. "Broken user authentication is one of the most common API vulnerabilities," says Adam Fisher, solutions architect at Salt Security. "Attackers look for them first because unauthenticated APIs take no effort to breach."
Open or unauthenticated APIs often are the result of the infrastructure team, or the team that manages authentication, misconfiguring something, he says. "Because it takes more than one team to run an application, miscommunication frequently occurs," Fisher says. He notes that unauthenticated APIs occupy the second spot in OWASP's list of the top 10 API security vulnerabilities.
An Imperva-commissioned report earlier this year identified US businesses as incurring between $12 billion and $23 billion in losses from API-linked compromises just in 2022. Another survey-based study that Cloudentity conducted last year found 44% of respondents saying their organization had experienced data leakage and other issues stemming from API security lapses.
The FBI did not respond immediately to a Dark Reading request for comment via its national press office email address, but the Guardian and others reported the US law enforcement agency as being called in to assist with the investigation. The Australian Federal Police, which is investigating the Optus breach, said it was working with overseas law enforcement to track down the individual or group responsible for it.
Casey Ellis, founder and CTO of bug bounty firm Bugcrowd, says the intense scrutiny the breach has received from the Australian government, public, and law enforcement may have spooked the attacker. "It's fairly rare for this type of interaction to be as spectacular as this one has been," he says. "Compromising nearly half the population of a country is going to garner a lot of very intense and very powerful attention, and the attackers involved here clearly underestimated this."
Their response suggests the threat actors are very young and likely very new to criminal conduct, at least of this scale, he notes.
"Clearly, the Australian government has taken this breach very seriously and is going after the attacker voraciously," Fisher adds. "This strong response might have caught the attacker off guard," and likely prompted second thoughts. "However, unfortunately, the data is already out in the open. Once a company finds itself in the news like this, every hacker pays attention."