Illustration by Beatrice Sala
Following one of the biggest data breaches in Australian history, the government of Australia is planning to get stricter on requirements for disclosure of cyber attacks.
On Monday, Prime Minister Anthony Albanese told Australian radio station 4BC that the government intended to overhaul privacy legislation so that any company suffering a data breach was required to share details with banks about customers who had potentially been affected in an effort to minimize fraud. Under current Australian privacy legislation, companies are prevented from sharing such details about their customers with third parties.
The policy announcement was made in the wake of a huge data breach last week, which affected Australia’s second-largest telecom company, Optus. Hackers managed to access a vast amount of potentially sensitive information on up to 9.8 million Optus customers — close to 40 percent of the Australian population. Leaked data included name, date of birth, address, contact information, and in some cases, driver’s license or passport ID numbers.
Reporting from ABC News Australia suggested the breach may have resulted from an improperly secured API that Optus developed to comply with regulations around providing users multifactor authentication options.
A person claiming to be the Optus hacker seems to have corroborated this account of the data breach in conversations with security journalist Jeremy Kirk. Per details given to Kirk by the presumed hacker, the data was downloaded by querying the API sequentially for each value of a unique identifier field labeled “contactid” and recording each user’s information one by one until the dataset of millions of records was assembled. Predictable, sequential record identifiers exposed through an endpoint that neither authenticates the caller nor checks that the caller is entitled to the specific record requested are a textbook broken access control flaw (what the OWASP API Security Top 10 calls broken object level authorization); once one record can be fetched, every other one can be fetched by simply counting.
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn’t have to log in. The person says: “No authenticate needed. That is bad access control. All open to internet for any one to use.” #infosec #auspol pic.twitter.com/l89O8w1oCO
— Jeremy Kirk (@Jeremy_Kirk) September 24, 2022
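To make the failure mode concrete, here is an added example (not Optus code, and not from the reporting above) that models a lookup endpoint keyed by a sequential contact ID. The vulnerable version mirrors what the hacker describes: no authentication, no per-record authorization, so walking the ID range returns every record. The hardened version requires a session token, only returns the caller’s own record, answers missing and foreign IDs identically so the ID space cannot be probed, and redacts the licence number. All records, the session store and the token scheme are constructed assumptions for illustration.

```python
"""Sequential-ID enumeration against an unauthenticated lookup endpoint,
beside a hardened version. Constructed sample data; hypothetical design."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Contact:
    contact_id: int
    name: str
    dob: str
    licence: str  # sensitive identity document number


# Constructed sample records with sequential IDs; three stand in for millions.
CONTACTS: Dict[int, Contact] = {
    1001: Contact(1001, "A. Example", "1980-01-01", "DL-000001"),
    1002: Contact(1002, "B. Example", "1975-05-05", "DL-000002"),
    1003: Contact(1003, "C. Example", "1990-09-09", "DL-000003"),
}


# --- vulnerable: open to anyone, any ID, full record returned ---------------
def vulnerable_lookup(contact_id: int) -> Optional[dict]:
    c = CONTACTS.get(contact_id)
    return None if c is None else vars(c)


def enumerate_vulnerable(start: int, stop: int) -> List[dict]:
    """What the attacker described doing: walk the ID space, keep the hits."""
    found = []
    for cid in range(start, stop):
        rec = vulnerable_lookup(cid)
        if rec is not None:
            found.append(rec)
    return found


# --- hardened: authenticate the caller, then authorize per object -----------
class Unauthorized(Exception):
    """No valid session presented (HTTP 401)."""


class NotFound(Exception):
    """Record missing OR not owned by caller; deliberately indistinguishable."""


# Hypothetical session store: opaque random token -> contact_id of the login.
SESSIONS: Dict[str, int] = {}


def issue_session(contact_id: int) -> str:
    token = secrets.token_urlsafe(32)  # unguessable, unlike a counter
    SESSIONS[token] = contact_id
    return token


def _resolve_session(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    owner = None
    # Constant-time comparison against every stored token; avoids leaking
    # partial matches through timing. (A real store would use a keyed hash.)
    for stored, cid in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            owner = cid
    return owner


def hardened_lookup(token: Optional[str], contact_id: int) -> dict:
    owner = _resolve_session(token)
    if owner is None:
        raise Unauthorized()
    # Object-level authorization: the caller may only read their own record.
    # A foreign ID and a nonexistent ID get the same answer, so an attacker
    # cannot learn which IDs exist.
    if owner != contact_id or contact_id not in CONTACTS:
        raise NotFound()
    c = CONTACTS[contact_id]
    # Return only what the feature needs; mask the document number.
    return {
        "contact_id": c.contact_id,
        "name": c.name,
        "dob": c.dob,
        "licence": "***" + c.licence[-2:],
    }


def enumerate_hardened(token: Optional[str], start: int, stop: int) -> List[dict]:
    """Same sweep against the hardened endpoint: yields at most one record."""
    found = []
    for cid in range(start, stop):
        try:
            found.append(hardened_lookup(token, cid))
        except (Unauthorized, NotFound):
            continue
    return found


if __name__ == "__main__":
    print("open endpoint leaked:", len(enumerate_vulnerable(1000, 1010)), "records")
    tok = issue_session(1002)
    print("hardened endpoint leaked:", enumerate_hardened(tok, 1000, 1010))
```

The two checks are independent: authentication alone would not have stopped a logged-in customer from sweeping the ID range, and authorization alone is meaningless if any caller is trusted. Random, non-sequential identifiers are defence in depth, not a substitute for either.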
A post from the same person in a popular hacking forum claimed to offer the user data for sale for $150,000 and listed an extortion price of $1 million to keep the data private, to be paid in the Monero cryptocurrency. The hacker also released a number of free “sample files,” which they said contained the full address information of 10,000 Optus users.
As the situation unfolds, many Optus customers have taken to social media to express their frustration with how the hack is being handled, particularly in regard to notifying affected users that their data was at risk.
“Amazing that Optus can email me when I am a day late in paying my bill, but not when they lose all my personal info in a massive cyber hack,” tweeted Patrick Keneally, a news editor for Guardian Australia, after the data breach came to light.