On 22 September, Optus, Australia’s second-largest telecommunications company with a user base of more than 10 million people – close to 40% of Australia’s population – was subject to a cyberattack that saw customers’ personal information, including names, dates of birth, phone numbers, email addresses, street addresses, driving licence details and passport numbers nabbed by hackers.
Three weeks later, Medibank, one of Australia’s largest health insurers, hastily took some of its data and policy systems offline, later telling the Australian stock exchange that the company had been contacted by hackers aiming to “negotiate” over the theft of around 200 gigabytes of customer data – data including names, addresses, dates of birth, Medicare numbers, phone numbers, and information relating to personal medical problems, diagnoses, and procedures.
Two days later, on 15 October, Woolworths Group admitted that 2.2 million customers of its MyDeal subsidiary had had their personal details stolen, and just two days after that, wine dealer Vinomofo revealed that up to 500,000 of its customers had been exposed in a “cybersecurity incident”.
On 27 October, Australian Clinical Labs, possibly hoping to slip under the hacking outrage radar, disclosed a February 2022 hack that exposed the medical records of 223,000 clients of its Medlab Pathology business, data that included 128,608 full names and Medicare numbers, 28,286 credit card numbers – 12% of which included the CVV code! – and 17,539 individual medical health records associated with pathology tests. By June, Quantum, the group that claimed responsibility for the apparently failed ransomware attack, had all 86GB of data up on its website. The data leak page had been accessed more than 130,000 times.
Just another day on the internet
What does all this mean? Is Australia under attack? No, not really. In many ways it’s just another day on the internet.
Open the log of any website and you’ll see a constant stream of probes from all around the world looking for the burglar’s equivalent of an open window. What software is it running? What version? Is it unpatched with a known vulnerability? What’s it connected to? Can I get any network details…? There’s nothing personal in this probing. The vast majority of it is automated, only alerting would-be hackers to real, exploitable weaknesses, and most of those are on sites equivalent to the personal blog of Pete in Poughkeepsie (or this one!). But occasionally the hackers hit paydirt.
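As an added illustration of the log-watching described above (example code written for this page, not from the original post or from any of the companies named), here is a small Python script that parses constructed access-log lines in the combined format Apache and nginx write, and reports client IPs whose requests look like automated reconnaissance: several distinct 404s in a row, or requests for paths that only make sense when guessing what software the site runs. The sample lines, the `probe-bot/1.0` user agent and the `FINGERPRINT_HINTS` list are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the "combined" access-log format written by Apache
# and nginx; they are illustrative and not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2022:10:00:01 +1000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [01/Oct/2022:10:00:05 +1000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "probe-bot/1.0"
198.51.100.23 - - [01/Oct/2022:10:00:05 +1000] "GET /.env HTTP/1.1" 404 169 "-" "probe-bot/1.0"
198.51.100.23 - - [01/Oct/2022:10:00:06 +1000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "probe-bot/1.0"
198.51.100.23 - - [01/Oct/2022:10:00:06 +1000] "GET /.git/config HTTP/1.1" 404 169 "-" "probe-bot/1.0"
203.0.113.7 - - [01/Oct/2022:10:00:09 +1000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [01/Oct/2022:10:00:12 +1000] "GET /old-page HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# One line: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed list: paths a visitor only asks for when guessing which software the
# site runs (a CMS login page, an exposed config file, a repository, an admin UI).
FINGERPRINT_HINTS = ("/wp-login", "/.env", "/.git/", "/phpmyadmin")


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text, min_misses=3):
    """Report IPs with >= min_misses distinct 404 paths or any fingerprinting request."""
    misses = defaultdict(set)   # ip -> set of paths that returned 404
    hints = defaultdict(set)    # ip -> set of fingerprinting paths requested
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip lines that are not in the expected format
        if rec["status"] == "404":
            misses[rec["ip"]].add(rec["path"])
        if any(rec["path"].startswith(h) for h in FINGERPRINT_HINTS):
            hints[rec["ip"]].add(rec["path"])
    report = {}
    for ip in set(misses) | set(hints):
        if len(misses[ip]) >= min_misses or hints[ip]:
            report[ip] = {"misses": sorted(misses[ip]),
                          "fingerprint_paths": sorted(hints[ip])}
    return report
```

Run against a real log, the ordinary visitor with the occasional broken link stays out of the report while the address walking through well-known software paths is flagged.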
According to Australia’s ABC News, the Optus hack was most likely the result of human error. An anonymous insider told them:
[Optus] wanted to make integrating systems easier, to satisfy two-factor authentication regulations from the industry watchdog…
This involved opening Optus’s customer identity database to other systems via an Application Programming Interface, with the assumption that the API would only be used by authorised company systems.
Eventually one of the networks it was exposed to was a test network which happened to have internet access.
And this allowed access from outside the company.
Optus strenuously denied the claim, preferring to mythologise the cunningness and dedication of the miscreants, but Occam’s Razor* applies in this as it does in many other situations.
* “Entities should not be multiplied beyond necessity,” or more prosaically, “The simplest explanation is usually the right one.”
There are three points to consider in all this…
1: Storing data is cheap. So cheap in fact that Facebook don’t actually know what data they have on you or where it’s stored, (but that’s another blog!). All of your personal data and medical history would fit on a zip file that costs fractions of a cent to maintain each month in “the cloud”, but that data is also extremely valuable – and I’m not just talking about hackers and ransomware. Marketers within the companies themselves want to own it, use it and mine it – which is presumably why Optus lost data from accounts that were closed in 2017. In their defence they claimed they had to retain it under Australian law, but that law only applies to billing data and a period of two years. Tellingly, however, there is no requirement to not keep data after that period.
2: IT systems never get less complex, and this applies to business systems in particular. New features are required, new “flavour of the month” products must be integrated (see point 3), buzzword methodologies embraced (point 3, again), but there’s never enough money or resources to train new people in the old stuff. Add in that most IT staff move on after three or four years and you end up with legacy systems that few people fully comprehend. Leaving a window open or a back door unlocked is pathetically easy when you don’t even know they’re there in the first place.
3: Most managers don’t understand IT – hailing as they do from MBA / marketing / accounting backgrounds – and the higher up the pyramid, the dimmer the bulb glows. (I once had the sales manager of a moderately large company regard me with awe when I showed him how he didn’t need to do a Google search whenever he wanted to visit his own company’s website.) Corporate managers are particularly susceptible to off-the-shelf solutions that “just require a little configuration” (replace “little” with “vast amount”, and don’t even think about interfacing it with what you’ve got now), and flavour-of-the-month methodologies. (“We halved our IT expenditure using Fragile!” But only because half their staff left in disgust.)
If corporate managers don’t really understand IT, politicians understand it even less. When the government looked at updating the Australian Privacy Act 1988 it was subjected to “intense lobbying from financial, payment, telco, media and marketing interests” that retarded reforms towards “a trusted, secure, reliable and efficient regulatory regime to manage the burgeoning digital economy and the data that fuels it.”
In its submission to Privacy Act review telco [Optus] said giving people right to erase personal data would involve ‘significant’ hurdles and costs
Optus has repeatedly opposed a proposed change to privacy laws that would give customers the right to request their data be destroyed, with the telco arguing there were “significant hurdles” to implementing such a system and it would come at “significant cost”.
https://www.theguardian.com/australia-news/2022/sep/24/optus-cyber-attack-company-opposed-changes-to-privacy-laws-to-give-customers-more-rights-over-their-data
A 2019 report by the Department of Home Affairs noted “significant deficiencies in response standards, formal reporting channels of Government, and meaningful protection measures for consumers. Overall the response system is either non-existent or performing poorly from a citizen’s perspective.”
All of which means the penalties for not looking after your data are risible. Optus face a maximum fine of A$2.2 million – or less than 25 cents per compromised customer – under the regulations in force at the time. (The Aussie government has since bumped up that maximum fine to A$50 million, but even that is still chicken feed when you consider that the cost of getting your compromised passport reissued is A$308.)
On September 29, Bloomberg reported that the Optus breach could cost its owner, Singapore Telecommunications Ltd., up to A$420 million. A sizeable sum, but still only a quarter of the conglomerate’s projected profit for 2022. So they might only make A$1.2 billion this year. Bummer.
Image source: No. 457 Squadron RAAF, Public domain, via Wikimedia Commons