Optus fallout continues
The FBI has joined Australia’s efforts to tackle the Optus data breach.
In the days since an Optus security breach exposed the data of millions of Australians, the minister for cyber security says more information has emerged about how it was undertaken.
Cyber Security Minister Clare O'Neil says a police investigation is now “on foot”, dubbed Operation Hurricane.
The investigation has brought in the world’s best-known police outfit, the FBI.
“Australian police [are] working with the FBI and state police forces around the country to not only find the person who is responsible for this vast breach of Australians' data, but to try to stop this data being used to commit financial crimes against Australians,” Ms O'Neil said.
The Australian government is reportedly supporting Optus to ensure the issue does not continue.
Ms O'Neil said she knows people are feeling angry and nervous about what happened, and that the security breach should not have occurred in the first place.
“We should not have a situation where the data … of 10 million Australians has effectively been breached and gone into the public realm,” she said.
The attack involved a programming interface used for testing, which was unknowingly exposed to the internet. It also lacked any authentication checks, meaning anyone on the internet could request data without providing any credentials or token to prove their identity.
This was made worse by a lack of unique identifiers, which reportedly allowed the attacker to easily request millions of records by simply changing an ID number (reported to be the ‘contactid’) by 1.
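How the request pattern described above would show up in an API access log, as an added example that is not from Optus or the original reporting: the log format, endpoint path and run threshold are assumptions, and the sample lines are constructed. Only the `contactid` parameter name comes from the reports.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real data). Assumed format:
#   client_ip auth_subject "METHOD path" status   ("-" = no credentials sent)
SAMPLE_LOG = """\
203.0.113.7 - "GET /api/test/contacts?contactid=5000101" 200
203.0.113.7 - "GET /api/test/contacts?contactid=5000102" 200
198.51.100.20 user-481 "GET /api/test/contacts?contactid=7312290" 200
203.0.113.7 - "GET /api/test/contacts?contactid=5000103" 200
203.0.113.7 - "GET /api/test/contacts?contactid=5000104" 200
192.0.2.44 - "GET /api/test/contacts?contactid=88120" 200
203.0.113.7 - "GET /api/test/contacts?contactid=5000105" 200
192.0.2.44 - "GET /api/test/contacts?contactid=91377" 200
203.0.113.7 - "GET /api/test/contacts?contactid=5000106" 200
198.51.100.20 user-481 "GET /api/test/contacts?contactid=7312290" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<subject>\S+) '
    r'"GET \S*[?&]contactid=(?P<cid>\d+)\S*" (?P<status>\d{3})$'
)

def find_enumeration(log_text, min_run=5):
    """Return {client_ip: longest run of consecutive contactid values} for
    clients that sent no credentials, got 200s, and stepped the ID by 1."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Only unauthenticated, successful record fetches are of interest.
        if not m or m["subject"] != "-" or m["status"] != "200":
            continue
        ids_by_client[m["ip"]].append(int(m["cid"]))

    flagged = {}
    for ip, ids in ids_by_client.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur - prev == 1 else 1  # reset on any gap
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Any successful response to a request carrying no credentials is already the finding here; the run-length check only separates a systematic walk of the ID space from a one-off lookup.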
Optus has attempted to describe the incident as a sophisticated cyber attack, but the minister says it was actually very basic.
“Global cyber security experts do share my view about the nature of the attack,” Ms O’Neil said.
“I think [from] a telecommunications provider in this country we should expect to have better cybersecurity protections in place,” she said.
“It's a big wake-up call for corporate Australia, for everyone that holds data of Australians, and there's a big reform project here.”
She said the government needs to do more too.
“The truth is, the Australian government should have better powers to enforce cyber security provisions on private companies and that's something that I'll be looking to do in the wake of the attack,” Ms O'Neil said.
She said the data breach is also “a wake-up call” for the Australian government, and a possible sign that privacy laws “are not up to scratch”.
“We are probably five years behind where we need to be with cyber security in this country and (the) government is not immune from that,” the minister said.
“We're a decade behind on privacy measures.”
Ms O'Neil noted that in other countries, Optus would be subject to “hundreds of millions of dollars worth of fines” for the actions leading to the breach.