Optus has strongly denied that “human error” was a contributing factor in a data breach that inadvertently allowed cybercriminals to steal the personal data of millions of potential customers.
Key Points:
- An Optus source says a massive cyber attack likely exploited a flaw in the company’s IT system.
- Optus rejected claims that “human error” helped hackers breach the company’s defenses using a test network.
- Optus believes fewer customers have been affected than the 9.8 million in the “worst case scenario”.
A senior Optus figure has spoken to the ABC on condition of anonymity to offer confidential information about the first findings uncovered by the telco’s IT specialists.
“[It’s] still being investigated, however, this breach, like most, appears to be down to human error,” the Optus source told the ABC.
“[They] wanted to facilitate the integration of systems, to meet the two-factor authentication regulations of the industry watchdog, the Australian Communications and Media Authority (ACMA).”
The process allegedly involved opening up Optus’ customer identity database to other systems through what is known as an application programming interface (API), with the assumption that the API would only be used by authorized systems in the company.
“Finally, one of the networks it was exposed to was a test network that had access to the Internet.”
It is claimed this allowed access to the Optus network from outside the company.
Application programming interfaces allow different applications to talk to each other.
Optus told the ABC that suggestions the attack resulted from any form of human error were completely inaccurate, but insisted the “sophisticated” incident was still under investigation.
Today, the ABC asked Optus chief executive Kelly Bayer Rosmarin specific questions about whether human error involving the company’s API was behind the breach.
“I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and therefore we will not release details about it,” Bayer Rosmarin said at an online media briefing.
“Optus has very strong cyber defences, cyber security has a lot of focus and investment here and so this should serve as a wake-up call to all organisations: there are sophisticated criminals out there and we need all organisations to be alert.”
The ABC has been told Optus believes those responsible for the hack scraped the consumer database and about a third was successfully copied.
Ms Bayer Rosmarin has refused to specify how many customers have had their data breached, but the Optus CEO believes it is far below the “worst case scenario” of 9.8 million.
“We expect the figure to be considerably lower than that once we’ve worked through the information.”
Former AFP cyber expert says human error likely led to hack
Former Australian Federal Police officer and cyber security expert Nigel Phair said human error was a very likely contributing factor to the massive data breach.
“Organisations like Optus and many others like that have very good controls around firewalls and intrusion detection and that sort of thing,” Phair said.
“There has been a weakness somewhere, and invariably that weakness, as far as we’ve seen, is usually of a human.”
Phair, who now runs the Cyber Center at the University of New South Wales, said large companies like Optus have many different networks and applications that communicate with each other on those networks.
“So we build APIs so they can talk to each other, and that includes things like having a testnet where you can test a patch for an update or a security bug,” he explained.
“Because it’s a testnet, there’s invariably not the same amount of controls and security around it because it often just contains dummy data.
“Often, they’re facing the Internet because you need to get the patch or the update or whatever from a vendor or supplier over the Internet.
“So that could be a way that criminals have been able to get around and bypass otherwise very good security mechanisms.”