The recent data breach at Optus has once again highlighted the importance of cybersecurity for companies of all sizes. The leak of personal information belonging to millions of customers is a stark reminder of the constant threat of cyberattacks and of the need for companies to remain vigilant in protecting their data.
Following our previous article on the LastPass data breach, we now examine the details of the Optus data breach. Optus, an Australian telecommunications company, suffered a leak of customer information through an unprotected API, and we discuss the lessons that other companies can learn from this incident.
The Optus Breach
Optus is an Australian telecommunications company with over 10 million subscribers: it’s the second-largest wireless carrier in the country.
Details of this breach remain vague, but it is believed to have been caused by an unsecured Application Programming Interface (API) that Optus had exposed for testing purposes. The endpoint required no username, password or any other credential, so it was open to anyone on the Internet who managed to locate it. From there, the attacker was able to retrieve the customer records the company stored behind it.
This breach was massive, with 9.8 million current and former Optus customers impacted (or over a third of Australia’s total population) and 2.1 million suffering compromises of highly sensitive information, including license and passport numbers.
Optus now faces millions of dollars in fines as the Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC) investigate.
What steps could Optus have taken to prevent the breach?
The most obvious first step Optus could have taken to prevent the breach is to make sure that none of its critical APIs were reachable from the public Internet. An API that gives access to sensitive data should be private. Not all APIs need to be: some of Google's APIs, such as the Google Maps API, are public, but they are isolated from Google's internal systems and do not expose sensitive data.
The fact that this test API gave access to real customer data is itself a flaw. Combined with the absence of any access control, not even a username and password, it meant the attacker had no trouble reading the underlying records. Requiring every caller to authenticate, ideally with multi-factor authentication, would likely have stopped this attack. Access controls must be implemented even when an API is only used for testing.
Finally, Optus used incrementing customer identifiers for each record in the database. Good practice is to use unique, unpredictable identifiers that bear no relationship to one another. In the Optus system, however, consecutive customer identification numbers differed by exactly 1. This is ideal for an attacker: stealing millions of records was as simple as writing a script that requested each customer record in turn, incrementing the contactID by one each time. Note that unpredictable identifiers only make enumeration harder; they are no substitute for checking, on every request, that the authenticated caller is entitled to the record it asks for.
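The following Python is an added example, not code from the article and not Optus' own API: a toy customer-lookup service showing the two defects described above (no authentication, and records selected by a sequential integer) next to a hardened version that requires a bearer token, uses random UUIDs as public identifiers, and returns the same 404 whether a record does not exist or simply does not belong to the caller. The customer records, the in-memory session store and the function names are all constructed for illustration.

```python
from __future__ import annotations

import secrets
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    contact_id: int   # sequential integer, the pattern described for Optus
    public_id: str    # random UUID, the identifier the hardened API accepts
    name: str
    passport: str


# Constructed sample records: contact IDs differ by exactly 1.
CUSTOMERS = [
    Customer(1000 + i, str(uuid.uuid4()), f"customer-{i}", f"PA{i:07d}")
    for i in range(5)
]
BY_CONTACT_ID = {c.contact_id: c for c in CUSTOMERS}
BY_PUBLIC_ID = {c.public_id: c for c in CUSTOMERS}


class ApiError(Exception):
    """Stands in for an HTTP error response."""

    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


# ---- Vulnerable endpoint: no credential, record chosen by a guessable integer
def vulnerable_get_customer(contact_id: int) -> dict:
    c = BY_CONTACT_ID.get(contact_id)
    if c is None:
        raise ApiError(404)
    return {"name": c.name, "passport": c.passport}


def enumerate_vulnerable(start: int, count: int) -> list[dict]:
    """The attacker's loop: try start, start+1, ... and keep whatever comes back."""
    leaked = []
    for cid in range(start, start + count):
        try:
            leaked.append(vulnerable_get_customer(cid))
        except ApiError:
            pass
    return leaked


# ---- Hardened endpoint: authenticate the caller, then authorise the record
# Assumed session store: bearer token -> public_id of the customer it was issued to.
# A real service would verify a signed token (OAuth/JWT) instead of a dict lookup.
SESSIONS: dict[str, str] = {}


def issue_token(public_id: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = public_id
    return token


def hardened_get_customer(bearer_token: str | None, public_id: str) -> dict:
    if bearer_token is None or bearer_token not in SESSIONS:
        raise ApiError(401)  # authentication failed: we do not know who is asking
    caller = SESSIONS[bearer_token]
    c = BY_PUBLIC_ID.get(public_id)
    # Same 404 for "no such record" and "not your record": the response must
    # not tell an attacker which identifiers exist.
    if c is None or c.public_id != caller:
        raise ApiError(404)
    return {"name": c.name, "passport": c.passport}


def enumerate_hardened(bearer_token: str | None, candidate_ids: list[str]) -> list[dict]:
    """The same attacker loop run against the hardened API."""
    leaked = []
    for pid in candidate_ids:
        try:
            leaked.append(hardened_get_customer(bearer_token, pid))
        except ApiError:
            pass
    return leaked


def demo() -> dict:
    """Run both attacks and report how many records each one leaks."""
    own = CUSTOMERS[0]
    token = issue_token(own.public_id)
    all_ids = [c.public_id for c in CUSTOMERS]  # attacker somehow knows every UUID
    return {
        "vulnerable_leaked": len(enumerate_vulnerable(1000, 50)),     # every record
        "no_token_leaked": len(enumerate_hardened(None, all_ids)),    # 0: 401 on all
        "with_token_leaked": len(enumerate_hardened(token, all_ids)), # 1: only own
        "own_record": hardened_get_customer(token, own.public_id)["name"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `enumerate_hardened` is that even an attacker who has obtained every public identifier gets nothing without a token and only their own record with one: the ownership check, not the random identifier, is what stops the enumeration. In a real deployment the same endpoint would also sit behind rate limiting and alerting on bursts of 404s from one client, which is how this kind of scripted walk through the ID space shows up in logs.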
These ongoing data breaches have repeatedly demonstrated the importance of developing an internal data protection strategy. As an industry leader, Advantio continues to invest in advanced technology, implement robust security policies, and educate its clients about disaster recovery.
Find out how you can strengthen your company’s cybersecurity measures and data protection.
Talk to our experts today.
Read our articles from the ongoing series: Data Breaches from 2022