How Australia responded rapidly to Optus breach
When a late-night Optus message pinged the Australian Signals Directorate, it triggered a massive behind-the-scenes response.
It was late on Wednesday, September 21, when a message pinged into the Australian Signals Directorate.
The shadowy organisation, first formed to crack Japanese radio messages in World War II but now the Australian government’s frontline cyber security agency, runs a 24/7 “watch operations centre” in Canberra scanning for cyber attacks.
The message to the watch centre that night was from telecommunications company Optus, reporting it had been the victim of a cyber attack.
A cyber intruder, apparently calling themselves Optusdata, had got into the telco’s database and stolen the personal information of almost 10 million current and former customers, about 40 per cent of the Australian population.
The message from Optus to the ASD kicked off a massive behind-the-scenes response from the government, as it became obvious that the personal data of millions of Australians was potentially about to hit the dark web, some of it enough to meet the 100-point identification threshold that would let criminals steal identities.
“Think what you can do with it, you can catfish (steal identities on social media), get credit cards, get loans, potentially open bank accounts,” one source tells The Weekend Australian.
It was also possible the data could be purchased by a state actor – government-sanctioned spies – with data-hungry countries such as China always trying to access massive databases to feed their enormous monitoring and espionage programs.
The breach, announced publicly on Thursday, September 22, prompted multiple arms of the Australian government to shift into high gear, led by the ASD and Australian Cyber Security Centre. The departments of Home Affairs, Attorney-General, Prime Minister and Cabinet, Social Services and Foreign Affairs and Trade, along with the Australian Federal Police, the Australian Communications and Media Authority and the little-known Cyber Infrastructure and Security Centre were all involved. Twice-daily meetings were convened.
Apart from the immediate need to protect people’s identities, try to stop the data circulating on the dark web, and catch the cyber-criminals, the saga raised questions about why Optus was hoarding the data in the first place.
It has also highlighted failures in Australia’s privacy laws, exposed the tangle of regulations the nation’s critical infrastructure assets are subjected to, and raised questions about why the laws hadn’t stopped Optus from leaving a gap in its systems for cyber-burglars to enter.
“It’s definitely tested the regulatory environment and showed us where the holes are,” said Rob Potter, a cyber security expert and co-founder of Internet 2.0.
As well as its customers, Optus has obligations to the Australian Stock Exchange and the Australian Prudential Regulation Authority, and is governed by numerous pieces of legislation relating to telecommunications and privacy, along with the critical infrastructure laws, the latest legislation designed to stop cyber-breaches such as this one.
The saga is being closely watched by the business community.
“I think every CEO in Australia has asked their IT team ‘could this happen to us?’,” Potter says.
“Every board member too. They’re ringing cyber-vendors, saying ‘my IT team is telling me everything is great’ but Optus’s IT team was probably telling them the same thing.”
Optus is not the first organisation to suffer a cyber attack and it won’t be the last. Chinese state spies are thought to have had eyes inside the federal parliamentary email system for six months in 2018-19. Transport giant Toll was hit twice and had to suspend parts of its business in 2020, and its flat-footed response was what led the former government to introduce the critical infrastructure laws that require companies to call in the ASD – or risk arrest and the ASD seizing control of their systems.
The Australian has been told Optus called the ASD “reasonably quickly, within 24 hours” to ask for assistance late on September 21; the company quickly closed the exposed application programming interface (API) and, by September 23, the Australian Federal Police and the US Federal Bureau of Investigation had launched a full-scale investigation, sending their cyber investigators looking for the hacker and any potential buyers of the data in all the nooks and crannies of the dark web.
Optusdata posted the details of 10,000 customers online and threatened to release 10,000 more every day unless Optus coughed up $1.5m.
On Monday, September 26, at 4.10pm, the AFP issued a statement warning cyber hackers “you can’t see us but … we can see them”.
Three days later, the apparent hacker deleted the 10,000 identities they’d posted, dropped the ransom demand and apologised, saying: “Too many eyes. We will not sale (sic) data to anyone. We can’t if we even want to: personally deleted data from drive (only copy).”
But the data had already been secretly copied by others, and remains floating around on the dark web, a difficult-to-access part of the internet that most people never find, but which is used to sell stolen identities, credit-card numbers, drugs and child abuse material.
The information stolen from Optus customers includes names, dates of birth, home addresses and emails, and, in the case of 2.8 million customers, driver’s licence and/or passport numbers. Some have had their Medicare numbers stolen.
The hack did not affect the company’s network, shut down phone or internet services, or stop people communicating. It did not gain access to customers’ payment or banking details.
Home Affairs Minister Clare O’Neil was told about the breach on the night of September 21, and given further information the next day as she flew early to Canberra for the memorial service for the Queen.
O’Neil was apparently furious when she heard how easy it had been for the cyber intruder to access the data, and has publicly disputed Optus’s claims it was a sophisticated attack, saying it was “basic”, and akin to “effectively leaving a window open” for a burglar to climb into.
Others in government were infuriated when Optus, which had been open with its customers on day one, began to retreat, and claimed it could not comment on some aspects of the hack due to the police investigation.
“They were trying to use us and the criminal inquiry as a human shield,” The Australian was told.
Optus has declined to answer a number of questions that cyber experts say need clarifying.
The company will not say when it notified the ASD, whether every affected customer has now been informed, or why the data published by the apparent hacker was unencrypted despite Optus saying its data was encrypted. (Encryption of data at rest offers no protection against a request that the application itself treats as legitimate: an API that returns customer records to any caller hands them over already decrypted.)
It also will not say when it discovered the attack, or when it believed the hackers first gained access.
Optus data was being offered for sale on the dark web on September 17, raising the possibility that the hacker had been in the telco’s systems for days or weeks, or that there had been other attacks.
“The average dwell time for a really good bad guy is over 180 days,” Potter says, referring to the amount of time sophisticated hackers usually spend inside infiltrated systems before being detected.
“That’s the time until they reach the threshold of detection.’’
He thinks it likely the hacker spent time undetected, probing Optus’s system before beginning the massive download of 9.8 million customer records, which probably triggered Optus’s IT cyber alert systems.
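The detection point Potter describes, a bulk pull of customer records tripping an alert only after millions of rows have left, and the “open” API mentioned earlier are two sides of the same failure: a customer-record endpoint that answers unauthenticated, sequentially numbered requests should fire an alert at the first few dozen reads, not at the 9.8 millionth. The following is an added example, not Optus’s code, logs or API, illustrating three such checks over constructed access-log lines. The log format, the `/api/customer/<id>` endpoint, the client addresses and the thresholds are all assumptions made for the illustration.

```python
"""Added example (not Optus's code or logs): flag bulk enumeration of a
customer-record API from constructed access-log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical log format: "<iso-ts> <client-ip> <method> <path> <status> auth=<none|bearer>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\w+)$"
)
# Hypothetical endpoint; the numeric segment is the customer record identifier.
RECORD_RE = re.compile(r"^/api/customer/(?P<id>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    r = RECORD_RE.match(rec["path"])
    rec["record_id"] = int(r.group("id")) if r else None
    return rec


def detect_enumeration(lines, window=timedelta(seconds=60), volume_threshold=25, run_threshold=10):
    """Return a list of (client_ip, reason) alerts over successful record reads.

    Three independent signals, each of which fires long before a whole table leaves:
      - unauth:     a customer record served (HTTP 2xx) with no credential at all
      - volume:     more than volume_threshold record reads from one client inside `window`
      - sequential: a run of run_threshold or more reads whose IDs increase by exactly one
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["record_id"] is not None and 200 <= rec["status"] < 300:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if any(r["auth"] == "none" for r in recs):
            alerts.append((ip, "unauth"))
        # Sliding window over timestamps: count reads within `window` of each other.
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > volume_threshold:
                alerts.append((ip, "volume"))
                break
        # Longest run of consecutive record IDs, the signature of walking an ID space.
        run, best = 1, 1
        for prev, cur in zip(recs, recs[1:]):
            run = run + 1 if cur["record_id"] == prev["record_id"] + 1 else 1
            best = max(best, run)
        if best >= run_threshold:
            alerts.append((ip, "sequential"))
    return alerts


def sample_log():
    """Constructed log lines: one normal authenticated client plus one scraper."""
    base = datetime(2022, 9, 17, 2, 14, 0)
    lines = [
        "2022-09-17T02:13:40Z 198.51.100.5 GET /api/customer/4471 200 auth=bearer",
        "2022-09-17T02:13:52Z 198.51.100.5 GET /api/customer/9120 200 auth=bearer",
        "2022-09-17T02:14:05Z 198.51.100.5 GET /api/customer/4471 200 auth=bearer",
    ]
    for i in range(30):  # one unauthenticated client walking IDs 1000001..1000030
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 203.0.113.7 GET /api/customer/{1000001 + i} 200 auth=none")
    return lines


if __name__ == "__main__":
    for ip, reason in detect_enumeration(sample_log()):
        print(f"ALERT {reason}: {ip}")
```

Run against the constructed log, the authenticated client raises nothing, while the scraper trips all three checks within its first half-minute. Of the three, the `unauth` signal is the one that needs no tuning: a record endpoint that ever returns 2xx with no credential is a finding on its own, regardless of volume.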
Optus has offered credit monitoring to affected customers, and agreed, after several days of negotiations, to pay for the replacement of ID documents.
Some have compared Optus’s response unfavourably to how NAB handled a data breach in 2019, when the details of 13,000 customers were exposed by an employee uploading data to an external spreadsheet website.
The bank immediately advised customers through a call centre, text messages, internet banking and email, paid a small amount of compensation totalling $686,878 to its customers, paid for new passports and driver’s licences for a smaller number of customers who had lost more data, and provided funding to cover credit monitoring.
It admitted it was at fault, saying “insufficient technical control’’ was in place, sacked the staffer who uploaded the data, and called in the Australian Cyber Security Centre and the Office of the Australian Information Commissioner along with three cyber-intelligence experts.
Optus’s breach is much larger and the potential cost of responding as NAB did would be eye-watering. Still, what price to pay for restoring its reputation?
“No one remembers the hack. They just remember how you responded to it,” one veteran Canberra operative said.
“Don’t call it a hack,’’ another government official said. “It’s a breach.”