Preliminary investigations by Optus suggest an error by an IT programmer may have inadvertently allowed cyber criminals to steal personal details of potentially millions of customers.
- An Optus source says a massive cyber attack likely exploited a flaw in the company’s IT system
- An early investigation suggests hackers were able to breach Optus through a test network
- Optus believes fewer customers than the 9.8 million “worst case scenario” have been affected
A senior figure inside Optus has spoken to the ABC on the condition of anonymity to offer confidential insights into the early findings uncovered by the telecommunication company’s IT specialists.
“[It’s] still under investigation, however, this breach, like most, appears to come down to human error,” the Optus insider told the ABC.
“[They] wanted to make integrating systems easier, to satisfy two-factor authentication regulations from the industry watchdog, the Australian Communications and Media Authority (ACMA).”
The process allegedly involved opening up the Optus customer identity database to other systems via what’s known as an Application Programming Interface (API), on the assumption that only authorised company systems would ever be able to reach it.
“Eventually one of the networks it was exposed to was a test network which happened to have internet access.”
If so, the API, and the customer data behind it, could be reached from outside the company.
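The design weakness the insider describes, an API that treats network reachability as authorisation, can be shown in a few lines. The following is an added illustration, not Optus code and not a description of any actual Optus system: a minimal customer-lookup endpoint that serves a full record to anyone who can route to it, beside a version that checks which system is calling on every request and returns only the fields that system needs (a two-factor service needs a contact number, not a date of birth or licence number). The caller names, keys, paths and customer records are all constructed for the example.

```python
"""Added example: an internal lookup API that trusts its network versus one
that authenticates each caller. Not Optus code; all names and data are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample records for the illustration only; not real customer data.
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1990-01-01",
             "phone": "+61400000001", "licence": "X1234567"},
    "1002": {"name": "B. Example", "dob": "1985-06-15",
             "phone": "+61400000002", "licence": "X7654321"},
}


@dataclass
class Request:
    """Just enough of an HTTP request for the two handlers below."""
    path: str
    headers: dict = field(default_factory=dict)


def lookup_trusting_network(req: Request):
    """Weak design: no caller check at all.

    Being able to reach the endpoint is treated as being authorised, so any host
    that can route to it, including one on a test network that happens to have
    internet access, receives the complete record.
    """
    cid = req.path.rsplit("/", 1)[-1]
    rec = CUSTOMERS.get(cid)
    return (200, dict(rec)) if rec else (404, None)


# Hardened design: every calling system has its own secret and an allow-list of
# the fields it is permitted to read. Hypothetical caller names and keys.
CALLERS = {
    "2fa-service": {"key": b"2fa-secret-key", "fields": {"phone"}},
    "billing": {"key": b"billing-secret-key", "fields": {"name", "phone"}},
}


def sign(caller: str, path: str) -> str:
    """How a legitimate caller signs a request: HMAC-SHA256 of the path under its key.

    A production scheme would also bind a timestamp or nonce (or use mTLS) so a
    captured signature cannot be replayed; that is left out to keep the example short.
    """
    return hmac.new(CALLERS[caller]["key"], path.encode(), hashlib.sha256).hexdigest()


def lookup_authenticated(req: Request):
    """Hardened handler: verify who is calling, then return only what they need."""
    caller = req.headers.get("X-Caller", "")
    presented = req.headers.get("X-Signature", "")
    entry = CALLERS.get(caller)
    if entry is None:
        return (401, None)  # unknown system, regardless of where the packet came from
    expected = hmac.new(entry["key"], req.path.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return (401, None)  # wrong key, or signature made for a different path
    cid = req.path.rsplit("/", 1)[-1]
    rec = CUSTOMERS.get(cid)
    if rec is None:
        return (404, None)
    # Least privilege: the caller's allow-list decides which fields leave the database.
    return (200, {k: v for k, v in rec.items() if k in entry["fields"]})


if __name__ == "__main__":
    path = "/customers/1001"
    print("trusting network:", lookup_trusting_network(Request(path)))
    print("no credentials:  ", lookup_authenticated(Request(path)))
    ok = Request(path, {"X-Caller": "2fa-service", "X-Signature": sign("2fa-service", path)})
    print("2fa-service:     ", lookup_authenticated(ok))
```

The point of the contrast is that the hardened handler behaves identically whether the request arrives from a production host, a test network or the open internet: without a recognised caller and a valid signature for that exact path it returns 401, and even a valid caller only ever sees its allow-listed fields.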
Optus told the ABC suggestions the attack stemmed from human error were inaccurate, but conceded the incident was still under investigation.
Earlier today, the ABC put specific questions to Optus CEO Kelly Bayer Rosmarin about whether human error involving the company’s API was behind the breach.
“I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and so we will not be divulging details about that,” Ms Bayer Rosmarin told an online media briefing.
“Optus has very strong cyber defences, cyber security has a lot of focus and investment here and so this should serve as a warning call to all organisations: there are sophisticated criminals out there and we really need all organisations out there to be on alert.”
The ABC has been told Optus believes those behind the intrusion scraped the consumer database and about one third was successfully copied.
Ms Bayer Rosmarin has declined to specify how many customers have had their data breached, but the Optus CEO believes it’s much lower than the “worst case scenario” of 9.8 million.
“We expect the number to be considerably less than that once we’ve worked through the information.”
Former AFP cyber expert says human error likely led to hack
Former Australian Federal Police officer and cyber security expert Nigel Phair said human error was a very likely contributing factor in the massive data breach.
“Organisations like Optus and many others of that ilk have really good controls around firewalls and identification of intrusions and that type of thing,” Mr Phair said.
“There’s been a weakness somewhere and invariably that weakness, from what we’ve seen normally, is from a human.”
Mr Phair, who now runs the Cyber Centre at the University of New South Wales, said big companies such as Optus have many networks and different applications that talk to each other in those networks.
“So, we build APIs so that they can talk to each other, and that includes things like having a test network where you might test a patch for an upgrade or a security flaw,” he explained.
“Because it’s a test network, invariably there’s not the same amount of controls and security around it because often it only has dummy data in it.
“Often, they’re internet-facing because you need to get the patch or the upgrade or whatever it might be off a vendor or supplier via the internet.
“So that could be a way where the criminals have been able to work their way through and bypass what is otherwise very good security mechanisms.”