PaCSON and Optus data breach
1 October, 2022, 5:29 pm
This week the Pacific Cyber Security Operations Network (PaCSON) organisation held their AGM at the Grand Pacific Hotel (GPH) in Suva.
PaCSON membership is mostly made up of Pacific regional governments with some partners.
I was invited to a meeting with the Australian Department of Foreign Affairs and Trade (DFAT) officials attending, to discuss cybersecurity matters of mutual concern and mainly for dissemination of information.
It went well but I’m still taken aback by the lack of co-ordination between all these governments and regional/international agencies in cyber capacity building in the Pacific.
They even had representatives from the Global Forum on Cyber Expertise (GFCE) who have recently set up their Pacific Hub to also address cyber capacity building in the Pacific.
Without proper direction they may also be duplicating efforts by development partners in the Pacific.
Don’t get me wrong, I’m all for cyber capacity building but what do we really need in the Pacific island countries?
Where do we prioritise and how does it fall into nation building, economic development and climate change – considered the biggest national security threat for PICs?
While this may be a matter of government policies and lies way outside my purview at present, I must mention this to put a perspective to national, regional and global policy priorities.
Anyway, in my meeting earlier this week with Australian DFAT reps, we did briefly touch on the recent Australian Optus (telecommunications service provider) cyberattack and data breach and while details were scarce, I mentioned that privacy (and laws) had been breached with the data breach and more details are now coming to light in recent days.
According to various news reports including the Daily Mail, ABC and others, Optus customers past (from 2017) and present have potentially had their personal addresses, dates of birth, Medicare details, passport details, drivers licences, phone numbers and email addresses stolen in possibly Australia’s largest data breach to date.
Optus CEO Kelly Bayer Rosmarin described the cyberhack as a ‘sophisticated attack’ that compromised the records of 9.8 million people in the ‘absolute worst case scenario’.
However, tech expert and editor of EFTM.com Trevor Long said he wouldn’t call the data breach a ‘hack’ as the telco company’s security was ‘just not good enough’.
Apparently the hacker contacted Optus indirectly and advised that its cybersecurity was lax, explaining how he was able to bypass security measures through fairly basic cybersecurity probes.
Mr Long explained the hacker was able to find the address of the telco’s central computer containing the database of customer records and information.
The hacker, known as ‘Optushack’, allegedly requested the records and was given access to the information without having to provide authentication or a password.
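The failure mode described above, a customer-records endpoint that hands out a record to anyone who asks for it, is easiest to understand next to what a minimally hardened handler looks like. The code below is an added illustration written for this column, not Optus's system or code; the records, the endpoint, the API key and the principal name are all constructed. It shows the unauthenticated lookup beside a version that requires a bearer token, rate-limits each caller, and keeps an audit log so that failed authentication and bulk enumeration can be alerted on.

```python
"""Added example: unauthenticated record lookup beside a hardened handler.
Hypothetical code; nothing here is Optus's system. All data is constructed."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data standing in for a customer-records store.
# Sequential identifiers are deliberate: they are what makes an
# unauthenticated endpoint trivially enumerable.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "licence": "LIC-0001"},
    1002: {"name": "B. Example", "dob": "1975-06-30", "licence": "LIC-0002"},
    1003: {"name": "C. Example", "dob": "1990-12-12", "licence": "LIC-0003"},
}


def lookup_insecure(customer_id):
    """The failure mode: whoever reaches the endpoint gets the record."""
    return CUSTOMERS.get(customer_id)


def _digest(secret):
    """Store and compare key digests rather than plaintext keys."""
    return hashlib.sha256(secret.encode()).hexdigest()


class RecordsService:
    """Hardened handler: bearer-token authentication, per-principal
    rate limiting, and an audit log a SOC can alert on."""

    def __init__(self, api_keys, max_lookups_per_minute=30):
        # api_keys: {principal_name: plaintext_key}; only digests are kept.
        self._keys = {name: _digest(key) for name, key in api_keys.items()}
        self._limit = max_lookups_per_minute
        self._window = defaultdict(deque)  # principal -> recent request times
        self.audit = []  # (time, event, principal, customer_id)

    def _authenticate(self, auth_header):
        """Return the principal name for a valid 'Bearer <key>' header, else None."""
        if not auth_header or not auth_header.startswith("Bearer "):
            return None
        presented = _digest(auth_header[len("Bearer "):])
        for name, stored in self._keys.items():
            if hmac.compare_digest(presented, stored):  # constant-time compare
                return name
        return None

    def _over_limit(self, principal, now):
        """Sliding 60-second window; True once the principal exceeds the limit."""
        q = self._window[principal]
        while q and now - q[0] > 60:
            q.popleft()
        q.append(now)
        return len(q) > self._limit

    def lookup(self, customer_id, auth_header, now=None):
        """Return (http_status, record_or_None), logging every outcome."""
        now = time.time() if now is None else now
        principal = self._authenticate(auth_header)
        if principal is None:
            self.audit.append((now, "auth_failed", None, customer_id))
            return 401, None
        if self._over_limit(principal, now):
            self.audit.append((now, "rate_limited", principal, customer_id))
            return 429, None
        record = CUSTOMERS.get(customer_id)
        event = "lookup" if record else "not_found"
        self.audit.append((now, event, principal, customer_id))
        return (200, record) if record else (404, None)

    def failed_auth_count(self):
        """How many requests arrived with no valid credential."""
        return sum(1 for _, ev, _, _ in self.audit if ev == "auth_failed")

    def suspicious_principals(self):
        """Principals that hit the rate limit: bulk-enumeration candidates."""
        return sorted({p for _, ev, p, _ in self.audit if ev == "rate_limited"})


if __name__ == "__main__":
    svc = RecordsService({"billing-app": "constructed-key-123"}, max_lookups_per_minute=5)
    print("insecure:", lookup_insecure(1001))
    print("no token:", svc.lookup(1001, None))
    for cid in range(1001, 1008):
        print(cid, svc.lookup(cid, "Bearer constructed-key-123", now=1000.0)[0])
    print("unauthenticated attempts:", svc.failed_auth_count())
    print("rate-limited principals:", svc.suspicious_principals())
```

The `audit` list stands in for whatever log pipeline an organisation actually runs; the two summary methods show the kind of signal (credential-less requests, one caller walking sequential identifiers) that should page someone long before millions of records have left the building.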
He also claims to have accessed over 11 million personal records, which does not quite tally with the Optus official figure.
Mr Long has labelled the lack of security, if true, a ‘fundamental flaw’ in Optus’ cybersecurity defences, but this borders on pure negligence in my opinion. Although I might sound like a broken record, organisations, especially those holding people’s personal private data, need to be more responsible for securing it, with harsher penalties for breaches.
Although the Australian Minister responsible is taking Optus to task with demands for payment of replacement passports and other documentation, the reality is that one cannot replace the feeling of violation the victims are experiencing through no fault of their own.
I mean, I sign up for my Fiji mobile phone/bank/tax online with the understanding that my data and privacy are safeguarded under the most stringent processes and procedures, backed by appropriate legislation and regulations and, obviously, security-compliant computer hardware/software network infrastructure.
Anything less is not acceptable and should be punishable under law.
Mr Long said Optus needs to have a ‘look at themselves’ as he believes the data was not encrypted despite the telco company claiming it was.
This is hearsay but unless the regulations say otherwise, well good luck on that one.
“It’s like someone with a really large home going on holiday. They lock every door and every window but unfortunately those locks were either picked or left slightly ajar,” Mr Long said.
Let me clarify, no one is doubting Optus has security but unfortunately the security wasn’t good enough this time.
Most importantly, Optus says the data was encrypted but I don’t believe it was.
For a hacker to get access to the information and decrypt it is in and of itself an even bigger deal.
The hacker also claimed they would’ve told the telco about their vulnerability but there was no way of getting in touch with them.
In fact the hacker was mentioning a bug bounty, indicative of a non-malicious hacker (white/grey hat), and even the eventual ransom demand of $US1 million ($F2.3m) indicates this, with the hacker mentioning Optus’ annual revenue of $9 billion.
The extraordinary backflip comes hours after the cybercriminal threatened to release another 10,000 records every day for the next four days if a $A1.5m ($F2.24m) ransom was not paid.
The customer records the hacker has released so far included passport, drivers licence and Medicare numbers, as well as dates of birth and home addresses.
The hacker wrote they couldn’t delete more data even if they wanted to because they had ‘personally deleted data from drive’ which they claim is the only copy.
Mr Long said the event was a reminder that strong personal security is needed and urged.
The data breach, which ranks as one of Australia’s largest ever, is under investigation by the Australian Federal Police and the US FBI (by invitation).
Australian Home Affairs and Cyber Security Minister Clare O’Neil said the government was looking to work with financial regulators and the banking sector to see what steps could be taken to protect affected customers.
“One significant question is whether the cyber security requirements we place on large telecommunications providers in this country are fit for purpose,” Ms O’Neil said.
“In other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.”
Australian Prime Minister Anthony Albanese said the data breach was a ‘huge wake-up call’.
As the government prepares to introduce new cybersecurity measures, Mr Albanese said the new protections would mean banks and other institutions would be informed much faster when a breach happened so personal data could not be used.
Let us hope that we in Fiji do not suffer such a major breach in cybersecurity of our personal data records.
I’m still sceptical of the data breach (possible ransomware attack) of government ITC services in April 2021, with possible data breaches on government records including the BDM (Birth/Death/Marriage) database but without evidence or more details I won’t speculate further.
As some IT geek rightly observed: ‘If you’re a good hacker everyone will know you, but if you’re a great hacker no one will know you’.
God bless and stay safe in both digital and physical worlds this weekend.
• ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com