Dive Brief:
- The personal data of up to 10 million people was compromised by a cyberattack against Optus, Australia’s second-largest wireless network operator. The major breach effectively puts all of Optus’ mobile customers at risk.
- The company said it discovered the breach on Wednesday and moved quickly to contain the damage, but not before customer names, dates of birth, phone numbers, email addresses, IDs and passport numbers were compromised.
- Optus services were not affected and Australian authorities are assisting with an ongoing criminal investigation into the attack, the company said.
Dive Insight:
Critical infrastructure systems, including telecom networks, frequently grapple with cyberthreats, as evidenced by a recent spate of attacks.
The Los Angeles school district earlier this month was hit by a potentially disastrous ransomware attack, the implications of which are still playing out. T-Mobile continues to deal with the consequences of a 2021 cyberattack that exposed personal data of at least 76 million people.
The Cybersecurity and Infrastructure Security Agency has placed special emphasis on critical infrastructure and is progressing on the development of cyber incident reporting mandates as part of that effort.
Optus said it’s confident the attack was carried out by a sophisticated threat actor, but a senior executive, speaking anonymously, told the Australian Broadcasting Company that early results from an internal investigation indicate human error is to blame.
System integrations required to satisfy two-factor authentication regulations exposed Optus’ customer database via APIs, and those efforts unwittingly exposed data on a test network compromised by the threat actor, the source told the ABC.
Optus said it’s beginning to inform customers who might be impacted by the attack, but asserts that no financial information or passwords were compromised.
CEO Kelly Bayer Rosmarin, in a televised interview with Sky News Australia, said the company is being careful not to divulge too much information publicly. “We don’t want to create the possibility of phishing incidents or bad actors getting in front of what we’re doing,” she said.
Customers are being warned not to click on any suspicious links in emails or text messages.
Bayer Rosmarin declined repeated requests to confirm whether personal customer data was encrypted and said the ongoing investigation precludes the company from sharing more details.
“We have strong cybersecurity controls in place. We thwart thousands of attacks every year, every day, and we’re devastated that this could occur,” she said. “It’s a good warning to all organizations that even if you have strong cyber capabilities, dedicated focus and investment in this area, there are sophisticated actors out there.”
Optus has yet to publicly name the cybercriminals behind the attack and Bayer Rosmarin said it’s too early to rule out any scenarios with respect to how the attack occurred.