Optus must hire checkbox champion after epic router, voicemail borking

No fine as hundreds of thousands of customers affected


Optus has escaped a financial penalty imposed by Australia's privacy boss and instead must review its internal security measures after it shipped hundreds of thousands of routers with open internet ports and default credentials, left voicemails open, and made public scores of private phone numbers.

The order, billed as an 'enforceable undertaking', calls for Australia's second-biggest telco to review its processes after a series of dangerous yet unsettlingly common breaches since 2013.

It is the first undertaking since the Privacy Act reforms hit in March 2014, when they were upgraded to offer a maximum financial penalty of AU$1.7 million for the worst offenders.

Privacy Commissioner Timothy Pilgrim says in a statement the undertaking is appropriate given Optus voluntarily reported the breaches.

"I appreciate the positive way in which Optus worked with our office to address these incidents," Pilgrim says.

"I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act."

Optus was sent to the naughty corner for a 2013 website coding error that placed 122,000 private numbers in the White Pages phone book; for shipping, from 2008, 300,000 borked Cisco and Netgear modems that exposed management ports and contained default access credentials; and for a failure to slap passwords on voicemail, which allowed spoofers to listen to messages for about 100,000 customers.

The security balls-ups were disclosed last year.

A third-party auditor, armed hopefully with more than a suitable clipboard and checkbox, will examine Optus' penetration testing and vulnerability discovery processes as they relate to personal information, and the risk that its change management could introduce bugs.

The investigation would, this reporter hopes, be a redundant request for something Optus should have commenced immediately after the breaches.

Optus will supply the terms of the audit to Pilgrim before it kicks off and will need to implement any recommendations within 18 months.

More than 100 organisations had voluntarily reported breaches to the office since the reforms took effect, Pilgrim revealed earlier this month. He said he was pleased with the overall response and added that breached organisations would save money if they acted on their own initiative rather than waited for the office to kick in doors.

It is unclear what level of misery Optus would need to inflict on its customers to warrant the pursuit of financial penalties, or whether the inclusion of the Netgear and Cisco borking should put telcos on notice given the current state of SOHO router security. ®

Biting the hand that feeds IT © 1998–2020