Optus must hire checkbox champion after epic router, voicemail borking

No fine as hundreds of thousands of customers affected


Optus has escaped a financial penalty imposed Australia's privacy boss and instead must review its internal security measures after it shipped hundreds of thousands of routers with open internet ports and default credentials, opened voice mails, and marked public scores of private phone numbers.

The order billed as an 'enforceable undertaking' calls for the Australia's second-biggest telco to review its processes after a series of dangerous yet unsettlingly common breaches since 2013.

It is the first undertaking since the Privacy Act reforms hit in March 2014, when they were upgraded to offer a maximum financial penalty of AU$1.7 million through for the worst offenders.

Privacy Commissioner Timothy Pilgrim says in a statement the undertaking is appropriate given Optus voluntarily reported the breaches.

‘I appreciate the positive way in which Optus worked with our office to address these incidents," Pilgrim says.

"I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act."

Optus was sent to the naughty corner for a 2013 website coding error that placed 122,000 private numbers in the White Pages phone book; for from 2008 shipping 300,000 borked Cisco and Netgear modems that exposed management ports and contained default access credentials, and a failure to slap passwords on voicemail which allowed spoofers to listen to messages for about 100,000 customers.

The security balls-ups were disclosed last year.

A third party auditor armed hopefully with more than a suitable clipboard and checkbox will examine Optus' penetration testing and vulnerability discovery processes, as it relates to personal information, and the risk that its change management could introduce bugs.

The investigation would this reporter hopes be a redundant request for something Optus should have commenced immediately after the breaches.

Optus will supply the terms of audit to Pilgrim before it kicks off and will need to implement any recommendations within 18 months.

More than 100 organisations had voluntarily reported breaches to the office since the reforms took effect, Pilgrim revealed earlier this month. He said he was pleased with the overall response and added breached organisations would save money if they acted on initiative rather than wait for the office to kick in doors.

It is unclear what level of misery Optus would need to inflict on its customers to warrant the pursuit of financial penalties, or if the inclusion of the Netgear and Cisco borking should put telcos on notice given the current state of router SOHO security. ®

Similar topics


Other stories you might like

  • City-killing asteroid won't hit Earth in 2052 after all
    ESA ruins our day with some bad news

    An asteroid predicted to hit Earth in 2052 has, for now, been removed from the European Space Agency's list of rocks to be worried about.

    Asteroid 2021 QM1 was described by ESA as "the riskiest asteroid known to humankind," at least among asteroids discovered in the past year. QM1 was spotted in August 2021 by Arizona-based Mount Lemmon observatory, and additional observations only made its path appear more threatening.

    "We could see its future paths around the Sun, and in 2052 it could come dangerously close to Earth. The more the asteroid was observed, the greater that risk became," said ESA Head of Planetary Defense Richard Moissl. 

    Continue reading
  • Why Wi-Fi 6 and 6E will connect factories of the future
    Tech body pushes reliability, cost savings of next-gen wireless comms for IIoT – not a typo

    Wi-Fi 6 and 6E are being promoted as technologies for enabling industrial automation and the Industrial Internet of Things (IIoT) thanks to features that provide more reliable communications and reduced costs compared with wired network alternatives, at least according to the Wireless Broadband Alliance (WBA).

    The WBA’s Wi-Fi 6/6E for IIoT working group, led by Cisco, Deutsche Telekom, and Intel, has pulled together ideas on the future of networked devices in factories and written it all up in a “Wi-Fi 6/6E for Industrial IoT: Enabling Wi-Fi Determinism in an IoT World” manifesto.

    The detailed whitepaper makes the case that wireless communications has become the preferred way to network sensors as part of IIoT deployments because it's faster and cheaper than fiber or copper infrastructure. The alliance is a collection of technology companies and service providers that work together on developing standards, coming up with certifications and guidelines, advocating for stuff that they want, and so on.

    Continue reading
  • How can we make the VC world less pale and male, Congress wonders
    'Combating tech bro culture' on the agenda this week for US House committee

    A US congressional hearing on "combating tech bro culture" in the venture capital world is will take place this week, with some of the biggest names in startup funding under the spotlight.

    The House Financial Services Committee's Task Force on Financial Technology is scheduled to meet on Thursday. FSC majority staff said in a memo [PDF] the hearing will focus on how VCs have failed to invest in, say, fintech companies founded by women and people of color. 

    We're told Sallie Krawcheck, CEO and cofounder of Ellevest; Marceau Michel, founder of Black Founders Matter; Abbey Wemimo, cofounder and co-CEO of Esusu; and Maryam Haque, executive director of Venture Forward have at least been invited to speak at the meeting.

    Continue reading
  • DataStax launches streaming data platform with backward support for JMS
    Or move to Apache Pulsar for efficiency gains, says NoSQL vendor

    DataStax, the database company built around open-source wide-column Apache Cassandra, has launched a streaming platform as a service with backwards compatibility for messaging standards JMS, MQ, and Kafka.

    The fully managed messaging and event streaming service, based on open-source Apache Pulsar, is a streaming technology built for the requirements of high-scale, real-time applications.

    But DataStax wanted to help customers get data from their existing messaging platforms, as well as those who migrate to Pulsar, said Chris Latimer, vice president of product management.

    Continue reading
  • Infor to stop developing on-prem software for IBM iSeries
    ERP vendor had promised containerized options, but looks set to focus on the cloud

    ERP vendor Infor is to end development of on-premises and containerized versions of its core product for customers running on IBM iSeries mid-range systems.

    Born from a cross-breeding of ERP stalwarts Baan and Lawson, Infor was developing an on-premises containerized version of M3, dubbed CM3, to help ease migration for IBM hardware customers and offer them options other than lifting and shifting to the cloud.

    Infor said it would continue to run the database component on IBM i (Power and I operating system, formerly known as iSeries) while supporting the application component of the product in a Linux or Windows container on Kubernetes.

    Continue reading
  • Intel demos multi-wavelength laser array integrated on silicon wafer
    Next stop – on-chip optical interconnects? Plus it's built with 300mm tech, meaning potential volume production

    Intel is claiming a significant advancement in its photonics research with an eight-wavelength laser array that is integrated on a silicon wafer, marking another step on the road to on-chip optical interconnects.

    This development from Intel Labs will enable the production of an optical source with the required performance for future high-volume applications, the chip giant claimed. These include co-packaged optics, where the optical components are combined in the same chip package as other components such as network switch silicon, and optical interconnects between processors.

    According to Intel Labs, its demonstration laser array was built on the company's well-established 300mm wafer manufacturing technology which is already used to make optical transceivers, paving the way for high-volume manufacturing in future. The eight-wavelength array uses distributed feedback (DFB) laser diodes, which apparently refers to the use of a periodically structured element or diffraction grating inside the laser to generate a single frequency output.

    Continue reading

Biting the hand that feeds IT © 1998–2022