Australia asks FBI to help find attacker who stole data from millions of users
Apparent perp claims to have deleted swiped info as carrier Optus struggles to get its story straight
+Comment Australian authorities have asked the United States Federal Bureau of Investigation (FBI) to assist with investigations into the data breach at local telco Optus.
Attorney general Mark Dreyfus yesterday revealed the FBI was asked to help identify the entities involved in the attack, which saw Optus leak data describing over ten million account holders. Data suspected to have been accessed included drivers licence details, passport numbers, email addresses and phone numbers.
Optus, owned by Singaporean mega-telco Singtel, disclosed the breach last Thursday.
In the days since, unpicking just what happened has become harder.
Ransom not payed but we dont care any more. Was mistake to scrape publish data in first place.
Optus CEO Kelly Bayer Rosmarin said the attack was "sophisticated."
Australia's Home Affairs minister Claire O'Neil said in Parliament that Optus "left the window open" – a likely reference to an apparent insider account of the attack that attributed it to an API allowing access to Optus's trove of customer identity information used to verify customers' identities with third parties or conduct credit checks. That data was allegedly mistakenly exposed to the internet, making queries to access customer info trivial.
But Optus CEO Rosmarin said O'Neil's remarks were made before Optus had briefed the minister and in interviews said she felt the need to correct misinformation – an unapologetic riposte that has been typical of the telco's response.
While the politics of the breach played out, attention turned to identifying the actors behind the breach and their intentions.
An entity claiming to have perpetrated the hack posted a demand for a $1 million ransom to the notorious BreachForums. Australian infosec reporter Jeremy Kirk contacted the poster, who provided some data that Kirk verified as containing records of Optus customers. Kirk later revealed that the entity had released 10,000 records and promised to release more.
Kirk also revealed that the data he had seen included references to Medicare, Australia's national public health insurance scheme. Ministers quickly noted that Optus had not previously disclosed the leak of Medicare data.
- Woman forced to sell 4-bed house after crypto exchange wrongly refunded $7.2m
- Australian wasps threaten another passenger plane, with help from COVID-19
- Australian court overturns 'Google is a publisher' decision
The omission matters for two reasons, one of which is that it cast further doubt on Optus's honesty.
The other is that Australia requires provision of multiple documents to establish identity when doing things like applying for loans or opening bank accounts. Allegations that Medicare membership numbers may have been present in the stolen data therefore increased the risk of identity fraud flowing from the data breach.
The potential for ID fraud had already seen state governments scramble to allow issuance of replacement drivers licenses, and citizen anger as that process proved difficult to arrange. Australia's opposition parties have since called for free replacement passports to be issued to victims of the breach and government response to the incident has become another issue up for debate.
While the news cycle lurched in that direction, the BreachForums user announced that they had deleted the Optus data and withdrawn it from sale.
"Too many eyes. We will not sale data (sic) to anyone. We cant if we even want to: personally deleted data from drive (Only copy)" the entity wrote, adding "Optus if your reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message."
"Ransom not payed but we dont care any more. Was mistake to scrape publish data in first place."
BreachForums posts sometimes mix accurate and highly speculative information, so Australian authorities have not accepted the post as the end of the matter and are continuing investigations.
But no alternative culprit has been mentioned, which is where collaboration with the FBI comes in.
Optus remains largely silent. The company has published a statement and FAQ but has not advised of compensation or whether it will fund new passports or drivers licences. Parent company Singtel has said almost nothing.
Comment: The data breach Australia had to have
Australia's population is 26 million so the 10.2 million records lifted from Optus may describe as much as 38 percent of the population. That's vastly more than any previous data breach in Australia, and Optus is comfortably the most prominent brand to have suffered such an incident.
The incident has therefore dominated a news cycle and given unprecedented prominence to information security concerns.
Australia's government, too, has given unusual focus to consumer protection in the digital age after years of focus on the intersection of infosec and national security. In coming days it's expected laws will impose consumer protection requirements on companies that hold personal data, plus sterner fines for entities that leak data.
Debate on appropriate next steps for personal protection, and legislative responses, are suddenly mainstream.
They've never been there before because Australia has never endured such a high-profile attack.
Grim as the situation is, this may therefore be the breach Australia needed to have. And I say that as someone yet to be notified by Optus about whether my entanglements with the company put me at risk ... and therefore hopes very much that the company soon explains itself in a way that displays sincere regret and an intention to restore trust. ®