Updated on 2022-12-22: T-Mobile hacker sentenced
Argishti Khudaverdyan, the owner of a T-Mobile retail store who hacked into T-Mobile’s main network as part of a larger phone-unlocking scheme, was sentenced last week to 10 years in prison. Read more: Former Mobile Phone Store Owner Sentenced to 10 Years in Federal Prison for Multimillion-Dollar Scheme to Illegally Unlock Cellphones
Updated on 2022-12-07: Dutch SIM swapper gets four years
A 20-year-old from the Dutch town of Eelderwolde was sentenced to four years in prison for breaking into the IT systems of Dutch mobile operator T-Mobile. Officials said the man worked with a 17-year-old and executed spear-phishing and SIM-swapping attacks to break into bank accounts and steal more than €100,000 from dozens of victims. Read more: Vier jaar cel voor jonge cybercrimineel uit Eelderwolde
Updated on 2022-12-01
A new bill approved by the Australian parliament will allow fines of up to AUD50 million ($34 million) for companies that suffer large-scale data breaches. Read more: Australia will now fine firms up to AU$50 million for data breaches
Updated on 2022-11-09: Sydney teen pleads guilty to extorting Optus customers
Dennis Su, 19, from Sydney, pleaded guilty this week to extorting Australians who had their data leaked in the Optus breach. Su—who was not involved in the breach itself—admitted to taking some of the leaked Optus data, contacting some users via SMS, and demanding an AUS$2,000 payment or he’d use their personal details to commit “financial crimes.” Su was detained in early October, a week after sending out the SMS messages. Read more: Sydney teenager Dennis Su pleads guilty to using Optus data breach information to blackmail customers
Yep. The guy has already been caught and has now pleaded guilty. 🤦. My favourite bit from the court case: 'No one ever transferred money but one person responded with an emoji'. https://t.co/ikSiRlm3N0 https://t.co/W0x0rJv6pQ
— Joe Tidy (@joetidy) November 8, 2022
Victims of Optus data hack are now receiving text messages from hackers demanding $2000AUD be paid into a CBA bank account, with threats their data will be sold for “fraudulent activity within 2 days.” @9NewsAUS pic.twitter.com/J57inlyyut
— Chris O'Keefe (@cokeefe9) September 27, 2022
Updated on 2022-10-27: Australian government gets serious about privacy fines
This week’s Federal budget contains AUD$5.5m for the Office of the Australian Information Commissioner to investigate the recent Optus breach. The government also introduced legislation that will vastly increase the financial penalties for serious data breaches. Maximum fines will increase from AUD$2.2m to the greater of AUD$50m or 30% of company turnover. We are not fans of indiscriminate fines, but the proposed penalties will definitely focus attention on cyber security issues. The legislation also gives government bodies greater enforcement and information-sharing powers. Read more:
- OAIC welcomes additional Budget funding
- Tougher penalties for serious data breaches
- Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
Updated on 2022-10-09: Optus confirms at least 2.1M ID numbers exposed in breach
Australian telco giant Optus said this week that at least 2.1 million ID numbers were stolen in its massive breach, first reported a few weeks ago. That includes 150,000 passport numbers and 50,000 Medicare numbers (remember, this is Australia). Optus already said it would cover the costs of passport replacements, per the government’s request, though many of the documents were already expired, according to Optus. Read more: Optus reveals at least 2.1 million ID numbers exposed in massive data breach
Updated on 2022-10-06: Australian Police Arrest Individual for Allegedly Exploiting Optus Breach for Financial Gain
Police in Australia have arrested a person who allegedly attempted to extort funds from victims of the Optus data breach. It appears that this individual was not behind the attack, but used some of the leaked data to send threatening messages to victims.
Note
- Reporting fraud attempts to the proper authorities can make a difference. Use this case as an example to support your reporting requirements, both externally and internally. Determine, before an incident, whether the relevant parties are able to take such a report and how it should be submitted.
Read more in
- Man arrested for alleged data breach SMS scam
- Australian Federal Police arrest man suspected of exploiting Optus cyberattack
Updated on 2022-10-06: Australia Proposes Temporary Changes to Data Privacy Rules in Response to Optus Breach
In the wake of the Optus breach, Australia’s government has proposed changes to the country’s Telecommunications Regulations 2021. “The amendments will enable telecommunications companies to temporarily share approved government identifier information (such as drivers licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach.”
Note
- Data sharing agreements are critical on many levels. It is preferable to arrange them on a case-by-case basis, but sometimes this is hindered by local regulations. Australia is stepping in to remove the regulatory restrictions; even so, all parties must use due diligence to ensure the data is properly protected and properly disposed of, in line with both the agreement and regulatory requirements. When in doubt, seek expert guidance.
Read more in
- Changes to protect consumers following Optus data breach
- Australia moots changes to privacy laws after Optus data breach
Updated on 2022-10-05
Optus confirmed that the cyberattack last month affected 2.1 million customers who had their government identification numbers—both valid and expired—compromised. Read more: Optus confirms 2.1 million ID numbers exposed in data breach
Updated on 2022-10-05: Australia minister slaps Optus ‘sophisticated’ hack: “It wasn’t”
Australia’s cyber security minister Clare O’Neill finally said what everyone’s been thinking — by calling BS on Optus, which claimed a “sophisticated” cyberattack exposed millions of Australians’ personal information. When asked on breakfast telly if O’Neill believes Optus’ claim that it was sophisticated, her response was: “Well, it wasn’t. So no.” O’Neill isn’t wrong — it looks like an unauthenticated internet-facing API was to blame, no login needed — the cyber equivalent of having unrestricted guest access to Fort Knox’s gold vault.
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol pic.twitter.com/l89O8w1oCO
— Jeremy Kirk (@Jeremy_Kirk) September 24, 2022
The Australian government pushed Optus to pay for replacing affected citizens’ passports (since identity documents were caught up in the breach).
Breaking: Optus to pay for replacement passports for Australians caught up in their data breach mess, Anthony Albanese says
— Tom McIlroy (@TomMcIlroy) September 30, 2022
Optus was also criticized for its handling of breach notifications, and is now prominently displaying its breach on ad displays in malls across the country.
Walked by an Optus store at the local mall that had a prominent apology for the “cyberattack” on a screen. #OptusHack #auspoI #OptusDataBreach pic.twitter.com/JnSd9scpTR
— Jeremy Kirk (@Jeremy_Kirk) October 1, 2022
Australia has some data protection laws, whereas stateside T-Mobile had its seventh security breach this year and America barely flinched…
https://twitter.com/zackwhittaker/status/1575671861056135168
What happened at Optus wasn't a sophisticated attack.
We should not have a telecommunications provider in this country that has effectively left the window open for data of this nature to be stolen. #abc730 pic.twitter.com/KamkiapcZl
— Clare O'Neil MP (@ClareONeilMP) September 26, 2022
Read more:
- ‘It wasn’t’: Cyber Security Minister Clare O’Neil slaps down Optus’s claim that it suffered ‘sophisticated’ attack
- Optus: How a massive data breach has exposed Australia
- Optus breach victims will get “supercharged” fraud protection
Updated on 2022-10-03: Optus Data Breach Compromised at Least 2.1 Million Valid Identification Numbers
Australian telecommunications company Optus says that a recent breach of its network compromised accounts belonging to 9.8 million customers. Of those, at least 1.2 million records contain at least one valid identification number. Optus has engaged Deloitte to investigate the breach and to determine what could have been done to prevent the incident. Optus has not yet revealed how the attackers infiltrated the network, nor have they provided details about which systems were affected.
Note
- While Optus has not publicly stated the vulnerability, the articles say local reports point to an interface that “did not require authentication or authorisation for customer data to be accessed.” “Broken Access Control” is number 1 on the OWASP Top 10 and “Insecure Design” is number 4; any thorough software review of internal code, or a modern software test tool run against any open source code, should have detected this long ago.
- In addition to the 1.2 million current customer records exposed, another 900,000 expired documents were exposed – which means attackers have customers’ old data that could be leveraged to obtain the current information. While the company says they are taking steps to prevent recurrence and affected users have been notified, it’s still not a bad idea to make sure you’ve got credit/ID monitoring now rather than waiting for this to all shake out.
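To make the “broken access control” point concrete, here is an added example (not Optus code; the records, tokens and endpoint shape are constructed) of a customer-record lookup in the form the reports describe, lookup by customer ID, first with no access control and then hardened so an authenticated caller can only read their own record, plus the kind of regression check a test suite should run against any customer-data endpoint:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by sequential customer ID (not real data).
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "passport": "PA1234567"},
    1002: {"name": "B. Example", "dob": "1975-06-30", "passport": "PB7654321"},
}
# Constructed session tokens -> authenticated customer ID.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def lookup_unauthenticated(customer_id: int) -> Response:
    """Broken access control: any caller can read any record just by guessing an ID."""
    rec = CUSTOMERS.get(customer_id)
    return Response(200, rec) if rec else Response(404)


def lookup_hardened(auth_header: Optional[str], customer_id: int) -> Response:
    """Authenticate the bearer token, then enforce that the caller owns the record."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401)          # no identity, no data
    caller = SESSIONS.get(auth_header[len("Bearer "):])
    if caller is None:
        return Response(401)          # unknown or expired token
    if caller != customer_id:
        return Response(404)          # same answer as "no such record": don't confirm IDs exist
    rec = CUSTOMERS.get(customer_id)
    return Response(200, rec) if rec else Response(404)


def policy_regression_check(handler) -> bool:
    """Automated check: anonymous callers get nothing, owners get their own record only."""
    anon_blocked = all(handler(None, cid).status in (401, 403, 404) for cid in CUSTOMERS)
    own_ok = handler("Bearer tok-alice", 1001).status == 200
    cross_blocked = handler("Bearer tok-alice", 1002).status in (403, 404)
    return anon_blocked and own_ok and cross_blocked
```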
Read more in
- Optus reveals extent of data breach, but stays mum on how it happened
- Optus Says ID Numbers of 2.1 Million Compromised in Data Breach
Updated on 2022-09-30: More News About Optus Breach
Australian authorities have asked the US Federal Bureau of Investigation (FBI) for help identifying the culprits responsible for the Optus breach. The incident has reportedly compromised driver’s license information, passport numbers, and email addresses of more than 10 million customers. Optus has taken a hit to its credibility after it became apparent that Medicare information was compromised as well, although Optus had not disclosed that. Initially, the attackers had demanded AU$1.5 million in ransom. Now the apparent culprits have apologized for the attack and have withdrawn the monetary demand as well as threats to post stolen data. However, more than 10,000 customer records had already been released.
Note
- Kudos to Optus for calling in additional support to work the breach. It’s not a bad idea to have an escalation plan in your hip pocket. At this point, if you’re using Optus, assume your data is compromised. Take active steps to monitor your identity, don’t wait for the investigation to complete.
Read more in
- Australia asks FBI to help find attacker who stole data from millions of users
- FBI Helping Australian Authorities Investigate Massive Optus Data Breach: Reports
- Optus hacker apologizes and allegedly deletes all stolen data
- Australia government wants Optus to pay for data breach
- Optus Attacker Halts AU$1.5 Million Extortion Attempt
Updated on 2022-09-30: Australia is set to overhaul its privacy laws after a major data breach at the country’s second-largest telco.
Optus was hacked and is said to have leaked personal information including names, dates of birth, addresses, contact details, and even passport numbers affecting 40% of the Australian population. New laws will require any company suffering a data breach to inform related banks to reduce potential fraud. Read more: Australia flags privacy overhaul after huge cyber attack on Optus
Updated on 2022-09-29
Optus informed former Virgin Mobile and Gomo customers that the recent data breach also impacted their personal information. Read more: Optus tells former Virgin Mobile and Gomo customers they could also be part of data breach
Updated on 2022-09-28: Optus hacker backtracks
The hacker who breached, stole, and tried to sell data from Australian telco Optus has changed their mind, removed a forum entry advertising the company’s data, and posted a new entry apologizing to Optus for the intrusion. It is unclear what caused this sudden change of heart, but infosec reporter Jeremy Kirk says that Optus has not paid a ransom to the attacker, so this looks like a decision taken on the hacker’s side.
BREAKING: Optus has confirmed to me it has not paid a ransom to the person who stole 10 million customer records. #OptusHack #OptusDataBreach #auspol #infosec
— Jeremy Kirk (@Jeremy_Kirk) September 27, 2022
The old post is now deleted. The data samples are gone. Here is the new post (ht to @allyjfoster for sending it to me while I was out getting cat food). pic.twitter.com/BzFWX4PaM7
— Jeremy Kirk (@Jeremy_Kirk) September 27, 2022
deleting your extortion threat on a hacking forum after the AFP announces an international operation is self care 😊
— cameron wilson (@cameronwilson) September 27, 2022
In the meantime, the Australian government said that since driver’s license numbers were stolen in the breach, anyone whose data was leaked in the Optus incident can apply for a free replacement. Read more: Optus data breach: What to do about replacing your driver’s licence and passport
Updated on 2022-09-27
The hacker behind the Optus breach released a sample of 10,200 stolen records and asked for $1 million as part of their extortion efforts. The dataset has, however, since been taken down. Read more: Hacker Behind Optus Breach Releases 10,200 Customer Records in Extortion Scheme
Updated on 2022-09-26: Optus data up for sale
After Australian telco Optus disclosed a security breach last week, the company’s data has now popped up for sale on Breached, a well-known cybercrime forum. According to the seller, the listing contains data on 11.2 million Optus users.
Updated on 2022-09-25: Australia’s second-largest telco Optus was hacked
Aussie telco giant Optus was recently hacked (date unknown but discovered September 14) with an attacker claiming to have stolen 11.2 million sensitive customer records. The hack is messy, not least thanks to Optus’ crappy communications. But a dump of sample data posted online looks legit, according to @jeremy_kirk, who’s covered this story from the very beginning.
I reached the Optus hacker. The person had a fair bit to say. I've started a new thread here. #OptusHack #infosec #auspol https://t.co/iT8Ww776xV
— Jeremy Kirk (@Jeremy_Kirk) September 24, 2022
Here's a tidy news story that wraps up all my Optus data breach tweets. I've tried to make this understandable for everyone. It's important we understand how our personal data is at risk if not protected. https://t.co/FIQlA5x8rL#OptusHack #auspol #infosec
— Jeremy Kirk (@Jeremy_Kirk) September 24, 2022
So Optus created an unauthenticated API to the customer database and then exposed it to a test system. But they say no human error was involved and blamed it on a sophisticated attack. A breakdown…
— Adam Garner (@agarner) September 23, 2022
According to the hacker, an unauthenticated API allowed access to the customer databases, which the hacker then harvested by requesting records sequentially — eventually enough to trigger alerts. Kirk validated some of the data, including by speaking to one affected person who lives nearby. Stellar reporting here, even as the story develops. This could be one of the country’s biggest breaches to date.
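The sequential record access described above is exactly the pattern an API gateway or SIEM should catch long before millions of records are gone. The following is an added example (not Optus code; the log format, IPs and customer IDs are constructed) that parses access-log lines for a customer-lookup endpoint and flags any source that walks consecutive customer IDs inside a short window, also counting how many of its requests carried no credential:

```python
import re
from collections import defaultdict

# Constructed log format: epoch_seconds client_ip GET /api/customers/<id> status auth=<none|bearer>
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) GET /api/customers/(?P<cid>\d+) (?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

# Constructed sample: one bulk scraper (203.0.113.5), one normal user re-reading
# their own record (198.51.100.7), and one short sequential burst below threshold.
SAMPLE_LOG = """\
1000 198.51.100.7 GET /api/customers/1001 200 auth=bearer
1001 203.0.113.5 GET /api/customers/20001 200 auth=none
1002 203.0.113.5 GET /api/customers/20002 200 auth=none
1003 203.0.113.5 GET /api/customers/20003 200 auth=none
1004 203.0.113.5 GET /api/customers/20004 200 auth=none
1005 203.0.113.5 GET /api/customers/20005 200 auth=none
1006 203.0.113.5 GET /api/customers/20006 200 auth=none
1007 203.0.113.5 GET /api/customers/20007 200 auth=none
1008 203.0.113.5 GET /api/customers/20008 200 auth=none
1009 198.51.100.7 GET /api/customers/1001 200 auth=bearer
1010 192.0.2.9 GET /api/customers/3001 200 auth=bearer
1011 192.0.2.9 GET /api/customers/3002 200 auth=bearer
1012 192.0.2.9 GET /api/customers/3003 200 auth=bearer
""".splitlines()


def find_enumerators(lines, min_run=5, window_s=60):
    """Return {ip: stats} for sources that requested consecutive customer IDs
    (id, id+1, id+2, ...) at least min_run times within window_s seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:                                   # skip lines not in the expected format
            by_ip[m["ip"]].append((int(m["ts"]), int(m["cid"]), m["auth"]))
    alerts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()                             # chronological order
        best = run = 1
        run_start = reqs[0][0]
        for (_, prev_id, _), (ts, cur_id, _) in zip(reqs, reqs[1:]):
            if cur_id == prev_id + 1 and ts - run_start <= window_s:
                run += 1
            else:
                run, run_start = 1, ts          # sequence broken or window elapsed
            best = max(best, run)
        if best >= min_run:
            alerts[ip] = {
                "longest_sequential_run": best,
                "unauthenticated": sum(1 for _, _, a in reqs if a == "none"),
                "total": len(reqs),
            }
    return alerts


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {stats}")
```

A production rule would also key on the caller identity rather than only the IP, since a scraper can rotate addresses; the threshold and window here are illustrative.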
Read more in
- Optus Under $1 Million Extortion Threat in Data Breach
- Optus rejects insider claims of ‘human error’ as possible factor in hack affecting millions of Australians
- Australia’s Optus says up to 10 million customers caught in cyber attack
Updated on 2022-09-23
Optus, the second largest telecommunications provider in Australia, said it was dealing with a cyberattack. In a message posted on its website, the company said it is still investigating the incident, but it believes that a threat actor might have viewed the personal data of its customers. Optus didn’t say how many users were impacted by this incident but said it’s already working with authorities on the case.
Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses and ID document numbers such as driver’s licence or passport numbers. Payment details and account passwords have not been compromised.
Read more in
- Optus notifies customers of cyberattack compromising customer information
- Optus data breach: who is affected, what has been taken and what should you do?
Updated on 2022-09-21: Optus Discloses Data Breach
Australian telecommunications company Optus has acknowledged that a data breach compromised personal information of current and former customers. The affected data include dates of birth, email addresses, and passport numbers. Optus says that their “systems and services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised.”
Note
- At this point Optus has already contacted affected users. Optus both left administrative interfaces to systems available on the Internet to facilitate remote maintenance and failed to change default passwords. Make sure that remote maintenance uses a VPN or another secure access mechanism, requires MFA, and that all default passwords are changed. Never assume an adversary cannot determine the default password, no matter how tightly you feel that information is held.
Read more in
Overview
Optus, Australia’s second-largest telecom carrier, underwent a data breach that potentially impacted the personal information (names, contact details, and dates of birth) of millions of customers.