
Consolidated Major Australian Data Breaches Thread

Discussion in 'Networking, Telephony & Internet' started by ipv6ready, Sep 23, 2022.

  1. ipv6ready

    Optus customers face a heightened risk of identity theft and online scams after the personal information of almost 10 million of the telco’s users was compromised in one of the nation’s biggest-ever data breaches.

    The nation’s top cyber spies at the Australian Signals Directorate are working with Optus to trace the perpetrators of the devastating cyber attack, which exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers.

    A further seven million Optus users had their dates of birth, email addresses and phone numbers stolen.

    If you are an Optus customer be vigilant, and if you're worried sign up to free credit report sites or even better for a few months sign up to online hacking insurance services.

    The 2.8 million whose passport, driver’s licence and phone numbers, email and home addresses and dates of birth were exposed should be hopping mad.
     
    Last edited: Sep 23, 2022
  2. spookware


    Looking forward to the government fine for a data breach should be a big one. Thinking in the region of about 20k.

    fucking joke.
     
  3. mesaoz

    Let me guess... an Optus shop franchise had one of their shop computers breached through a dodgy download and that computer had access to the ERP?

    Haven't been an Optus customer for a while but I bet my info is still in their systems.
     
  4. ipv6ready (OP)


    Very likely, as Optus does not have 10 million customers.
     
  5. JSmithDTV

  6. Phalanx

    If a single person decided to hook up a test system to the live customer database then they bloody well should be in the shit, that's almost criminal levels of negligence. However I doubt it was one person, because that would have involved that person having obscene levels of access to set up both ends of that, which is a much bigger problem in itself. I'm betting someone decided hooking the test system to the live database was just simpler to do testing, despite being an idiotic idea.

    I worked for a while on payroll systems and one of the hardest things was end to end testing, because you're not allowed to hook up live systems to test systems, it's just common sense to not do that. Therefore you need to either have test systems hooked up to test systems (which is a headache) or come up with ways to make sure it'll work without actually doing end to end (like rather than do an API call, just use a data extract from the live system and send that to the test system, then rely on the fact your API already works between the production systems to assume that'll work when you go live with whatever your change is).

    I've never worked anywhere (and I've worked at a few very large places) where test systems were included in SSO and they had API connections to things like customer info databases. There is something very screwy with Optus's security practices if this was actually the case.
     
    Last edited: Sep 23, 2022
  7. JSmithDTV

    Agree... dev and prod should always be isolated from each other, running a dev customer database to link to the test system.
    Maybe... the whole report seems like a bit of a copout to me (from Optus).



    JSmith
     
  8. fnp

    In situations like this I do so love to imagine the oh shit moment where someone, somewhere realised there's been a colossal fuck up.
     
  9. ipv6ready (OP)


    I worked for all 4 of the largest carriers and currently work for one...... Don't know much about the Dev teams, but if a request came to networks to allow access to Production from staging network... polite answer would be FO and NO before I see written confirmation from both CIO and COO.
     
    Last edited: Sep 23, 2022
  10. JSmithDTV

    Exactly... which is why I think their story is a bit shit tbh. I mean this would have required a change request from their network teams, to be even able to do this.



    JSmith
     
  11. dave_dave_dave

    Ha. This isn't even their biggest data breach or major incident, just the biggest one that's been publicly reported.

    Word on the street is access was gained at a pretty high security level to one of their overseas outsourced locations back into the main network. Of course this won't be the cause publicly, it'll be blamed on some fall guy.
     
  12. Unbanable

    Did they get the passwords for our accounts as well???
     
  13. MR CHILLED

    Apparently affecting customers dating back to 2017.

    Nope.

     
  14. Yehat

    According to Optus no passwords (bold formatting is added by me below, not source material), but a lot of customer identifying info:
    Source: https://www.optus.com.au/about/medi...22/09/optus-notifies-customers-of-cyberattack
     
  15. fnp

  16. macktheknife

    Passwords aren't the biggest problem. The problem is that enough data got leaked that people are going to get their phones slammed to devices owned by scammers that compromise 2FA. Usually all you need to port a number for most companies is a company sim, a phone and either an account number or date of birth. Plus all that data (how often have you ever been asked more than customer name/account number/date of birth?) you can just call companies on the phone and change it to an existing number.
     
  17. MUTMAN

    hope the twit in charge is the first one hammered by the scam and ID theft
     
  18. drunkntigr

    Honestly OCAU is home to some of the higher tiered IT professionals. This ain't Whirlpool.

    We all know it.

    Average people are dumb af, hack of optus or no hack of personal information, the people who are going to get scammed as a result of this would have gotten scammed anyway.
    It is probably a group of 3 hackers, let's say even 30, or even 300.

    How long will it take those 300 scammers to manually try to scam the 9 million or so customers? It would take lifetimes if any attempt or anything useful can be gained from it at all in any real volume.

    And we all know security in any organisation rather than hard firewalls is simply unreliable. There are simply too many variables in code, the 'cyber security' experts are just low tier helpdesk joes most of the time. Unless you get some elite dev who has also mastered network engineering then yeah very few people to really adequately defend against such attacks.
     
  19. macktheknife

    The data has probably already been bought and sold across the planet. The hackers aren't doing the scamming, they're selling the data to scammers.
     
  20. wwwww

    Not exactly. Being smart won't protect you from a port scam.

    It basically goes like this:
    Optus gives your phone number and personal details to a scammer.
    The scammer calls Optus and asks to port your mobile number to a different provider. The scammer verifies that he's you by using your personal details. As these details came from Optus they're a perfect match and Optus ports your number.
    The phone number is used to access your Gmail account thanks to its state of the art 1FA security (Google somehow manages to be painfully difficult for users to access, but painfully easy for hackers).

    They access your emails to see what bank/services you use, then proceed to access other accounts the same way looking for ways to get money from you like through Paypal or similar.

    No input from the victim necessary other than signing up with Optus.

    The details are sold and then it becomes 206.1 million people trying to scam 9 million customers.
     