Optus hack shows Australia is an easy target for cyber-criminals
The theft of personal data from 11 million Optus customers last week has exposed the soft underbelly of Australia’s online security.
Cyber Security Minister Clare O’Neil called the breach at the country’s second-largest telco “a simple hack,” though Optus denied it, claiming the data was “encrypted” and sat behind “multiple firewalls.”
Some experts were not convinced, and the Optus breach is only the start of the weaknesses in Australia’s online security, with one tech analyst saying major industries “have no idea” they are handing millions of Australians over to hackers.
Technology futurist Shara Evans has identified some of the weaknesses in Australian practice that make the country highly vulnerable to cybercriminals.
Technology futurist and keynote speaker Shara Evans says Australia is an easy target for international hackers.
One particularly glaring weakness is the widespread practice of sending sensitive data in unencrypted email.
Ms Evans said Australian companies seem to have no idea of the risk this poses.
“I can’t tell you how often health care providers will send you information unencrypted,” she said.
“If your doctor says they’ll email a prescription to your pharmacy, they’ll do it in plain text, including your date of birth and Medicare number.”
The Optus hacker was able to steal personal addresses, dates of birth, phone numbers, driver’s licences and passport details.
Ms Evans, who has worked as an executive for US telecom giants Alcatel, Sprint, Telenet and GTE, identified another area where sensitive data is routinely sent at risk.
“Each insurance renewal has an address, policy number and date of birth that are sent by email,” she said.
“Unless it’s encrypted, you trust that the client has initiated some security protocols – SSL or TLS – that people have never heard of.
“You rely on people to configure all their devices to receive email to a certain specification, and the center needs to have their email to that specification as well.
“If someone forged your email or got access to your email, it’s all about you.”
About 11 million Optus customers had personal data stolen by a hacker in the data breach.
SSL stands for Secure Sockets Layer, and TLS (Transport Layer Security) is its more modern and more secure replacement.
Email spoofing is when a hacker sends an email that looks like it came from a trusted source.
The fake email may ask a respondent to return personal information, including financial information, or open malware or spyware on your device.
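Ms Evans’s point that every hop has to be configured for TLS, and that the recipient only learns afterwards whether it was, can be illustrated with a small added example. This is illustration code written for this page, not from the article or anyone quoted in it: the `Received:` headers are constructed, the hostnames are fictitious, and the keyword list follows RFC 3848, where a trailing `S` on the `with` keyword (`ESMTPS`, `ESMTPSA`) records that the receiving server accepted the message over TLS.

```python
import re

# Constructed sample: the Received: trace of a fictitious prescription email,
# newest hop first, as mail servers write them. Not taken from any real message.
SAMPLE_HEADERS = """\
Received: from mx.example-clinic.test (mx.example-clinic.test [203.0.113.10])
        by mail.example-pharmacy.test with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 26 Sep 2022 10:15:02 +1000
Received: from workstation.example-clinic.test (workstation.example-clinic.test [192.0.2.25])
        by mx.example-clinic.test with ESMTP id def456;
        Mon, 26 Sep 2022 10:14:58 +1000
Subject: Prescription for patient
"""

# RFC 3848 "with" keywords whose trailing S means the hop was received over TLS.
TLS_KEYWORDS = {"SMTPS", "ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def unfold_headers(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def audit_hops(raw):
    """Return each Received: hop, in delivery order, with whether TLS was recorded."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        sender = re.search(r"\bfrom\s+([^\s;(]+)", line, re.I)
        receiver = re.search(r"\bby\s+([^\s;(]+)", line, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", line, re.I)
        keyword = proto.group(1).upper() if proto else ""
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "with": keyword,
            "encrypted": keyword in TLS_KEYWORDS,
        })
    hops.reverse()  # each server prepends its header, so reverse for sending order
    return hops


def all_hops_encrypted(raw):
    """True only if every hop in the trace was received over TLS."""
    hops = audit_hops(raw)
    return bool(hops) and all(h["encrypted"] for h in hops)


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_HEADERS):
        status = "TLS" if hop["encrypted"] else "PLAINTEXT"
        print(f"{hop['from']} -> {hop['by']}: {hop['with']} ({status})")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_HEADERS))
```

In the constructed trace the clinic’s own internal hop (workstation to mail gateway) used plain `ESMTP`, so the patient’s data crossed that link unencrypted even though the gateway-to-pharmacy hop used TLS 1.3. Two caveats apply: the trace is written by the receivers, so it can only report after the fact what a sender should have enforced up front, and `Received:` lines added before a message reached your own server are under the sender’s control and can be forged, which is why only the hops recorded by servers you operate are reliable evidence.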
UNSW Institute for Cyber-Security Director Nigel Phair agrees that Australia is vulnerable online — and the threat is only growing.
“We need to do much better in Australia when it comes to cybercrime,” he told Daily Mail Australia.
Internal sources say Australian companies are not following best practice when protecting their data from hackers.
“The Australian Cyber Security Centre said it had about 63,000 reports last year, I think that’s about a fifth of the actual number.
“The ACCC had about $2 billion in reported losses from scams.
“I don’t think that’s the right amount.
“We still have a long way to go before we collectively do online hygiene in this country.”
Mr Phair agreed with the cybersecurity minister that the Optus hack was “a breach we would not expect from a major telecommunications provider.”
“No, it definitely shouldn’t have happened,” Mr Phair said.
“I hope if we can take one ray of sunshine out of this, it’s that other companies in the ASX top 200 and below take a really good look at their risk practices based on this.
Home Affairs Minister Clare O’Neil criticised Optus, saying the security breach was “basic”, but the telco has rejected those claims.
“They have to ask themselves, ‘Why are we collecting data? Who gets to judge it? Why was it saved? And how is it, hopefully, eventually removed?’
“Why should companies be allowed to collect so much data if consumers don’t really make an informed choice?”
Ms O’Neil said she had heard from internal sources about security vulnerabilities at major Australian companies.
These include unsecured servers in basements and no siloing of information.
Siloing means keeping the pieces of information about a person separate, so that if a hacker breaks into one digital ‘silo’, they won’t have access to an entire dataset that could be used to build a profile for identity theft.
Ms Evans said that personal information should be “separately stored with audit trails, multiple firewalls and encryption” by each company.
Optus claims the stolen data was encrypted and had multiple firewalls (pictured, an Optus store in Sydney).
Ms Evans and Mr Phair criticized the fines that could be imposed on Australian companies for major security breaches.
The maximum fine that can be imposed by the Australian Information Commissioner, also known as the Privacy Commissioner, is $2 million, which Ms Evans described as a ‘slap on the wrist’.
Privacy legislation in the EU is much stricter and has been in place since 2016.
Under those laws, the maximum fines for privacy violations are €20 million ($29 million) or 4 percent of a company’s worldwide revenue from the previous year, whichever is greater.
Mr Phair, a former AFP officer who helped set up the agency’s High-Tech Crimes Unit, agreed that Australia’s fines are “very low compared to international ones for data breaches”, but said what may be more worrying is that they have never been used.
“We’ve had data breach fines for three or four years now and the data protection commissioner has yet to hand out one,” said Mr Phair.
“We can talk about ‘yes, we need higher fines,’ but what about using the fines we have first?”
Many may not appreciate that the most sensitive piece of personal information sought by hackers is a date of birth, Ms Evans said.
Once a date of birth falls into the wrong hands, it can be years before it is used.
“If your date of birth is compromised, you are subject to identity theft – period,” Ms Evans said.
“Once your data is compromised, it often takes years for someone to harm you, so you have to be vigilant for the rest of your life.”
A hacker in possession of a date of birth and other personal information can open credit in the name of their victim at any time.
“I’d never know,” said Ms Evans.
“Once your date of birth is gone, all you can do to fix it is die.”
Mr Phair said that cyber threats are only multiplying.
“People need to be vigilant online,” he said.
“The length and breadth of scam accounts is amazing.”
Mr Phair said the Optus breach would probably “go down as our biggest hack, purely based on its potential impact,” but it wasn’t the end of the story.
“This is a data breach like we’ve had before,” he said.
“You know what we’ll have a lot in the future. Expect to see that and more.”