
Lint_baby_uvulla

TIL. Just read that [(insert Holy Jesus Fucking Christ expletive)](https://www.afr.com/technology/all-optus-customers-can-do-is-hope-20220925-p5bku9) Optus had an unauthenticated API that released *all of your PII data*. Unauthenticated. All your data. This is *not* a hack folks. This is a PII breach that ~~will have~~ has serious consequences.


Coincedence

Not only was there no authentication, there was no limit to the requests. Nothing batted an eye that 11 million requests had been made in a short period. It's beyond incompetence imo. I am sincerely hoping there are consequences for optus / the departments responsible beyond a slap on the wrist.


[deleted]

[deleted]


Coincedence

In this case, I would hope the employees directly responsible for it can't work in infosec again. I don't want them to suffer, but what happened is a massive issue and can't be allowed to happen again. Anywhere.


[deleted]

[deleted]


[deleted]

No developer with 2 brain cells is going to do that without a massive paper trail as one of the things that get drilled into us over and over (well to me anyway) is the National Privacy Principles that we all follow. Maybe I'm lucky enough to have been doing this long enough that I can afford to have some ethics, but there is no way in hell I would code that in the first place. I'd quit before exposing people to identity theft. I deal with medical data, so yeah, I'm super-sensitive to this shit.


VannaTLC

Dev pushes code to api gw, which is supposed to handle auth/auth.


[deleted]

[deleted]


Nostonica

> API Gonewild

Hmm code insertion and back doors.


jingois

Exactly. This is a big business. This means people who call themselves "senior architect" by virtue of doing the same damn thing over and over for a decade while reading blogs from posers on the internet. This almost universally results in overly complex architecture which is difficult to reason about and fragile. You'll also see that duplicates in staging environments or local are very expensive, or difficult to spin up locally - so devs are putting in shortcuts to allow testing. Also no mid-level dev (or even senior) has the broad skillbase at that level to fully understand how a particular command or query is handled due to it passing through a whole bunch of custom services. Fuck, I was working with some cunts that had something along the lines of haproxy (aws) -> some api gw equiv (gcp) -> nginx (gcp) - (mutual cert https) -> nginx (aws) -> api gw -> haproxy (vps bastion) -> iis on ec2. - "We're an AWS shop but we want to use some bullshit api protection thing in gcp as our architect thinks lambdas are bad so we won't use api gw for that" - and that's ignoring the ridiculously complex server-side code that was something like 20kloc for a handful of endpoints to read out a database.


freman

Some Devs are just yes men. We built a db that stored most PII in encrypted columns and the API required separate requests to be made for this data... Someone in marketing complained they wanted emails for a campaign and someone was tasked with storing the same data, unencrypted right beside the encrypted version, that someone wasn't me because they knew damn well I'd push back and insist on some form of API to either do the contacting or return appropriately sized blocks of the bare minimum info to do what marketing needed. (It probably would have been the first option unless they gave me a damn good excuse for the second one) These days I don't think that data is stored in the encrypted fields at all any more, everything is mirrored into salesforce which is well outside of my purview and nothing stops a malicious agent copy pasting all the contacts from salesforce that I could see so *shrug*


DarkYendor

It’s a Swiss cheese problem. I’m confident you won’t find that they wrote a new unsecured API and hooked it straight up to the live customer database. There were probably 10 things that were each fine in isolation - but do them all, and you end up in this situation. It’s unlikely there will be a single action from any employee that resulted in this - the issue is that the rules and procedures didn’t prevent it.


Sk1rm1sh

Layman me just thinks: Would you not want to encrypt the exposed data though?


DarkYendor

It probably is encrypted at-rest, but it's unlikely the API outputs encrypted data. For example, if the API is used to pull an address from the database in order to send out a letter, the output needs to be the address, not a block of encrypted data.


mufasadb

Lol what does that look like though? No matter what the last action is it's not okay. Whether it's adding the unencrypted IDs next to the hashed ones, pulling the auth off or removing the throttle. If that code was PRed it gets turned down.. every time


Lint_baby_uvulla

This isn't a developer issue, this is a company info sec policy issue. And given this is a company subject to the Australian Information Privacy Principles, it's at very least a breach of the QLD Disclosure section 23B [link](https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/key-privacy-concepts/key-privacy-concepts-disclosure)

> Disclosure is defined in section 23(2) of the IP Act.
>
> (2) An entity (the first entity) discloses personal information to another entity (the second entity) if—
>
> (a) the second entity does not know the personal information, and is not in a position to be able to find it out; and
>
> (b) the first entity gives the second entity the personal information, or places it in a position to be able to find it out; and


Coincedence

It's a developer issue in the sense the portal should never have been public. But yes you're right. Somewhere, someone would have okayed this, and likely more than one someone. Those people need to be held responsible.


Alaric4

Rather than being approved by a hierarchy, isn’t it more likely that some developer just thought “This is a quick and dirty way to test this thing I’m working on. Not secure but it’ll be OK because no-one but me knows the address and I’ll shut it down as soon as I’m done”. Then didn’t shut it down and someone found it? I’m not in the field but do have some experience of developers doing really stupid things. (Specifically, connecting the live website to a dummy credit card back end to briefly test something, then forgetting to switch it back so that two days of deposit transactions resulted in client accounts being credited without their cards being charged).


[deleted]

Even if it was some dev doing it on their own/unbeknownst to higher up, the fact they had no issue acquiring a live feed of millions of rows of sensitive data speaks a lot about how Optus manages its data.


echo-94-charlie

A developer doing this is more likely to be symptomatic of a seriously flawed development culture than one lone wolf taking shortcuts. I worked in the public service once and dealt with sensitive information, and the culture there was incredibly risk averse. There were no IS leaks because we did everything by the book. Nothing was done without approval from someone senior enough to understand and be accountable for it. Risks were identified, treated, signed off on. Of course, it slowed things down compared to the cowboy approach, but you just learned to factor that in. The culture was as much a protection as the individual accountability.


NotThePersona

In my experience I suspect (no evidence, just working in IT experience) multiple things happened by different people. One would have been to expose a test api environment to the world. No big deal on that, no real data in there as far as that person knows. Another department who also uses the test environment puts a copy of the current customer database to the test environment not knowing that it is exposed to the world. They plan to use it for internal testing so no issues as far as they are aware. Opposite order could have happened as well, but this way seems more likely. It's a failure of change control and monitoring for sure, but I doubt 1 person put the data there and exposed it. If they did they absolutely deserve to lose their job.


shikaishi

You do not test with unmasked PII data. This is fundamental. There are so many things wrong with this whole situation that indicates incompetency and lack of controls that Optus deserve everything they get from this.


Coincedence

It could be, in which case that developer should be done for it. Regardless of whom it was, someone needs to be punished for this, manager or developer.


minodude

I work in a related field, and this is terrible advice. Blaming an individual is almost never the correct thing to do. The correct thing to do is ask:

* what policy should have stopped the developer from doing this? If it doesn't exist, why not?
* What automated tooling enforced the policy? If it didn't exist, why not? If it did, why didn't it work?
* What monitoring detected the breach and alerted someone with the ability and authority to shut it down immediately? If there was none, why not?
* Etc

Looking at root causes, gaps in policy/automation/detection/removing opportunity for human error, and institutional failures gets you continual improvement over time and a culture of openness and reflection and improvement. Looking for an individual to blame gets to a culture of blame and fear, leading to arse-covering, papering over problems, and no improvement over time. Sure you might fix the one specific thing that went wrong in this case, but you'll get bitten over and over again and you'll never actually build security into your culture.


Proxay

It's not a developer alone, it's the whole tech all the way up to their chief information security officer. Procedures and general governance of development standards when done right don't allow for this kinda shit to happen. Gateway limiting is something their netops / platform teams should be all over. Monitoring should've picked up massive spikes on requests within a minute or two at the least, and paged any software management to investigate. None of this happened. It's not one person it's their whole engineering org and management. All of them need to feel consequences. Everyone else should do case studies on this in Uni as probably the single biggest and dumbest example of bad handling of PII in Australian history so far. I've no doubt in my mind Telstra and the rest aren't any better, either. It's our shitty privacy standards that are lagging. GDPR for Europe and the CISPA in California have done great things. We need to catch up. Asap.

Edit: I didn't even touch on white hat red, blue, green teams they should have endlessly hammering their systems for vulnerabilities like this. Where are they?
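The request-spike monitoring Proxay describes, as an added example that is not part of the thread and not Optus code: a small detector run over constructed API gateway access logs. It flags one caller hammering a record endpoint (what a gateway throttle would enforce), the aggregate volume across all callers (which still fires when a scraper is spread over many addresses), and a run of consecutive record IDs being requested. The log line format, thresholds and sample lines are assumptions made for the example.

```python
"""Request-volume spike detection over API gateway access logs (added example).

The log lines below are constructed; the field order (time, client, method,
path, status) is an assumption, not a real gateway format.
"""
import re
from collections import defaultdict

# Constructed access-log sample: one client walking sequential customer IDs,
# a few more clients joining in, and some unrelated traffic.
SAMPLE_LOG = """\
2022-09-20T10:00:00Z 203.0.113.10 GET /v1/customer/100001 200
2022-09-20T10:00:00Z 203.0.113.10 GET /v1/customer/100002 200
2022-09-20T10:00:01Z 203.0.113.10 GET /v1/customer/100003 200
2022-09-20T10:00:01Z 203.0.113.10 GET /v1/customer/100004 200
2022-09-20T10:00:02Z 203.0.113.10 GET /v1/customer/100005 200
2022-09-20T10:00:02Z 203.0.113.10 GET /v1/customer/100006 200
2022-09-20T10:00:03Z 198.51.100.7 GET /v1/customer/100007 200
2022-09-20T10:00:03Z 198.51.100.8 GET /v1/customer/100008 200
2022-09-20T10:00:04Z 198.51.100.9 GET /v1/customer/100009 200
2022-09-20T10:00:05Z 192.0.2.44 GET /v1/plans 200
2022-09-20T10:01:10Z 192.0.2.45 GET /v1/customer/200555 200
2022-09-20T10:01:12Z 192.0.2.46 GET /v1/plans 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalise_path(path):
    """Collapse numeric segments so every /v1/customer/<n> call counts as one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        ids = re.findall(r"/(\d+)(?=/|$)", path)
        events.append({
            "minute": ts[:16],  # ISO timestamp truncated to the minute
            "client": client,
            "endpoint": f"{method} {normalise_path(path)}",
            "record_id": int(ids[-1]) if ids else None,
            "status": int(status),
        })
    return events


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in values (0 for empty input)."""
    ordered = sorted(set(values))
    best = run = 1 if ordered else 0
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_spikes(events, per_client_limit=5, aggregate_limit=8, enumeration_run=5):
    """Return one alert per (minute, endpoint) window that breaches a threshold.

    per_client_limit: what a gateway throttle would enforce on one caller.
    aggregate_limit:  total calls from all callers; catches a scraper spread over many IPs.
    enumeration_run:  consecutive record IDs requested in the window.
    Thresholds here suit the constructed sample; real ones come from a traffic baseline.
    """
    windows = defaultdict(lambda: {"clients": defaultdict(int), "ids": []})
    for e in events:
        if e["status"] != 200:
            continue  # only successful record reads matter for exposure
        w = windows[(e["minute"], e["endpoint"])]
        w["clients"][e["client"]] += 1
        if e["record_id"] is not None:
            w["ids"].append(e["record_id"])

    alerts = []
    for (minute, endpoint), w in sorted(windows.items()):
        total = sum(w["clients"].values())
        top_client, top_count = max(w["clients"].items(), key=lambda kv: kv[1])
        run = longest_consecutive_run(w["ids"])
        reasons = []
        if top_count > per_client_limit:
            reasons.append(f"client {top_client} made {top_count} requests")
        if total > aggregate_limit:
            reasons.append(f"{total} requests from {len(w['clients'])} clients")
        if run >= enumeration_run:
            reasons.append(f"{run} consecutive record IDs requested")
        if reasons:
            alerts.append({"minute": minute, "endpoint": endpoint, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(parse_log(SAMPLE_LOG)):
        print(alert["minute"], alert["endpoint"], "; ".join(alert["reasons"]))
```

Against the sample, the 10:00 window on `GET /v1/customer/{id}` trips all three checks; the aggregate and enumeration checks are the ones a per-IP throttle alone would miss.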


enigmatic_x

There’s no way a single developer sets up an internet facing API in the corporate world. It needs a network path to the outside world, and that won’t be in the hands of some coder.


ogzogz

It's already an issue for devs to be testing their shit with real PII info.


VannaTLC

No, not unless Optus is run like 2 person garage shop. (Which I know it isn't.)


1337_BAIT

Nothing goes to prod without approval somewhere


wigam

If you can do this at a company there are lots of problems.


nxxsxxxxxx

Internal audits should have locked down controls and access management for the data to eliminate the risk of this scenario


Iamlostinusa

Most of the Telcos use offshore IT staff so they may not face any consequences.


sqljohn

Someone spec'd it, someone built it, someone tested it, someone signed off on the whole shebang. Failures right up the line.


riesdadmiotb

It has before, repeatedly, and it will happen again, repeatedly.


bilby2020

All infosec including chief security architects I have worked with were limited to the role of Advisors. They evaluate controls, articulate risks. But end of the day it is up to business to own and accept the risk. Only way to stop this is to give CISOs veto authority to stop project changes by law and have them report to the board and not CIO or CEO even.


MelSchlemming

This is a company that is almost certainly going to have employees dedicated to devOps/deployment. The developers could have been junior devs for all we know and just been told to "implement this API". They don't deserve any blame if they hadn't been trained appropriately or weren't responsible for the design patterns that resulted in this. If a dev did somehow deploy a live public server with access to a prod DB, that's still fault with their architectural patterns. It simply shouldn't be possible without process where multiple people are signing off on it. Bad high level architectural patterns would be more the fault of senior tech leads, at which point you should be starting to get up the chain a bit - probably a couple of steps down from CTO/equivalent executive member. (Not to say that member doesn't bear responsibility - they absolutely do, but they probably weren't directly responsible).


[deleted]

Jesus Christ, Gladys is getting efficient at this… next place she’ll be out before the welcome morning tea


wicklowdave

I heard she personally approved the pull request that put the api into production


anakaine

I heard she closed the git issue and updated the jira ticket too.


workredditme

“Contractors” get fired. Most of their tech workers are contractors


ProceedOrRun

I believe it was a test system too, so why the hell was the data not obfuscated? Do all their techies need to have access to it?


CptUnderpants-

Everyone has a test system, not everyone is lucky enough to have a separate production system. 😉


ProceedOrRun

I don't often test my code, but when I do it's in Prod! Jokes aside, I have seen someone stick a breakpoint in a prod system. Was actually quite safe, but man it was just wrong!


freman

Hey, I've had to once, there was absolutely no way I could replicate the issue I was tracking down in Dev, random issue that'd be fine for months and suddenly a spate of problems till we poked it enough and it went away. Ran it in parallel in Dev, same issues never cropped up. Turned out to be an environment specific issue, one tiny minute difference between Dev and prod (would have eventually showed up in UAT but this wasn't a system that was called heaps in UAT)


Coincedence

You would be amazed. I work for optus now, but I worked on a data migration project previously in which we had pure text access to names, addresses in some cases, bank numbers etc. We all knew what we had, we shouldn't have, but it was kind of an open secret at that point.


ProceedOrRun

I've worked all over and believe me if I saw that it'd be fixed quick smart. There's a concept called blast radius that is rather important when it comes to security.


ichann3

Bro. I was with electricity in a box when they had decent rates. In one of my emails, they addressed me as someone else. I questioned them on this and asked if they were accessing other people's accounts when speaking with me. They "assured" me they didn't. Me thinks they have a txt document and copied and pasted the wrong info.


Coincedence

It's very likely. The amount of information stored as plain text in these companies is astounding.


[deleted]

[deleted]


CalculatingLao

This was an issue long before she was ever with Optus. As much as I dislike her, she has nothing to do with what happened.


marvelscott

But the whole PR exercise of doing nothing at the start of the leak instead of actually helping, going to media instead of communicating to customers and overexaggerating the bad guy to lessen the blow to the company instead of accepting mistakes made, is pretty much consistent with her brand. Seems she made a good fit at Optus.


MonashECS

A few sources are now, correctly, describing it as data harvesting rather than hacking which is good.


ProceedOrRun

It was data harvesting indeed. Hacking involves compromising some sort of security which it appears they did not.


[deleted]

[deleted]


ProceedOrRun

While I'm not disagreeing with you, there must be some element of duty of care there. You could make a case for entrapment too. The law is notoriously flaky when it comes to tech, and I'm not sure there's much precedent around this.


Zebidee

The tech equivalent of leaving an apple pie to cool on a windowsill.


freman

Hmm warm apple PII


Frankie_T9000

and I like how their first communication to customers about it was a lie


Zebidee

Still haven't had a word from them. Everything I know about it is from media or Reddit.


ProceedOrRun

Nah, they just stretched the truth. Like stretched to the point many might believe it was something only an expert could do instead of it actually being something a bloody child could do.


ivosaurus

To be fair, I imagine it's the engineer and hammer scenario. You don't pay the engineer hundreds per hour because of their sick, sick, heart-surgeon-level hammering skills, you pay them because out of thousands of nails in your machine, they know exactly which 2 to test and knock back in in 10 minutes to fix it. Similarly, it'd probably take an expert to *find* the endpoints, but only a novice programmer to extract data from them once handed some urls. But then that's why you (ahem..) pay a different expert to make sure such endpoints don't exist in the first place.


ProceedOrRun

Indeed, and more to the point you make your internal endpoints just as secure as your public ones... because one day they just might happen to be public!
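The "internal endpoints as secure as public ones" point, as an added example rather than anything from the thread or from Optus: a tiny gateway in which every route requires a bearer token unless the registration visibly says `public=True`, and every caller is throttled with a token bucket, so removing auth or the throttle has to show up as a reviewable code change. The token format (`principal.hmac`), the signing key, the request/response dicts and the customer store are all constructed for the example and stand in for a real identity provider and database.

```python
"""Deny-by-default routing with a per-caller throttle (added example).

Token format, key, request shape and customer store are constructed for the
example; a real deployment would validate OAuth2/JWT tokens from an IdP.
"""
import hashlib
import hmac
import time

# Constructed signing key; in practice issued by the identity provider, never checked in.
TOKEN_KEY = b"example-gateway-key-not-for-production"


def issue_token(principal):
    """Constructed bearer token 'principal.hexmac', standing in for a real access token."""
    mac = hmac.new(TOKEN_KEY, principal.encode(), hashlib.sha256).hexdigest()
    return f"{principal}.{mac}"


def verify_token(token):
    """Return the principal if the MAC checks out, else None."""
    if not token or "." not in token:
        return None
    principal, _, mac = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, principal.encode(), hashlib.sha256).hexdigest()
    return principal if hmac.compare_digest(mac, expected) else None


class Gateway:
    def __init__(self, per_minute=60, clock=time.monotonic):
        self.routes = {}        # (method, path) -> (handler, public)
        self.per_minute = per_minute
        self.clock = clock      # injectable so the throttle can be tested without sleeping
        self.buckets = {}       # caller -> [tokens_left, last_refill_time]

    def route(self, method, path, public=False):
        """Register a handler. Nothing is public unless public=True is written at the call site."""
        def wrap(fn):
            self.routes[(method, path)] = (fn, public)
            return fn
        return wrap

    def _allow(self, caller):
        """Token bucket: per_minute requests, refilled continuously."""
        now = self.clock()
        left, last = self.buckets.get(caller, (self.per_minute, now))
        left = min(self.per_minute, left + (now - last) * self.per_minute / 60.0)
        if left < 1:
            self.buckets[caller] = [left, now]
            return False
        self.buckets[caller] = [left - 1, now]
        return True

    def handle(self, request):
        entry = self.routes.get((request["method"], request["path"]))
        if entry is None:
            return {"status": 404, "body": "not found"}
        handler, public = entry
        principal = None
        if not public:
            header = request.get("headers", {}).get("Authorization", "")
            principal = verify_token(header.removeprefix("Bearer "))
            if principal is None:
                return {"status": 401, "body": "authentication required"}
        # Authenticated callers are throttled per principal, public traffic per client address.
        if not self._allow(principal or request.get("client", "anonymous")):
            return {"status": 429, "body": "too many requests"}
        return {"status": 200, "body": handler(request, principal)}


# Constructed customer store standing in for the production database.
CUSTOMERS = {"100001": {"name": "Example Customer", "licence_no": "EXAMPLE-ONLY"}}


def build_gateway(clock=time.monotonic):
    gw = Gateway(per_minute=3, clock=clock)  # tiny limit so a demo run trips it

    @gw.route("GET", "/v1/plans", public=True)
    def plans(request, principal):
        return ["Plan A", "Plan B"]

    @gw.route("GET", "/v1/customer")  # default: authentication required
    def customer(request, principal):
        rec = CUSTOMERS.get(request.get("query", {}).get("id"))
        return rec if rec else "no such customer"

    return gw
```

The reviewable property is the default: a route that reads customer records cannot become public by omission, and the throttle applies before the handler runs, so the gateway rather than the handler decides both questions.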


not_right

"Good news" no fuck you optus


japgolly

WTF?! Was it a public endpoint? Edit: answering my own question, yes, it was. Completely public API with no auth. This was not a hack or a "cyber attack", it was a free giveaway.


[deleted]

[deleted]


ProceedOrRun

Yeah it would be very very easy to do. Any dev could quickly whip up a script/service/app that could scrape it in no time. I reckon I could in under half an hour, including obscuring my requests.


[deleted]

[deleted]


ProceedOrRun

Depends on how good their monitoring is and if they're even watching. And Assange isn't a great example, he openly published the details. But simple requests from a client via a foreign VPN? They're probably gonna need more to catch you out.


The4th88

My programming skills are limited to some python and excel scripts. I could've figured this out in a weekend.


Pyrrolic_Victory

SELECT * FROM plzdontsteal.sensitivecustomerdata


ProceedOrRun

You wouldn't need code even. Tools like Postman would probably do the job.


ProceedOrRun

Yes, they have a duty of care for our data. You can't just print it out and leave it on a park bench which is effectively what they did.


mrbaggins

Word I'd heard was it was a testing platform that was using a copy of live data, but because of the tests being run / someone being dumb, it was publicly exposed with no authentication over it. Someone found it and scraped it before they realised.


frashal

Even that is a privacy problem in itself without the open api issue. If you want to use live data for testing you should really still be obfuscating identifying data. There are a myriad of tools out there specifically for this purpose, that will generate random names, dates of birth, licence numbers etc. The dev and test teams shouldn't have access to peoples actual data.
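The masking frashal describes, as an added example that is neither from the thread nor one of the commercial tools: a deterministic, keyed pseudonymiser for a customer table that swaps names for values from a wordlist, shifts dates of birth by a keyed amount so age bands survive, and rewrites licence and passport numbers while keeping their digit/letter shape so format validation in the test suite still passes. The same real value always maps to the same fake value, so joins between masked tables hold. The key, the wordlists and the sample row are constructed for the example.

```python
"""Deterministic PII masking for test environments (added example).

The key, wordlists and sample row are constructed; nothing here is real data.
"""
import hashlib
import hmac
import string
from datetime import date, timedelta

# Constructed key. In practice generated once, kept outside the test environment and rotated;
# without it the mapping cannot be re-derived, and it never reverses (there is no decrypt).
MASKING_KEY = b"example-masking-key-not-for-production"

FIRST_NAMES = ["Ada", "Blake", "Chen", "Dana", "Eli", "Farah", "Gus", "Hana"]
LAST_NAMES = ["Ngata", "Okafor", "Petrov", "Quinn", "Reyes", "Singh", "Tanaka", "Ueda"]


def _digest(field, value):
    """Keyed digest of field:value; binding the field stops a licence masking like a passport."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def _pick(field, value, options):
    d = _digest(field, value)
    return options[int.from_bytes(d[:4], "big") % len(options)]


def mask_identifier(field, value):
    """Keep the shape of a document number: digits stay digits, letters stay letters, separators stay."""
    d = _digest(field, value)
    out = []
    for i, ch in enumerate(value):
        b = d[i % len(d)]
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isalpha():
            out.append(string.ascii_uppercase[b % 26])
        else:
            out.append(ch)
    return "".join(out)


def mask_dob(value):
    """Shift the real date by a keyed 1..365 days either way: age bands survive, the exact date does not."""
    real = date.fromisoformat(value)
    d = _digest("dob", value)
    days = 1 + int.from_bytes(d[:2], "big") % 365
    sign = 1 if d[2] % 2 == 0 else -1
    return (real + timedelta(days=sign * days)).isoformat()


def mask_record(rec):
    first = _pick("first_name", rec["first_name"], FIRST_NAMES)
    last = _pick("last_name", rec["last_name"], LAST_NAMES)
    return {
        # Surrogate key, not PII: kept unchanged so joins across masked tables still line up.
        "customer_id": rec["customer_id"],
        "first_name": first,
        "last_name": last,
        "email": f"{first}.{last}@example.com".lower(),
        "dob": mask_dob(rec["dob"]),
        "licence_no": mask_identifier("licence_no", rec["licence_no"]),
        "passport_no": mask_identifier("passport_no", rec["passport_no"]),
    }


def mask_table(records):
    return [mask_record(r) for r in records]


# Constructed sample row, not a real person.
SAMPLE_ROW = {
    "customer_id": 100001,
    "first_name": "Jordan",
    "last_name": "Example",
    "email": "jordan.example@example.org",
    "dob": "1985-03-14",
    "licence_no": "12345678",
    "passport_no": "PA1234567",
}

if __name__ == "__main__":
    print(mask_record(SAMPLE_ROW))
```

Masking runs once, on the way out of production, so the test environment never holds the real values at all; the key stays with the job that produces the copy, not with the people who consume it.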


azirale

"But it's haaaaaaaarrrrdddd" the devs whinge. "It'll be different to prod, our tests won't be valid, waaaahhhh" I've seen so much prod data in dev, always run it up as an issue, but always had any progress blocked because it would put 'delivery timelines at risk' or something similar.


DarkWorld25

Ops fucked up. Prod data should never have been handed over to a test environment


Mortyyy

Also you'd think a test API would be fenced off and not publicly accessible.


ProceedOrRun

QA will always be pushed back if it's allowed to be. And that's how mishaps occur.


CcryMeARiver

The easiest way to capture corner cases is to snaffle a copy of production's data. /s Despite it possibly not containing anywhere near [all known hiccups](https://xkcd.com/327/).


mrbaggins

Oh for sure. It's a special case only situation to want to use a copy of real data for testing purposes.


ProceedOrRun

Yes, I'm reading it was the test system. Which begs the bloody obvious question - why wasn't it obfuscated?


mrbaggins

There are times you do want real data for tests, because even the most thorough test suite misses reality's edge cases. But in those instances you do things with a lot of precautions, that were evidently absent here


undyau

There are two issues here:

1. The open door the attackers used
2. The fact that the PII data was not protected on disk - something like field level tokenisation of PII would mean that even in the event of (1) or any much more sophisticated attack, the exfiltrated data would be useless.

I would hope for a massive fine for Optus.
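Field-level tokenisation as undyau describes it, as an added example that is not part of the thread and not Optus code: the application table stores random tokens in place of the sensitive fields, a separate vault (here an in-memory dict standing in for a separately access-controlled service) holds the token-to-value mapping, and a keyed fingerprint index lets the application ask "does this passport number already exist?" without the vault ever being scanned in plaintext. A row lifted from the application table then contains no usable PII. The record layout, field list and lookup key are constructed for the example.

```python
"""Field-level tokenisation: the application table holds tokens, the vault holds values (added example).

The vault is an in-memory dict standing in for a separately access-controlled,
audited service; the record layout and lookup key are constructed.
"""
import hashlib
import hmac
import secrets

# Which columns leave the application database; a design choice, here everything but the surrogate key.
SENSITIVE_FIELDS = ("name", "licence_no", "passport_no", "medicare_no", "dob")


class TokenVault:
    """Maps random tokens to real values. Lives behind its own access control and audit log."""

    def __init__(self, lookup_key):
        self._tokens = {}          # token -> real value
        self._index = {}           # keyed fingerprint -> token, for equality lookups without plaintext scans
        self._lookup_key = lookup_key

    def _fingerprint(self, field, value):
        return hmac.new(self._lookup_key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()

    def tokenise(self, field, value):
        fp = self._fingerprint(field, value)
        if fp in self._index:      # the same value always gets the same token
            return self._index[fp]
        token = f"tok_{field}_{secrets.token_urlsafe(12)}"  # random: carries no information about the value
        self._tokens[token] = value
        self._index[fp] = token
        return token

    def detokenise(self, token):
        return self._tokens[token]

    def token_for(self, field, value):
        """Token for a value the caller already knows (duplicate checks, KYC matching), or None."""
        return self._index.get(self._fingerprint(field, value))


def tokenise_record(vault, rec):
    """The row the application database stores: surrogate key plus tokens for every sensitive field."""
    return {k: (vault.tokenise(k, v) if k in SENSITIVE_FIELDS else v) for k, v in rec.items()}


def detokenise_record(vault, row):
    """Only code holding a vault handle can do this; it is the call an audit log should record."""
    return {k: (vault.detokenise(v) if k in SENSITIVE_FIELDS else v) for k, v in row.items()}


def leaked_row_exposes(row, real_values):
    """Simulate exfiltration of an application row: which real sensitive values appear in it?"""
    dumped = " ".join(str(v) for v in row.values())
    return [v for v in real_values if v in dumped]


# Constructed sample record, not a real person.
SAMPLE_RECORD = {
    "customer_id": 100001,
    "name": "Jordan Example",
    "licence_no": "12345678",
    "passport_no": "PA1234567",
    "medicare_no": "2123 45670 1",
    "dob": "1985-03-14",
}

if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"example-lookup-key-not-for-production")
    row = tokenise_record(vault, SAMPLE_RECORD)
    print(row)
    print("exposed by a leak of this row:", leaked_row_exposes(row, list(SAMPLE_RECORD.values())[1:]))
```

The point of the exercise is where the trust boundary lands: an unauthenticated read of the application table, the scenario in (1), yields tokens, and turning them back into documents requires a second, separately controlled system.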


distinctgore

A huge fine and a huge class action. If they need liquidity let the federal gov buy the majority. These fucks have really run dry on the excuse that “tHe PRivAte mARKet is moRe EFFicieNt”.


CptUnderpants-

If you've ever heard the phrase "Security through obscurity", this is pretty much the poster child of why it doesn't work.


CurbedEnthusiasm

And the CEO is denying it so she’s a complete and utter liar. She claimed the data was encrypted. Total bullshit.


ipaqmaster

Yep. One `curl` and it's out the door. A national fucking embarrassment.


TreeChangeMe

> has serious consequences

Ha ha ha ha ha. About 30 seconds of revenue in fines then?


[deleted]

> This is a PII breach that will have has serious consequences.

After I received Optus's email about this data breach, on my private email address, one that only Optus knew about, my inbox is now being flooded with Spam. **I have not been an Optus customer for 14 years!** I had a new Nokia N95 and remember watching videos for the first time on the new 3G network.


Brentaxe

And we will be gaslighted until this all blows over. Fucking disgusting


Gott_strafe_England

Can someone ELI5 this?


TomArday

Bad enough the CEO did a lousy job (if she did anything at all) but to mislead Optus customers and all Australians by saying that they were hacked and were just victims of bad people without admitting they fought against stronger protection of individuals’ private information just to protect her sickeningly high salary is disgusting.


Jealous-seasaw

Didn’t she say the data was encrypted? So the “hacker” got the private key somehow to decrypt the data ? I don’t think so.


Fuzzylogic1977

The data was hashed… but not salted! and the hashed data was stored right along side the raw data…. It was all delivered through an unauthenticated open API that didn’t use ANY form of encryption… they fucked up. They fucked up bigly and they should be fined into the ground and sued to a crisp. The level of incompetence is astounding!


Neither-Cup564

$2m is the biggest fine they can get in the current legislation. Class action will take years and unless there is a large impact to people it will be very little. The company will lose some customers for a couple of years, write off some losses they had dragging them down anyway saying how much it's affected their business, claim the tax break and move on.


Fuzzylogic1977

If any of the data relates to citizens of the EU, they are about to get fucked, and hard. I think it’s somewhere in the order of 200,000,000 €, yes that’s Euros not Aussie dollars. They keep saying it was a sophisticated hack. *massive eye roll


mufasadb

I think we're yet to see the EU follow through with fining someone outside of the EU. I don't know how that still go


Neither-Cup564

I’ve not ever seen an Australian website ask about GDPR, I doubt the EU would care tbh. I just hope it’s a learning opportunity for the Australian government that we’re a target because their regulations are piss weak.


Fallcious

Just a citizen, or a resident? I'm a dual citizen of Ireland/Australia but I've lived here for 10 years.


Wattsy2020

This is what happens when you treat IT as a cost centre


[deleted]

[deleted]


[deleted]

I think the Optus CEO just doesn't have the technical foundation to understand the situation. During the videocall/press conference, you could see her glancing around at the people behind her camera, looking for their approval for what she was saying. No doubt that room had the Legal, PR and Tech heads all present. But there would have been a big push against a disembodied voice piping up from the back saying "Acktually...." when she was in the middle of her spiel. And by Optus ensuring only one of two talking heads get in front of the press, they're declaring their scapegoats so they don't have to flush the full C-suite to try and recover some reputation.


[deleted]

[deleted]


CaptGrumpy

I heard her say the data was encrypted and I nearly choked. Yet, not a single journalist questioned it.


waddlesticks

Yeah this was a nail in the coffin for me to consider changing back to Telstra. I only went to optus because at the time Telstra didn't have the proper service in the area but later fixed that up and now have the better service and plans. Telstra bought a company out so that they could improve regional areas and optus did a whole campaign trying to make it seem that it was to be the opposite to try and stop it (as they really don't upgrade their infrastructure in regional areas anywhere near what they should)


LoremasterCelery

He made the cop Piglet lol


[deleted]

All Cops Are Piglets


[deleted]

[deleted]


CcryMeARiver

Oh, bother.


CcryMeARiver

Data is now in the Pooh.


ProceedOrRun

Oh that's just too much. Someone's going to hell, haha!


Banyabbaboy

Surely (the) Pope can't go to hell?


thorn_10

I was an Optus customer over 3 years ago and was told my data was also stolen, why do they even need my information several years later ?


[deleted]

[deleted]


CcryMeARiver

Deletions are a HARD computational problem where the item may be consumed as a key elsewhere. ed: ... indirectly consumed ... ed2: And why bother? Storage is cheap. Mark the record in place and move on.


TheNamelessKing

No they're not, there are organisational difficulties. Companies often don't *want* to support deleting data because they (think) they might want it later, or because they're unwilling to expand the (relatively meagre) amount of dev effort to implement hard deletes.


AntiProtonBoy

Not only that, but solutions exist where deletion happens automatically when the resource is no longer referenced anywhere.


19Alexastias

Don’t see why, surely you get a unique customer ID that they use as a primary key, even if they need/want to keep financial records they shouldn’t need your personal data to do so, it should all be linked to your customer ID.


AntiProtonBoy

It's not a hard problem if the implementation is properly executed.


[deleted]

[deleted]


TibblesTheGreat

PII is a concept, not a specific piece of data, and you generally need (not really need, but definitely want) specific pieces of data to use as DB keys. Also most PII isn't actually very unique until you start chaining them together. Think of your DoB - there are hundreds of people out there with the same one. There are also most likely hundreds with your first name, and hundreds with your last. Put it together and it's more unique, but not very good as a key because it's unnecessarily long and difficult to validate.


[deleted]

[deleted]


TibblesTheGreat

Oh I get you, I think we're actually saying the exact same thing, apologies!


ProceedOrRun

And backups/archives. Tough to delete every log row associated with a user.


Meng_Fei

They don't. That's why they're going to end up in the shit over this. There is zero reason why they need information like medicare and passport numbers once they've done the initial ID check. It should have been redacted. It wasn't, and that's a massive stuff up.


TibblesTheGreat

There will almost certainly be a class action on this. Part of the data privacy laws is a clause that you can only keep data so long as it's reasonable to do so and demands that it be deleted after that point - keeping that much PII is not going to fit that definition, and certainly not identification documents. The lawsuit bill Optus will have to front for this and other cases is quite likely to kill them as a company.


Agret

The government enforced KYC (know your customer) data retaining law is that you should keep any customer data for a minimum of 7yrs. This means from when you disconnect your Optus service they need to schedule your PII to be deleted 7yrs or more after the date of disconnection. What would be the point of the metadata collection law if they didn't have a way to connect it to a customer after the fact?


Ramiel01

Optus is already arguing that, while there is a requirement to delete the data, there's no timeframe requirement.


TibblesTheGreat

There's not a number on a specific timeframe, but there is actually a benchmark under the Australia Privacy Principles (which are the core of the Privacy Act) at which point the data must be destroyed. IANAL, obviously, I'm linking and interpreting a document as a layman.

---

**APP 11.2** ([source](https://www.legislation.gov.au/Details/C2020C00025)):

> If:
>
> (a) an APP entity holds personal information about an individual; and
>
> (b) *the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and*
>
> (c) the information is not contained in a Commonwealth record; and
>
> (d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;
>
> the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de‑identified.

---

a) is self-evident, b): they're not a customer, their ID does not need to be validated in an ongoing manner. c) and d) are not applicable. As I read it, they're also probably in breach of principles 5, 6, 8 and 9 for what it's worth.
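The schema point made by 19Alexastias and TibblesTheGreat above (a surrogate customer ID as the key, so financial records never hang off PII) together with the "destroy or de-identify" step in APP 11.2, as an added example that is neither from the thread nor Optus code: an SQLite schema where invoices reference `customer_id`, and a job that, for customers closed longer ago than a retention period, deletes the identity-document rows and nulls the personal columns while leaving the invoices intact and still summable. The schema, rows and dates are constructed; the retention period is a parameter the operator sets from their own legal advice (the 7-year figure in the test mirrors what Agret cites, not a statement of the law).

```python
"""Surrogate keys plus a de-identification job (added example).

Schema, rows and dates are constructed. retention_days is a parameter set by
the operator; nothing here asserts what the law requires.
"""
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE customer (
    customer_id   INTEGER PRIMARY KEY,   -- surrogate key: everything else points here, never at PII
    full_name     TEXT,
    email         TEXT,
    dob           TEXT,
    closed_on     TEXT                   -- NULL while the service is active
);
CREATE TABLE identity_document (         -- the KYC check; the document numbers are the liability
    customer_id   INTEGER REFERENCES customer(customer_id),
    doc_type      TEXT,
    doc_number    TEXT,
    verified_on   TEXT
);
CREATE TABLE invoice (                   -- financial record: must survive de-identification
    invoice_id    INTEGER PRIMARY KEY,
    customer_id   INTEGER REFERENCES customer(customer_id),
    issued_on     TEXT,
    amount_cents  INTEGER
);
"""

# Constructed rows, not real people.
SAMPLE_ROWS = {
    "customer": [
        (1, "Jordan Example", "jordan@example.org", "1985-03-14", "2012-06-30"),  # closed long ago
        (2, "Sam Sample", "sam@example.org", "1990-11-02", None),                  # active
        (3, "Kim Specimen", "kim@example.org", "1978-01-20", "2021-02-01"),        # recently closed
    ],
    "identity_document": [
        (1, "passport", "PA1234567", "2009-05-01"),
        (2, "licence", "12345678", "2015-08-12"),
        (3, "medicare", "2123 45670 1", "2018-03-03"),
    ],
    "invoice": [
        (10, 1, "2012-06-01", 4999), (11, 1, "2012-05-01", 4999),
        (12, 2, "2022-09-01", 6999),
        (13, 3, "2021-01-01", 3999),
    ],
}


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO customer VALUES (?,?,?,?,?)", SAMPLE_ROWS["customer"])
    con.executemany("INSERT INTO identity_document VALUES (?,?,?,?)", SAMPLE_ROWS["identity_document"])
    con.executemany("INSERT INTO invoice VALUES (?,?,?,?)", SAMPLE_ROWS["invoice"])
    return con


def deidentify_expired(con, today_iso, retention_days):
    """Destroy identity documents and de-identify customers closed more than retention_days ago.

    Invoices are untouched: they reference customer_id, so the books still
    balance after name, contact details and document numbers are gone.
    Returns the customer_ids processed; a second run over the same data returns [].
    """
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=retention_days)).isoformat()
    ids = [r[0] for r in con.execute(
        "SELECT customer_id FROM customer "
        "WHERE closed_on IS NOT NULL AND closed_on < ? AND full_name IS NOT NULL",
        (cutoff,))]
    for cid in ids:
        con.execute("DELETE FROM identity_document WHERE customer_id = ?", (cid,))
        con.execute("UPDATE customer SET full_name = NULL, email = NULL, dob = NULL "
                    "WHERE customer_id = ?", (cid,))
    con.commit()
    return ids


def invoice_total(con, customer_id):
    return con.execute("SELECT COALESCE(SUM(amount_cents), 0) FROM invoice WHERE customer_id = ?",
                       (customer_id,)).fetchone()[0]


def remaining_documents(con):
    return sorted(r[0] for r in con.execute("SELECT customer_id FROM identity_document"))


if __name__ == "__main__":
    db = open_db()
    print("de-identified:", deidentify_expired(db, "2022-09-27", retention_days=7 * 365))
    print("documents still held for:", remaining_documents(db))
    print("customer 1 invoice total (cents):", invoice_total(db, 1))
```

Because the only thing the invoice table knows about a person is the surrogate key, the de-identification step is a column update and a row delete rather than the "hard computational problem" of chasing a name or document number through every table that used it as a key.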


[deleted]

[deleted]


fishfacecakes

7*


stumcm

Seems that *"very sophisticated cyber attack"* is the obligatory statement that needs to be said by a spokesperson, no matter the evidence to the contrary. What is the thinking behind this? That a person whose data has been compromised will think *"oh, I guess it's OK then, it was a* ***very sophisticated*** *cyber attack!"*


Thagyr

Helps when your cyber defense is so unsophisticated. It's akin to someone looking at round wheels as sophisticated when all they've been using are squares.


ProceedOrRun

Very unsophisticated data scraping.


Scorpionwins23

Same as "Upon discovering the cyberattack, we immediately took action to shut it down to protect your information". Immediately taking action after the fact is completely irrelevant, and any actions taken to protect our information after it was compromised is nothing but a moot point.


verynayce

Wanna see something hilarious? https://www.optus.com.au/enterprise/security/security-consulting


Lint_baby_uvulla

Oh. Guess it’s time to write up a resume to apply for a job there. Interviewer: But you have no knowledge in the field, transferrable skills or industry exposure? Me: *apparently, neither do you, and you are working here*


The_Duc_Lord

> Interviewer: But you have no knowledge in the field, transferrable skills or industry exposure?

I know not to upload millions of pieces of personal identity information to an unsecured API.


someoneelseperhaps

Show off.


the_mooseman

Even funnier https://m.youtube.com/watch?v=7E-cTq6AxvE


FreakySpook

It would be nice if Visa/Mastercard & Banks expanded on their data security requirements to ensure their clients not only protected payment card info but personally identifiable information that can be used to access those accounts... If optus faced Visa/Mastercard denying them access to payment services they may have put more effort into securing their shit.


Cr3s3ndO

Securing “our” shit*


ivosaurus

**PLEASE NO**. Visa / Mastercard have enough private control over basically the majority of the world's financial transactions, only allowing businesses to conduct themselves according to their own vaguely defined morals. They DO NOT need more. I get the idea, but 100% awful vector for execution.


QWERTY_LIO

Have to wonder if Visa/Mastercard and Banks are even allowed to do that in Australia. Labor and the coalition have been very clear on the issue of data retention in which they want as much data accessible to government agencies and themselves as possible regardless of consequences such as this massive Optus failure and damage to consumers/Australian citizens.


IBeBallinOutaControl

Visa and Mastercard dont want to police other companies use of private information and governments probably dont want Visa and Mastercard to take over that policing role either. More likely is that the privacy act will be amended so that there is some increased minimum level of cyber security protections.


montdidier

The already do indirectly in the form of the PCI DSS.


Siriacus

It's a honeypot, get it?


512165381

https://www.abc.net.au/news/2022-09-27/online-account-claims-to-have-released-optus-customer-data/101476232

> "We have seen that there is a post like that on the dark web and the Australian Federal Police is all over that."

"Dark web" now means a well-known website where the perpetrator posts everything in public.

> Assistant Commissioner Cyber Command Justine Gough said the investigation was going to be complex and lengthy.

I'll save them the trouble. Here's the report: A user called 'Optusdata' crawled http://api.optus.com.au and Optus happily supplied all their customer data. Some dumb broad from Optus found out, got on tv and spouted bullsh!te. The site where 'Optusdata' shows a website forum registered in Tonga, and there is zero chance the admins will help. The website resolves to 172.67.75.105 which is Cloudflare in San Francisco. You can ask Cloudflare but that won't get you far. Everybody and his dog used VPNs which means you can't locate Jack Sh!t. Optus paid the $1 million ransom to an untraceable coin and now Optusdata has backed down and will never be found. The End.


variumwarrior

Wait, optus paid the ransom?


SilverStar9192

They'll never admit it, but it certainly was in their best interests to do so if they have enough evidence the "attacker" was legit. They would have been advised on this by Government as well.


CcryMeARiver

Peanuts. Small change. De nada.


onlyawfulnamesleft

It's days like this that I miss *Clarke and Dawe*.


ChinoBici

I have 2 work phones and 1 personal one. One of those work numbers is from Optus. That's the only phone I get constantly harassed on by scammers and telemarketers. I had only given that number to very few corporate customers when the calls began (5+ years ago). I'd be surprised if there are no connections to their data security management practices.


Significant-Turn7798

Funnily enough, I had a mobile number that only started to get spammed hard _after_ I ported it away from Optus. I assumed it was their parting gift.


[deleted]

Cute cartoon, although ‘honeypot’ does have a specific meaning in security, which (that I’ve heard) certainly doesn’t apply whatsoever here. But that’s just nit picking!


cbxxxx

I think the point is that it may as well have been a honeypot because it was laughably (un)protected


Different-Term-2250

They used their production servers as a honeypot!


Lothy_

So a few things of interest. Firstly, the software development industry has adopted a practice of blameless postmortems (post-incident reviews, loosely based on the medical field's Morbidity and Mortality conference). I wonder how that practice of blamelessness in post-incident review can possibly be reconciled with the public's need for retribution against some part of the business though. Not that I can say whether or not Optus has adopted this particular practice. But if they model their software development methods and practices off companies like Google / Atlassian / Microsoft (and a lot of companies do) then they probably have adopted it. Secondly, software development as a profession is not licenced, accredited, and gatekept in the same way as the more traditional engineering disciplines, law, medicine, etc. There's virtually no legal recourse to be had against an individual for incompetence like this. If that individual is already safely in their next job, or even the job after that, then they merely keep their mouth shut and don't use any former Optus colleagues / managers as a professional reference. But frankly, the real question is: How much of this is incompetence attributable to software developers, and how much of this is attributable to the middle management layer of the company who directs their work? Because oftentimes middle management directives lead to slipshod work from the individual contributors at the company, and it's only when a reckoning like this takes place that a company decides to revisit just how they go about directing what does and doesn't get done in the tech space in the name of saving a dollar.


Wobbling

> how much of this is attributable to the middle management layer of the company who directs their work?

ex-CTO/CIO here

Software development (and IT work in general) is treated as a cost centre in business. It's far too easy for management to improve the bottom line by restricting the very important work being done.

Worse, any IT professional or leader in an organisation who ethically stands their ground and demands sane data security (among other pesky standards) will often be treated as a 'difficult' employee or stakeholder and marginalised.

e: a snafu


Jealous-seasaw

Yeah I had a big list of security concerns with the test environment at a previous workplace. I sent arse covering emails. Years later the items on the list hadn’t been sorted. Yes it included using production data in test. Somehow I was the difficult person trying to be a roadblock ??? They clearly lied to auditors about it too.


Lothy_

Yes, that is more or less it. I've worked for both kinds of employers: Those who regard software development as an undesirable expense (cost centre), and those who regard software development as the means with which they grow their competitive edge or golden goose (profit centre). The former are always fussy about how you spend every minute of your day. As soon as they see something working 'well enough' they like to cut bait and move on to the next thing. An old boss of mine used to say 'make it work, make it right, make it fast' - and software development treated as a cost centre is often characterised by its tendency to stop at the 'make it work' bit.


Lothy_

Also, now more than ever the IT organisation is set up so that it's as challenging as possible for developers to go 'off the reservation'. Agile development, often Scrum, can make it hard for you as a professional to ensure that you get to follow through and actually finish things.

For example: You get asked to build some kind of prototype, and then you do your 'daily stand-up' (essentially a daily status meeting). Two things happen with this:

1. You hold out on them, and make up some story as to why you haven't finished the task which is to just build a 'minimum viable product'. Perversely, you're trying to do a proper job and this makes you look like an under-performer.

2. You disclose that you've got the prototype working, but it should really have features X, Y, and Z before you declare it production-ready and operationalise it in a production environment. Someone tells you that those features aren't 'the priority', and to just ship it as it is and put a ticket in the backlog so that the work can be prioritised in the future.

I suspect everyone can intuit how this Optus SNAFU might have played out.


swarley77

Ultimately it needs to be the shareholders and mgmt of Optus who shoulder the blame and financial consequences of this incident. No problem in capitalism gets fixed unless there are consequences for shareholders. The government should also shoulder some blame for letting Optus (and all other companies) collect so much data in such a cavalier way. They need to put in place fines that bankrupt business that do not protect data they collect, and also put in place systems that allow business to verify customer info in order to comply with legal requirements that governments place on them.


yashafromrussia

Software engineer here. Blameless postmortems are meant as a learning tool, so the issue can be either prevented or mitigated faster in the future. We're essentially blaming systems that allowed for the mistake to happen, rather than people making the mistake. This culture allows people to be honest and transparent with what has happened. The extreme opposite would be how USSR dealt with the Chernobyl disaster. Blameless postmortems have nothing to do with legal consequences. They will provide the details of the incident (since people can freely recall the timeline), and details on how something like that can be prevented and mitigated. However, this doesn't mean there are no legal consequences. There are. They would usually depend on the agreement a company has with its customers, and the laws a company must follow. I don't believe "incompetence attribution" would do anything else but make people scared to make mistakes. Why is that important? It's important shit like this never happens, and sadly, yes it's moments like this when a company would shift its focus a little to prevent this in the future. At the end of the day, no single software engineer has much say in what gets built and what doesn't, especially in large corps. If a company is willing to take risks to get higher velocity, or is poorly run from eng best practices pov, the company/system would be at fault, if you really wanted to attribute incompetence to something.


mnilailt

Blameless post mortems aren't the issue here. They are simply in place to prevent a single person being blamed or scapegoated for an issue; instead, the entire company takes the blame and suffers. Internally everyone may know who caused the issue, but pointing fingers won't solve anything. The person will likely still be talked to and likely lose a lot of respect and trust for future projects, but this way they can at least be upfront if something goes wrong without fear of repercussion. If people were shamed or blamed for their mistakes they would simply keep them hidden.


[deleted]

Blaming China? Brave…


Ak1m0to

My understanding is EU Citizens impacted will still be protected under GDPR as residency doesn’t impact status?


Britlantine

Sorry for the Daily Mail link but yes they are. https://www.dailymail.co.uk/news/article-11253117/Optus-data-hack-extinction-level-event-says-tech-analyst-Shara-Evans.html

Funny how the Mail isn't shitting all over the EU this time:

> "Optus is liable under EU law for all EU citizens impacted by the breach." The maximum fines under the GDPR is €20 million ($29 million) or 4 per cent of a firm's global revenue of the preceding year, if that is higher.


Lothy_

There ought to be some kind of Logie / Golden Globe type of award for IT-related fuck-ups. I thought Atlassian had it in the bag after their April incident, but not so.


grav3d1gger

Was anyone else amused by all the stock "hacker" footage on TV? Guy in hoodie, Linux terminals galore. I say amused but it was more annoying.


[deleted]

[удалено]


[deleted]

class action


[deleted]

[удалено]


[deleted]

[удалено]


diabolical_cunt

* [Optus appoints Gladys Berejiklian to its Executive Team in a new role as Managing Director, Enterprise, Business and Institutional](https://www.optus.com.au/about/media-centre/media-releases/2022/02/optus-appoints-gladys-berejiklian)
* [World-champion tennis player, Australian icon and proud Ngarigo woman, Ash Barty has said 'yes' to joining Optus as our new Chief of Inspiration.](https://www.optus.com.au/connected/news/ash-barty-becomes-chief-inspiration-officer-optus)


[deleted]

[удалено]


Frankenclyde

Wait until you find out Daniel Riccardo has been appointed Chief of Optimism


absenscogitationis

An unfortunately relevant title given the season he's been having this year :(


CcryMeARiver

Gladdy and Ash both have newly appointed Optus sinecures. Only Gladdy fits.


theBaron01

So I still haven't received an email from optus. I've used their online chat system a few times with no confirmation. Just got on again to find that the identification form they use has changed from asking you your optus account number, to asking you your drivers license number. Previously I had been able to work out that the tier 1 workers were just checking your account to see if an email was sent. If their system said yes email then you were affected, no email you were ok. Are they now literally just searching the data already publicly released for my drivers license to see if it's included?


TreeChangeMe

Executives will get a massive bonus and can "resign". They can then join Qantas


VolunteerNarrator

Gladys Berejiklian has such an agile career


derpman86

I am lucky I live in South Australia and they let me change my ID with no issues unlike other states so there is some saving grace there to this bullshit but there still is a solid chunk of my information bundled which I don't like and I can't do fuck all and have no recourse about. As someone who works in I.T as well I just cannot fathom HOW a company as large as Optus can fuck up in such a way, even the SMB I work for has to always deal with cyber security threats and are always adapting and there is NO WAY we would ever let a client fuck up in such a way Optus had done!


FatLarrysHotTip

"Oh bother"


FatLarrysHotTip

"Some say nothing is impossible, but I do nothing everyday". Optus staff.


KhevaKins

It is negligence on the part of Optus. The 'we're not the villain' shtick from Optus is laughable, they absolutely are.


theassholefaceman

I dead ass been getting scam calls on my galaxy watch for the past 6 months, what cyber attack! Optus has been selling personal information to data centers for years, they probably went short on payment and they leaked data. Fucking guy on TV put chrome on dark mode and opened a random forum with a picture of a furry named 'optusleakguy' and called it dark Web, and the blond bimbo melted her brain all over it. Fucking joke, the whole fucking shebang is a God damn joke.


unsurewhatimdoing

I’m guessing their Tech teams are mainly outsourced contractors. Who would have thought they don’t give a shit


ObsidianG

Time to change my gender for security reasons


FlygonBreloom

It was your gender all along. You don't have to lie to others. :P


DeCePtiCoNsxXx

Where do I sign up for the class action?


a_cold_human

We urgently need digital privacy laws and government audits of these to ensure companies are in compliance in the same way we require audits for financials.


zippazappazinga

Optus is fucking terrible anyway


OldManKroozin

I heard of OAuth and JSON Web Token as new industry standard authentication protocols for REST API requests. Never heard of NOAuth authentication until today.