Published Oct 13, 2022 by Xiph
The recent Optus data breach debacle has put the personal information of millions of Australians at risk. Although the data spill was the direct result of a sophisticated cyber attack that culminated in a hefty ransomware demand, the breach raises the question of how to best protect people's personal and customer data.
What’s the Optus data breach?
Australia’s second-largest telco Optus revealed the personal information of about 10 million customers − about 40% of the population – had been compromised in a recent cyber attack. This included names, birthdates, home addresses, phone and email contacts, passport, and driver’s licence numbers. Alongside existing Optus customers, the hack exposed the details of ex-Optus subscribers dating back to 2017, as well as customers from former Optus subsidiary Virgin Mobile.
Optus immediately notified affected customers and relevant authorities, and began an immediate investigation. The data breach was soon followed by ransom threats, with hackers asking for $1.5 million in cryptocurrency not to publish customer information on the dark web. When Optus refused to pay the ransom, the hackers uploaded a text file of 10,000 records to a data breach forum and promised to leak more records if the telco didn’t pay up. Telstra then became embroiled in a data breach of its own (through a third party) in which 30,000 past and present employees’ personal and contact details were posted in the same data breach forum.
How did the Optus breach happen?
Several theories are swirling about how the Optus data breach happened. The first theory is that Optus was using outdated encryption methods, or an Application Programming Interface (API) that didn’t have restricted access to stored information. This is likely some part true − Optus even confirmed it received an exemption to keep its legacy systems free from encryption when complying with Australia's data retention scheme in 2015. The second theory is that the data was not encrypted on the API, which Optus denies. A criminal investigation by the Australian Federal Police is currently underway looking into the origins of the Optus cyber attack and the methods used by the telco hackers. The latest Optus data breach raises questions about how best to protect people's personal data and more broadly how customer information is managed.
How much of your personal information does your telco provider keep?
Your telco provider surprisingly stores a lot more information about you than you’d expect. This information (including your metadata) is used to verify your identity to access those services and products required under the Privacy Act 1988 and the Telecommunications Act 1997. Metadata is the data surrounding your communications, not the communications themselves. The information your telco provider collects depends on whether you’re a customer, a job applicant, or a member of the public. It may include:
- Names, addresses & contact details (phone numbers & emails)
- Billing information (bank account & credit card details)
- Account details (including your password and username)
- Personal identification documents (passport & driver’s licence)
- Bandwidth usage such as the amount of data uploaded and downloaded
- Websites visited and online searches
- Time, date, type (i.e. phone, emails) & duration of communications
- The details of whom you’re communicating with
- IP addresses
- The location of the communication equipment used like the closest cell towers
The content of your emails, phone calls, and text messages, and your web browsing history should not be stored by your telco provider.
Telco industry security vulnerabilities
An Infosys study revealed the top three vulnerabilities telco and internet providers reported were a lack of security in enterprise IT architecture (74%), inadequate management support (64%), and keeping pace with fast-changing cyber technologies (61%). The study looked at cyber security initiatives for telco industries across the US, Europe, Australia, and New Zealand (ANZ).
How does your telco provider store & manage your data?
Telco companies remain very vague about how customer data is stored and managed, which is a red flag itself considering the sheer amount of information they deal with every day. Current metadata legislation simply states that telecommunications and internet service providers must encrypt retained data and protect it from unauthorised interference and access.
What we know is that telco companies use a combination of Customer Data Management (CDM) systems and cloud-based applications to store and process data remotely in data processing centres. These third-party service providers process, manage and store your personal information on behalf of telco companies, which poses a risk of a data leak should those service providers not comply with strict requirements about the use and protection of your details. Metadata legislation requires telco and internet service providers to encrypt all stored information. This should include some level of end-point security and end-to-end encryption. Telco providers don’t share your personal information online and your financial information should be encrypted both at rest and in transit.
3 questions to ask your telco provider
If you’re worried about how your customer and personal information is stored and managed, contact your telco and internet service provider and ask them the following questions:
1. What encryption protocol(s) do you use to secure my personal information?
Your personal information and classified communications should be encrypted with an Advanced Encryption Standard (AES) protocol which is used by governments and big businesses. AES 256-bit encryption is the most robust encryption standard commercially available today. Encrypted information is safe in transit, on the network, and even in the cloud.
2. Where is my personal information stored?
Telco providers store huge amounts of data including Personally Identifiable Information (PII), and likely use third-party cloud storage providers to manage and process it. This means your digital data is stored in logical pools and spans multiple servers in multiple locations managed by a hosting company. Keep in mind that you have the right to request access to your personal information and metadata at any time. Your telco company will just ask you to confirm your identity before giving you access to your personal information. They may require further information from you about your request. You won’t be given access to information that could interfere with the privacy of others or that would result in a breach of confidentiality.
3. What is your network security like?
Telco companies should have multi-layered network security protocols to protect the usability and integrity of their network and data (including your customer data). This should include endpoint protection, application protection, automatic security patching, firewalls, data encryption, multi-factor authentication (MFA), email and web filtering, etc. Security layers should protect IT structures, data communication networks, authentication, remote access, internet/intranet/extranet configurations, etc.
How to protect yourself from identity theft & data breach
To protect yourself from identity theft and data breaches, there are simple security practices you can implement right now. These include:
Enabling multi-factor authentication wherever possible. This is especially important for your banking apps, investment apps, or any application or software you use where your financial information is stored. MFA requires users to provide two or more verification factors to gain access to online accounts. This means that even if a hacker got your username and password, they wouldn’t be able to access your accounts without another method of authentication.
Change your passwords regularly: Update your passwords every three months to keep your online accounts secure. Make sure it’s something unique, with a combination of lower and upper case letters, numbers, and symbols if possible. Make sure passwords are different across all devices and accounts.
Opt for additional security where possible: You can enable extra security measures on some online accounts such as facial or voice recognition.
Beware of suspicious emails, texts, or calls. Always be on the lookout for any suspicious or unexpected activity on your online accounts and emails. Refrain from clicking on any links that look suspicious and never give out your passwords or personal information to anyone.
A final word
Telecommunications and internet service providers represent high-value targets for cyber criminals because they store and transmit large amounts of private and sensitive data. Keeping pace with fast-changing cyber technologies and implementing multi-layered cyber security measures are important to keep customer data and operations safe. For more information, contact us via email: [email protected].
Posted in: Security