Optus Under $1 Million Extortion Threat in Data BreachExclusive: Optus Attacker Says Unauthenticated API Endpoint Led to Breach
Australia’s second-largest telecommunications company is facing a US$1 million extortion demand to prevent the sale of what an attacker says are up to 11.2 million sensitive customer records.
Also, in an exclusive, the attacker has revealed to ISMG how Optus's network was hacked. ISMG has also confirmed that the stolen data belongs to Optus.
The data breach, which ranks as one of the country's largest ever, is under investigation by the Australian Federal Police. Optus, which is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group, detected it on Sept. 21.
Early Saturday, a person going by the nickname "Optusdata" published two samples of the stolen data on a well-known data leak forum. The attacker writes that Optus can prevent the sale of the data to other cybercriminals if it pays $1 million in the Monero cryptocurrency.
Optusdata writes that Optus has one week to pay otherwise the data will be put up for sale.
The two data samples contain around 100 records each and include data fields such as name, email address, physical address, passport number, driver's license number, birthdate, whether a person owns their home or not, and more. The data covers current and former Optus customers.
An Optus spokesperson said on Saturday, "We are investigating the legitimacy of this" data.
Leaked Data Appears Legitimate
Information Security Media Group found strong signs that the data originated with Optus.
One way to figure out if a breach came from an organization is to enter the leaked email addresses into Have I Been Pwned. HIPB is a data breach notification service. Subscribers are alerted if their email address appears in a new breach. An email addresses can also be entered into HIBP to see if it has appeared in a past breach.
ISMG tested 23 email addresses that appeared in the Optus sample data. Most had appeared in previous breaches, but six had not. That is an indication that the Optus sample data is real.
Also, some personal records do not have a recognizable email address from major providers. Instead, there are email addresses that appear to have been assigned by Optus. For example "firstname.lastname@example.org." Those addresses also do not appear in HIBP, suggesting that this is the first time those have been breached.
In looking at one of the sample data sets, this reporter also recognized a local street address. This reporter went to the residence on Saturday morning and found the woman whose data had been exposed. She was working in her yard.
When handed a printout of the data, she confirmed it belonged to her. She was an Optus customer until around 2018. Optus has said it believes the leaked data may date back to 2017.
Breach Source: Unauthenticated API
The Australian broadcaster ABC reported on Friday a possible cause for the breach.
The ABC quoted a "senior figure" inside Optus who said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
APIs are software interfaces that allow systems to exchange data, but they could pose risks of data breaches if exposed directly to the internet. Optus declined to comment on the explanation and disputed that "human error" may have played a role.
ISMG made contact with Optusdata on the forum where the data samples were released and asked how the data had been stolen. The person confirmed the data had been exfiltrated from an unauthenticated API. To put it another way, the API did not require anyone to log in in order to access its functionality.
Optusdata wrote in a message: "No authenticate needed. That is bad access control. All open to internet for any one to use."
The API endpoint was "api.www[dot]optus.com.au." It’s an odd URL, but Optusdata says it could be exploited to extract Optus's customer database. The API is now offline, so there is no more risk for Optus. The API was used in part to let Optus customers access their own data.
That same API endpoint was also passed to ISMG on Saturday by a separate anonymous source. That person says the API was hosted in Google Cloud/Apigee. When Optusdata started frequently accessing that API, it triggered a security alert. A suspiciously high volume of data was coming from that API, which was a signal to Optus of malicious behavior.
Optusdata says they enumerated the customer records via the
contactid - a field that appears in the leaked data samples. It's unclear how Optus used the
contactid. By enumerating, the hacker means they sequentially accessed and downloaded the customer records using the API.
Contacted on Saturday night with this information, an Optus spokeswoman said the company did not have an immediate comment.
Optus is in the process of notifying those affected. Not all of those affected had the same amount of data exposed. Optus said on Friday it will offer "expert third-party monitoring services" for those at heightened risk. It has also warned customers to be wary of potentially fraudulent emails and text messages.
Optus will face a range of regulatory inquiries about its data handling practices, including from the Office of the Australian Information Commissioner, which is the country's data protection agency.
The Guardian reported that Australia's Attorney-General's Department is seeking an "urgent" meeting with Optus to hear of the company's plan to mitigate the effects of the breach for those affected.
In a separate story, The Guardian reported that in 2020 Optus argued against giving consumers stronger rights over control over their data during a federal review of the country's Privacy Act.
Optus opposed giving consumers a right to erase their personal information, citing "significant technical hurdles," it reported. The company also opposed greater consumer power to take legal action against companies over data breaches, the publication wrote.