Businesses around the world, including in Australia, face increasingly sophisticated and innovative cybercriminals targeting what matters most to them: their money, data and reputation. Earlier this month Optus fell victim to a major cyberattack. Here is everything you need to know about it, as well as nine steps every business around the world and in Australia needs to take to avoid being next.
Optus Data Breach - Everything you need to know
Optus has suffered a massive cyberattack. The sensitive information of nearly 10 million customers has been exposed by cybercriminals, and data has been stolen from 2.8 million of those customers. The details, dating back to 2017, include names, birth dates, phone numbers, email addresses, and – for some customers – addresses and driver’s licence and passport numbers.
How did the attack happen?
Based on the initial investigation, the cybercriminals were able to access Optus’s customer identity database through an API, or Application Programming Interface. Optus had an API that didn’t require any authentication to access the customer data within. Because the API was exposed to a test network that could be accessed from the internet, anyone with knowledge of its existence could access the customer database.
Although Optus is adamant that it was the victim of a sophisticated cyberattack, the Home Affairs minister Clare O’Neil has compared the vulnerability that allowed Optus to be attacked to an individual leaving a window open in their home.
Who is responsible?
Since the Optus data breach went public, an individual has come forward on a data breach forum claiming to have the data stolen from Optus. The individual, known as ‘Optusdata’, initially threatened to sell the sensitive data unless Optus paid a ransom of US$1M. The user then went on to post 10,000 customer records on the forum; however, they recently deleted their post and apologised.
What is the impact on Optus?
A cyberattack of this scale is devastating to any company. Optus will face financial implications as well as immense reputational damage. They will lose profits to competitors as existing and potential customers go elsewhere, and will need to cover the cost of fixing their cybersecurity and compensating customers.
If we are to draw from cyberattacks in the past:
T-Mobile (2021) - the US telecommunication company faced a class action lawsuit that led to a settlement for the data breach of $US500 million, which was split between their customers ($US350 million) and the cost of repairing IT infrastructure ($US150 million).
Sony (2015) - suffered a cyberattack that led to the company paying nearly $US8 million to 800 of its employees to cover the cost of identity theft.
What is the impact on Optus’ customers?
As for the impact on its current and former customers, the sensitive data exposed by the data breach is likely to be distributed on the dark web, allowing cybercriminals to use this data to commit identity theft and fraudulent credit applications or to carry out more targeted phishing campaigns.
Former and current customers of Optus need to stay vigilant and avoid clicking on any links in emails unless their legitimacy has been validated. They need to also keep an eye out for signs that their data has been compromised.
9 Steps Australian Businesses Need To Take Now
Now that you have an overview of the Optus data breach, here are nine steps your business needs to take to avoid being a victim of a similar cyberattack:
1. Understand and assess your cyber risk
One of the first steps Australian businesses need to take is to understand their cyber risk. In simple terms, cyber risk is the risk of potentially negative consequences due to your business’s information systems failing or being disrupted, damaged or destroyed by a malicious individual via unauthorised access.
By understanding cyber risk, businesses can gain better knowledge on how to protect all of their assets, as well as their sensitive and protected data. In addition, it also helps with compliance, as many standards require a level of cyber risk management. Understanding where you have cyber risks is also essential in determining how to best prepare your business in the event of a cyberattack or data breach.
It is important to note that assessing cyber risk is not something that should be performed once. Your Information Security teams need to continuously monitor and assess cyber risk as your business grows and cyber threats evolve.
2. Ensure your APIs are secured
An API is an application programming interface, which means an interface to exchange information from one application to another. It has been widely used since the advent of web-based applications to avoid the need for manually pulling data from one application to another. These interfaces sit within the application’s architecture and should be designed to give access only to authorised users to interface and exchange information.
In the instance of the Optus data breach, it appears the Optus API was open to anyone who knew the address. These individuals would then be able to access the customer data stored within without any kind of authentication or authorisation. It is unknown whether this API was left unsecured due to negligence or purposely by an insider. Australian businesses need to learn from this and ensure that APIs are secured appropriately, e.g. with access controls for authentication and authorisation, data encryption, firewalls and the application of rate limiting.
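As an added illustration (not code from Optus or from the original article), the sketch below applies three of the API controls named above, authentication, authorisation and rate limiting, to a customer-record lookup. The token format, function names, limits and sample records are all assumptions constructed for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: really loaded from a secrets manager
RATE_LIMIT = 5                     # assumption: max requests per caller per window
WINDOW_SECONDS = 60

# Constructed sample data standing in for a customer identity database.
CUSTOMERS = {"1001": {"name": "Sample A"}, "1002": {"name": "Sample B"}}
_recent_calls = {}                 # caller id -> timestamps of recent requests

def issue_token(customer_id, role="customer"):
    """Return 'id.role.signature'; the HMAC stops callers forging id or role."""
    payload = f"{customer_id}.{role}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token):
    """Return (customer_id, role) for a valid token, otherwise None."""
    parts = (token or "").split(".")
    if len(parts) != 3:
        return None
    customer_id, role, sig = parts
    expected = hmac.new(SECRET, f"{customer_id}.{role}".encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(sig.encode(), expected.encode())  # constant-time compare
    return (customer_id, role) if ok else None

def allow_request(caller, now):
    """Sliding-window rate limit: at most RATE_LIMIT calls per WINDOW_SECONDS."""
    calls = [t for t in _recent_calls.get(caller, []) if now - t < WINDOW_SECONDS]
    allowed = len(calls) < RATE_LIMIT
    if allowed:
        calls.append(now)
    _recent_calls[caller] = calls
    return allowed

def get_customer(record_id, token=None, now=None):
    """Return (HTTP status, body) for a request to read one customer record."""
    now = time.time() if now is None else now
    identity = verify_token(token)
    if identity is None:
        return 401, None                       # authentication: no valid credential
    caller, role = identity
    if not allow_request(caller, now):
        return 429, None                       # rate limiting: slows bulk retrieval
    if role != "support" and caller != record_id:
        return 403, None                       # authorisation: own record only
    record = CUSTOMERS.get(record_id)
    return (200, record) if record else (404, None)
```

The order of checks matters: a request with no valid credential is rejected before any data store is touched, and an authenticated customer still cannot read another customer's record.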
3. Train and build awareness around cybersecurity
Humans are the weakest link in a business’s defences. One click of a link in an email by an employee can give cybercriminals access to your critical systems and networks. Security awareness training is a strategy that should be implemented by all businesses to prevent and mitigate risk when it comes to compromising their information security. These programs are specifically designed to provide employees with clarity regarding their roles and responsibilities when it comes to upholding information security.
A successful security awareness program helps employees understand proper cyber etiquette and the security risks associated with their actions, and helps them identify cyberattacks they may encounter during their day-to-day operations. Human error continues to be the biggest threat to a business's information security. By providing employees with thorough and regular training and awareness when it comes to information security, businesses can greatly reduce the chance of cyberattacks and instil a strong cybersecurity culture within their organisation.
4. Implement access controls
All Australian businesses need to implement access controls to ensure that only authorised employees can access sensitive data and systems. By strategically assigning employees the correct level of access depending on their role and responsibilities in the business, the overall risk of suffering extensive damage from a cyberattack is effectively mitigated, irrespective of whether it comes from an external actor or from internal errors. It is also essential to have appropriate steps in place to revoke access when an employee leaves the business.
An effective method of implementing access control is by following the concept of least privilege. Least privilege is defined as the strict assignment of access rights and permissions for users, accounts, applications, systems, devices and computing processes, to the absolute minimum so that assigned organisational activities can be carried out. It gives users the bare minimum permissions they need to perform their work. This also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.
5. Ensure your software is regularly updated
Cybercriminals take advantage of known vulnerabilities to hack your devices. Regular system updates include security upgrades that patch these vulnerabilities. Ensuring that employees are installing the latest patches and updates to the software can help reduce the chance that a cybercriminal exploits a known weakness to gain access to your system or network. A good way to stay on top of updates is to turn on the automatic update function on software and systems. If this isn’t available, it is the employee’s responsibility to check for updates regularly.
6. Evaluate third-party risk
Third-party risk refers to the potential threat presented to a business’s employee and customer data, financial information and operations by third-party vendors, e.g. suppliers and other outside parties that provide products and/or services and have access to your systems. It is essential for businesses to do their due diligence when partnering with a vendor, e.g. ensuring that the vendor has adequate information security policies in place, and to continue to monitor that these standards are upheld when the vendor handles their valuable data.
7. Maintain data backups
A backup is a digital copy of your business's most important information, e.g. customer details and financial records. This can be saved to an external storage device or to the cloud. An automatic backup is the default or ‘set and forget’ system that backs up your data automatically, without human intervention. Backups are important because data losses can occur in many forms, from hard drive failures to ransomware attacks and even human error or physical theft. Regardless of the incident, a data backup could enable you to restore the data stored on your devices. Data backups can greatly reduce the downtime a business could face in the event of a ransomware attack.
8. Enforce Multi-factor Authentication & Password Management
Businesses should ensure that employees implement two-factor or multi-factor authentication on their devices. Multi-factor authentication, such as two-factor authentication, requires another factor in addition to the username and password before access is granted, and can increase the chances of preventing unauthorised endpoint access.
Businesses also need to encourage strong password management practices amongst employees, ensuring that passwords are being updated regularly, are unique and not shared amongst accounts. Strong password management is an essential part of endpoint security. If an attacker gets access to login credentials, strong password management can lessen the impact, e.g. if passwords are unique and not reused, attacker access can be restricted to a single account.
9. Ensure you have an Incident Response plan
Organisations that suffer a cyberattack usually are not aware of the presence of a malicious actor until it is too late, or their security teams don’t take appropriate action as soon as a threat is identified, either downplaying the severity of the attack or ignoring it entirely.
Incident Response plans help organisations and their various departments and employees aptly respond to threats. Strong IR plans include guidelines for roles and responsibilities, communication plans, and standardised response protocols. These factors help establish a clear procedure for responding to cyber incidents, effectively reducing their negative effects, such as downtime, financial impacts and reputational damage.
How can StickmanCyber help?
We know that cybersecurity can be an overwhelming prospect for business owners, especially ones that own small to medium businesses with a limited budget. There are many things to consider when building a cybersecurity strategy, like which framework to follow and what to prioritise when it comes to implementation. At StickmanCyber we are here to help you with your cybersecurity journey.
With cybersecurity attacks growing, most businesses lack the skills and time to mitigate their risks. We provide a comprehensive, fully managed service that protects and certifies your business, mitigating your risks, building trust, and helping you win and retain clients. Speak to an expert today to learn more about how you can protect your business.