OK, first off, “It wasn’t me !!!” Even though the title may indicate otherwise.

Just in case you’re not in Australia and have no idea what this is about. Optus is Australia’s second-largest Telco, with around 11 million subscribers. On September 22nd 2022 they suffered a major data breach where it was announced that PII (Personal Identifiable Information) data of almost all their customers was stolen. Now, we’re not talking about the phone number and the name, nooo, basically everything that is required to really disrupt someone’s life. This included names, addresses, date of birth, drivers-licence details, passport details, banking and payment information, other identity verifiers like Medicare numbers, and potentially other grade two1 or three details that would allow a person to accrue enough points for online or phone identity verification. Let me be clear here, NO OPTUS CUSTOMER IS SAFE FOR YEARS TO COME !!.

In order to have most of these details changed, it would take you at least 1 to 2 years. Details like your name and date of birth are pretty much ingrained in your personality and thus as a combination should never be trusted anymore as identity flags. Your drivers licence number stays with you for as long as you have it in a particular state and thus, unless you move interstate, is also tied to you indefinitely. Unless you move, your address is also pretty much stuck. Your passport would be easy to replace however the backend verification of passport details is often lacking. So even when you have replaced your passport, the company you’re dealing with may not actually verify the validity of the details themselves. That could cause the problem that any sort of financial contracts may still be closed with expired data and it may take time for companies to deal with the fallout.

How could this happen

Optus claims this was a sophisticated attack. Given the fact they have not shared any technical details, I find this hard to believe. In a general sense, any form of sophistication would also have secondary fall-outs where hackers would try to gain access to other parts of the infrastructure so that more strenuous demands could be made. Obtaining almost all data of every customer you have is about as bad as you can get, however, when hackers then also gain access to the operational side of the fence where large parts of the infrastructure could be held at ransom, would basically mean that the entire company has to shut down and start a major cleaning operation. That could take months if not years depending on the size of the infrastructure. That would then also entail that the entire phone and digital business is untrustworthy and no customer (private or business) would be able to make calls and would lose their connectivity. Optus then, would basically cease to exist.

My view is that due to lack of security procedures, someone found a backdoor to this information. It was most likely not the real “production” data, but a copy which often gets used in software development and test environments to be able to produce software that is programmed against a known set of data. Unfortunately, these copies and environments are most often not treated with the same sense of security as their production source. This makes them more vulnerable for leaks, mistakes, unchecked copies and may also end up in locations like software version control repositories.

Optus would even be in a more dangerous situation if someone found a key to the front-door and would’ve had access to the actual production data. Obviously the above is currently speculation, but as long Optus does not provide more details, this is the most viable explanation.

Furthermore, as the below was posted on the 27th of September, would contribute to the fact that we’re not dealing with an group of people that is well organised and has multiple levels of penetration methodologies in organisations. This is someone who has become very scared of the attention it received and with multiple government agencies now chasing him/her is now withdrawing demands. This does not mean that what he/she claims is actually true. He/she may still keep the data and still put it up for sale when things have cooled off. Very likely when customer help from Optus has stopped via the various credit companies like Equifax. This will then surface on other parts of the dark web in subsets of the data, and Optus would not even be contacted or mentioned. This is then even a more frightning scenario as hacking atempts can then come from a multitude of locations with various intervals.

How to prevent this from happening?

If anyone had the answer to this, he/she would be a billionaire and this wouldn’t have happened at all. As in many things in life, a lot depends on humans and humans make mistakes. Whether this is related to technical, procedural or any other decision that is made, at some stage there is a chance that someone drops the ball.

There are basically two side to this problem. First is the legal requirement for identity verification and secondly the technical methodology that sits behind this.

The first is something that policy maker should handle. These are the people that determine that companies have to fulfill a number of requirements to be able to do business. In many sectors, such as the telecoms and financial businesses, that has to do with trust. “Am I really dealing with the person who he/she claims he/she is“.  That needs to be verified across a variety of methods like documents, legal declarations etc. As soon as that trust is established, this needs to be verifiable, and this is where is most often goes wrong as now we’re going into the technical side of the fence

What happens is that the data that is used for verification purposes gets stored and is then accessed by software via various functions. The authorisation and methodology of retrieval of the data itself results in someone’s ability to check this data at a later data to see if person X is really the same one that got the details verified at a prior date. You would’ve had many questions when you call a service provider, like a bank, and you need to provide your details. That is where the flaw begins.

Even though the data itself may be stored on an encrypted medium, this does not mean that there is functionality in the software that is able to decrypt that data for exactly this purpose. That also means that when copies are made from any production version, this is done in unencrypted format, as otherwise there would not be any possibility for the developers or testers, to test against. As I mentioned earlier, these copies could end up anywhere.

Obviously, companies need to maintain a set of customer details in order to contact them, send them invoices and provide services. Your date-of-birth may need to be stored to verify if you’re allowed to buy a product or service legally. None of these details should be used as any form of identity verification.

There are mathematical option which are used in computer science for a long time which allow a one-way encoding of data, which is called hashing. This means that a certain piece of data gets mangled through a mathematical equation which returns an encoded value.

For example, a hashing method is SHA (Secure Hashing Algorithm). When I enter my name into this algorithm, you get the following output

echo erwin | sha256sum
e82165cdc03827ced61cfa9fc46ea2e497f921529d610e600dfd320eded7b51e –

The bold output cannot be reversed into the original input. That is the entire idea of the hashing methodology. A second example is my date of birth

echo 29-02-1963 | sha256sum
b979b10e85d3bf3303d81eca58e58f9c114b1b75cf173ee7e980a3c77494e8f5 –

I can even use a combination of the two

echo erwin-29-02-1963 | sha256sum
fdf4d5c27e085737d789dfe2f72fac94cb00f0ceb4ecc6973d128b6698e475e2 –

As you can see the size of the output does not change. This makes it impossible to determine what the actual input was. (I could send and entire book through this algorithm and it would still show an output with the same length.) Companies could use any form of PII data, hash this through an algorithm like this, store the output and discard the original input. When customer service representatives need to verify the person on the phone they only need to enter the details the person provides, the software will encode this in the same way and subsequently compares the output with the value that was stored. When these match, it can be safely assumed that the person you’re dealing with is the same that provided the details earlier. At least in the same way it does now with a representative checking your actual details.

When this data is leaked the hacker would only end up with a set of hashes which is of no use as he or she does not know what the original input was. (If he/she already knew, what would be the point of hacking after all.)

A second benefit is that employees of the company also have no incentive of stealing the data. There are numerous examples where grumbled ex-employees put company confidential data on the internet. If this data is as useless as the output of the hash itself there is no value that can be associated to the data and therefore would not serve any purpose.

So what about encryption?

The counterpart of encryption is decryption. This means there is a method of mathematically calculating the source back into the original value. This happens with various methods of cryptography but the underlying thought is that it requires a key that will then allow the reverse calculation to occur. It still would not solve the issue for the PII data when copied/exported via the same software that encrypted it.

Now, software developers are smart people, and they know the hashing methodology for a long time. It’s been around for decades. The problem is that businesses, as well as some legislation, require them to write the software in such a way that much of this data can be used for other purposes than identification verifiers. One obvious thing is marketing. If you know your customer base and are able to churn that data into all sort of groups, it is very beneficial to target these groups based on certain characteristics, and increase your sales to that certain demographic.

That data is so enormously useful for companies up to the point they become an “Optus” and all this is played out in public.

Much of the problem can also be attributed to legislation. If governments require companies to store data for any purpose they seem fit (national security comes to mind) and for a period that would not make much sense, it becomes a burden as well as a major hassle for companies to handle this. When demands for profits then increase, you see that the actuall handling of the data is done in a way that fulfils the legal demands but it not further assessed. This leads to stale information and exponentially increases a security risk.

There is a task for both legislators and businesses to provide a framework where PII data is handled in a way it is intended. Currently, there are too many loose ends that allow incidents like this Optus nightmare, to happen.

To CEO’s, CIO’s, CISO’s

I’m fairly sure you know the tightrope you’re walking when handling customer data. Be aware the information you have does not belong to you. Handle it accordingly. You cannot wiggle your way out of an Optus scenario with 50 pages of Terms & Conditions and, so called, Privacy exclusions. Your company is likely next and you will be the next Kelly Bayer Rosemarin looking at a class action to handle.

To legislators

Optus is not the only one, and most issues they currently encounter is a direct result of what has gone through parliament based on requirements you thought was needed for whatever reason. You are also not technical nor experienced enough to make decisions on this level. In short you are as responsible for what happend with Optus as they are.

Regards

Erwin