Cyber Daily


How to build a safer data future after the Optus breach

After the nation’s second-largest telco was hacked, leading to the leak of thousands of Optus customers’ sensitive data, University of Melbourne cyber security expert and deputy director of the Defence Science Institute, Associate Professor Toby Murray, discusses tips on how consumers can minimise their risk and how future breaches can be prevented.

Reporter
Tue, 04 Oct 2022

Optus has announced that it has appointed Deloitte to conduct an independent external review of the recent cyber attack, and its security systems, controls and processes on the recommendation of Optus chief executive officer Kelly Bayer Rosmarin, with the unanimous support of the Singtel board.

The situation has been closely monitored since the security incident came to light on Thursday, 22 September. As part of the review, Deloitte will undertake a forensic assessment of the cyber attack and the circumstances surrounding it, after the major data breach at Australia's second-largest telecoms company compromised the sensitive information of around 10 million customers.

In a University of Melbourne blog post, Defence Science Institute Associate Professor Toby Murray outlined what customers can do and suggested preventative measures to avoid a similar breach in future.


First, don’t panic, according to Associate Professor Murray, who advised that it's important to be alert, but not alarmed.

"The stolen data might be used by scammers who want to target Optus customers directly.

"So be on the lookout for texts and emails purporting to be addressed to Optus customers impacted by this breach, especially ones that ask for sensitive information or payment," Associate Professor Murray explained.

"The second thing consumers can do is to strengthen their online digital security, especially for financially sensitive accounts.

"If your bank offers two-factor authentication, but you haven’t yet enabled it, do so.

"If it offers a physical authentication token like a YubiKey or RSA SecurID, then you should opt in for that too," Associate Professor Murray added.

"The third thing is to strengthen accounts that you access over the phone.

"Call up your bank and ask them to put in place additional verification methods on your account.

"That way, if somebody phones the bank claiming to be you, they need to answer an additional security question or provide a one-time code sent by SMS to your mobile phone, or similar," Associate Professor Murray said.

Last week, aiming to take a further step to help reduce the risk of identity theft, Optus announced that it would offer the most affected current and former customers, whose information was compromised because of a cyber attack, the option to take up a 12-month subscription to Equifax Protect at no cost.

Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft. No passwords or financial details have been compromised.

The most affected customers will be receiving direct communications from Optus over the coming days on how to start their subscription at no cost. Please note that no communications from Optus relating to this incident will include any links as we recognise there are criminals who will be using this incident to conduct phishing scams.

To help reduce the risk that the stolen identity information will be used to successfully impersonate you, Associate Professor Murray added, consumers can also try to have their driver’s license or passport reissued. Passports can be reissued with new numbers by lodging an ordinary passport renewal application.

"Some states like Victoria and Queensland are currently refusing to reissue new driver’s license numbers to victims of data breaches, unless they can demonstrate that they have been victims of identity theft or fraud.

"However, this option may be worth trying if you live elsewhere," Associate Professor Murray said.

Consumers may also consider taking up commercial identity theft prevention services, such as those offered by companies like Norton and Equifax.

"These services include, for instance, monitoring to detect when your personal information has been exposed online, plus insurance cover to help cover the costs you suffer if your identity is stolen.

"Free services that are widely used also include HaveIBeenPwned, which will notify you when your email address has been detected in a public data breach," Associate Professor Murray added.

Consumers should also consider contacting the three major credit bureaus in Australia: Equifax, Experian and illion, to request regular credit reports, Associate Professor Murray added. These include information about when somebody has applied for credit in your name, allowing you to detect when you may be a victim of identity theft. Customers can also request a credit ban, which will prevent anyone from applying for credit in your name for 21 days, and if you are the victim of fraud, such bans can be extended beyond that period.

The Optus breach reportedly occurred because of a simple yet common problem with its website, which allowed anyone to request the sensitive information of arbitrary Optus customers without first having to log in or authenticate themselves. In other words, there was no access control, even though the details of one customer should not be made available to any other.

According to Associate Professor Murray, companies deploying websites that handle sensitive data can reduce the risk of these kinds of problems by ensuring that new features are heavily tested, including via security penetration testing and automated security fuzz testing, to weed out these kinds of bugs before the site goes live and has the potential to harm customers.
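The class of flaw described above, and the kind of automated pre-release check that catches it, can be shown in a few lines. This is an added illustration, not Optus code or anything from Associate Professor Murray's post: the handler names, the `Session` type and the customer records are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; identifiers and values are made up.
CUSTOMERS = {
    "1001": {"name": "Sample Customer A", "licence_no": "CONSTRUCTED-A"},
    "1002": {"name": "Sample Customer B", "licence_no": "CONSTRUCTED-B"},
}

@dataclass
class Session:
    customer_id: str  # the customer this login belongs to

def lookup_unprotected(session: Optional[Session], customer_id: str):
    """The flaw as reported: no login check and no ownership check."""
    return 200, CUSTOMERS.get(customer_id)

def lookup_protected(session: Optional[Session], customer_id: str):
    """Hardened form: authenticate first, then authorise per customer."""
    if session is None:
        return 401, None  # not logged in
    if session.customer_id != customer_id:
        return 403, None  # logged in, but asking for someone else's record
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)

def access_control_failures(handler):
    """Pre-release check: list the cases where the handler misbehaves."""
    cases = [
        ("anonymous request", None, "1001", 401),
        ("other customer's record", Session("1002"), "1001", 403),
        ("own record", Session("1001"), "1001", 200),
    ]
    failures = []
    for label, session, target, expected in cases:
        status, body = handler(session, target)
        leaked = expected != 200 and body is not None
        if status != expected or leaked:
            failures.append(label)
    return failures

if __name__ == "__main__":
    print("unprotected:", access_control_failures(lookup_unprotected))
    print("protected:  ", access_control_failures(lookup_protected))
```

Run against every data-returning endpoint before release, a check of this shape fails the build as soon as a handler answers an anonymous or cross-customer request.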

"Bug bounty programs can also help to ensure that bugs missed during testing before deployment are more likely to be safely found and fixed even after a site goes live.

"The Optus breach was dangerous because Optus’ systems retained sensitive customer information like driver’s license and passport numbers.

"Indeed, telecoms companies like Optus regularly collect and retain a lot of sensitive customer information as part of their business operations," Associate Professor Murray explained, "telecoms companies are required by law to do so, including retaining sensitive metadata.

"Companies should collect as little information as required to operate their businesses.

"Governments should pass laws with sufficient penalties for violations of this basic principle," Associate Professor Murray added.

"Governments should not pass laws that require or incentivise companies to collect more information than is necessary, and existing laws that do so should be repealed or rewritten."

In the USA, Associate Professor Murray further explains, companies that suffer data breaches are required in some states to offer free identity theft protection services like credit monitoring to their impacted customers.

"Australia should impose similar requirements on companies like Optus, to ensure that the cost of breaches is not placed on consumers who are not at fault, but rather on the companies.

"In situations where a company has been negligent, civil remedies might also be made available to its consumers."

Finally, Associate Professor Murray noted that it remains to be seen whether the Optus breach will see a shift in the Australian landscape surrounding data breaches.

"The government and opposition have each already proposed legislation in response to this breach, but many of the remedies proposed so far would not have helped in this case.

"As always when designing legislation, knee-jerk reactions are rarely productive in the long term and many competing interests need to be carefully balanced, which requires careful, sober analysis, informed by expert advice.

"Let’s hope that the ultimate outcome of this data breach is that consumers will be better protected in future, with better access to remedies if or when their data is compromised," Associate Professor Murray concluded.
