There have been two major data breaches in Australia this year that have attracted plenty of media attention and customer outrage. The first was Optus in September, followed a month later by Medibank. Each breach affected around 10 million customers. For Medibank, this included exposing the private data of the Prime Minister.
The ransoms demanded were reportedly $US10m from Medibank and $US1m from Optus. The estimated cost to the organisations could be as high as $140m each.
Two points are clear from the ransomware hacks of Medibank and Optus. The first is that their cybersecurity was inadequate to keep out professional cybercriminals. The second is that it would have been a lot cheaper and less damaging for them to have paid the ransoms – which many companies silently do.
Below, we’ll take a look at what happened in each case and discuss ways you can protect your business and your own personal data, should you be a victim of a data breach.
How the Optus breach occurred
Optus reportedly made the mistake of storing the sensitive data of millions of customers in one place. The data was not taken in a cyber attack per se, but through an unprotected, publicly exposed Application Programming Interface (API): the cyber equivalent of leaving the front door open.
The API didn’t require user authentication before accepting a connection. With no authentication policy in place, anyone who discovered the API on the internet could connect to it without submitting a username or password.
According to UpGuard, a US-based cybersecurity company, this was one of three major security flaws in the way Optus managed its data.
- Public-facing API
An API should never be public-facing if it provides access to sensitive internal data or permits interactions with core business operations. An example of an open API that follows API security best practice is the Google Maps API. Any data available through that API is completely isolated from Google’s core business processes, so it cannot be used to cause a data breach.
- Open API facilitated access to very sensitive data
To understand how sensitive the data exposed by the API was: whenever an Optus customer loads their account information, whether via the Optus mobile app or the Optus website, an API like the one that facilitated the breach completes the request. Optus’s backend processes pulled sensitive customer records to build the customer profile, which is why the breach exposed driver’s licence numbers, phone numbers, dates of birth and home addresses.
- Use of incrementing customer identifiers
Digital systems tend to identify customers by a unique sequence of numbers and letters. These are the identifiers that are called upon when a customer loads their account. Best cybersecurity practice is that each customer identifier, or contactID, should be completely unique and unrelated to other identifiers, so that an attacker cannot discover the formula that determines each customer ID. In Optus’s case, each customer identifier differed from the previous one by an increment of 1. For example, if one customer had the identifier 5565, the next customer in the database could be found with the identifier 5566. This made the process of stealing data much easier, allowing the hackers to write a script that requested every customer record in the database by simply incrementing the contactID index by one.
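To make the first and third flaws concrete, here is an added example (not Optus code, and not UpGuard’s analysis) of a toy customer-profile endpoint written two ways. `vulnerable_lookup` has the two faults described above: it accepts no caller identity and keys records by an incrementing integer, so any anonymous caller can read a neighbouring record. `hardened_lookup` (in the `CustomerApi` class) requires a session token, checks that the requested record belongs to the authenticated customer, and keys records by random UUIDs. Every name, token and record below is constructed for illustration.

```python
"""Unauthenticated sequential-ID lookup beside a hardened equivalent.

Added illustration, not code from Optus or any real system. All customer
records, licence numbers and tokens are constructed placeholders.
"""
import secrets
import uuid
from dataclasses import dataclass
from typing import Optional


class ApiError(Exception):
    """Raised by the hardened handler; carries an HTTP-style status code."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    date_of_birth: str
    licence_number: str  # constructed placeholder, not a real licence


# --- Vulnerable design -------------------------------------------------------
# Records keyed by an incrementing contactID and served to anyone who asks.
SEQUENTIAL_DB = {
    5565: Customer("5565", "Alice Example", "1980-01-01", "LIC-PLACEHOLDER-1"),
    5566: Customer("5566", "Bob Example", "1975-05-05", "LIC-PLACEHOLDER-2"),
}


def vulnerable_lookup(contact_id: int) -> Optional[Customer]:
    """No authentication, no ownership check: the flaw itself, kept for contrast."""
    return SEQUENTIAL_DB.get(contact_id)


# --- Hardened design ---------------------------------------------------------
class CustomerApi:
    def __init__(self):
        self._db = {}        # customer_id (uuid4 string) -> Customer
        self._sessions = {}  # bearer token -> customer_id

    def add_customer(self, name: str, dob: str, licence: str) -> str:
        # uuid4 gives 122 random bits: knowing one ID reveals nothing about the next.
        # Note that random IDs alone are not a substitute for the checks in lookup().
        cid = str(uuid.uuid4())
        self._db[cid] = Customer(cid, name, dob, licence)
        return cid

    def login(self, customer_id: str) -> str:
        # Stand-in for a real authentication flow; issues an unguessable bearer token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = customer_id
        return token

    def lookup(self, token: str, customer_id: str) -> Customer:
        # 1. Authentication: no valid session means 401, whatever ID was asked for.
        caller = self._sessions.get(token)
        if caller is None:
            raise ApiError(401, "authentication required")
        # 2. Object-level authorisation: a customer may read only their own profile.
        #    Answer 404 rather than 403 so the endpoint does not confirm which IDs exist.
        if customer_id != caller or customer_id not in self._db:
            raise ApiError(404, "not found")
        return self._db[customer_id]


def demo() -> dict:
    """Exercise both designs on the same two customers; returns the outcomes."""
    api = CustomerApi()
    alice = api.add_customer("Alice Example", "1980-01-01", "LIC-PLACEHOLDER-1")
    bob = api.add_customer("Bob Example", "1975-05-05", "LIC-PLACEHOLDER-2")
    alice_token = api.login(alice)
    results = {}
    # Vulnerable: an anonymous caller reads the record next to its own.
    results["vuln_neighbour_read"] = vulnerable_lookup(5566) is not None
    # Hardened: no token at all.
    try:
        api.lookup("", alice)
    except ApiError as err:
        results["no_token"] = err.status
    # Hardened: Alice's valid token used against Bob's ID.
    try:
        api.lookup(alice_token, bob)
    except ApiError as err:
        results["other_customer"] = err.status
    # Hardened: Alice reads her own record.
    results["own_record"] = api.lookup(alice_token, alice).name
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership check in `lookup` is the part that actually closes the hole: switching to UUIDs only removes the “add one and try again” shortcut, while the authentication and authorisation checks mean a leaked or guessed identifier still returns nothing to a caller who does not own it.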
How the Medibank breach occurred
According to The Guardian, the Medibank data breach began with the theft of credentials belonging to an individual with privileged access to Medibank’s internal systems. The credentials were then sold on the dark web to an unconfirmed buyer, who used them to gain access to Medibank’s internal system.
Once inside the internal system, the threat actor located a customer database and used the stolen privileged credentials to write a script that automated the exfiltration of customer data. The stolen data was placed into a zip file and extracted through two established backdoors. Although Medibank’s security team allegedly detected suspicious activity at this point, by then 200GB of customer data had already been stolen.
Internal credential theft is one of the first objectives of almost every cyberattack and usually occurs through phishing. Phishing is an attempt to steal sensitive information, typically usernames, passwords, credit card numbers, bank account details or other important data, in order to use or sell it.
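The account described above: a single privileged account pulling a whole customer database, noticed only after 200GB had left. Below is an added example of the kind of volume-based check that surfaces this pattern early; it is not Medibank’s detection logic. It parses application audit lines, counts customer-record reads per account per 10-minute window and raises an alert when a count exceeds that account’s normal baseline by a configurable factor. The log format, account names, baselines and every log line are constructed for illustration.

```python
"""Flag bulk customer-record reads in an application audit log.

Added illustration, not a real product's or Medibank's detection logic.
Log lines, account names and baselines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log():
    """Constructed sample audit lines (not real logs).

    A support agent reads three records during business hours; a service
    account reads sixty records in five minutes overnight, which is the
    shape a scripted export produces.
    """
    lines = []
    day = datetime(2022, 10, 12, 9, 0, 0)
    for i in range(3):
        ts = (day + timedelta(minutes=15 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts} account=agent_example action=read_customer "
                     f"record=c-{1000 + i:04d} src=10.0.5.20")
    night = datetime(2022, 10, 13, 2, 10, 0)
    lines.append(f"{night.strftime(TS_FORMAT)} account=svc_batch action=login src=203.0.113.7")
    for i in range(60):
        ts = (night + timedelta(seconds=5 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts} account=svc_batch action=read_customer "
                     f"record=c-{2000 + i:04d} src=203.0.113.7")
    return lines


def parse_line(line: str) -> dict:
    """'<timestamp> key=value key=value ...' -> dict with a parsed 'ts' field."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts_text, TS_FORMAT)
    return event


def reads_per_window(lines, window_minutes: int = 10) -> dict:
    """Count read_customer events per (account, window start)."""
    counts = defaultdict(int)
    for line in lines:
        event = parse_line(line)
        if event.get("action") != "read_customer":
            continue
        ts = event["ts"]
        bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        counts[(event["account"], bucket)] += 1
    return counts


# Constructed baselines: normal read_customer count per 10-minute window.
BASELINE_READS = {"agent_example": 20, "svc_batch": 3}


def flag_bulk_reads(lines, baselines=BASELINE_READS, factor: int = 5,
                    default_baseline: int = 1) -> list:
    """Return one alert per (account, window) whose reads exceed factor * baseline.

    Accounts with no recorded baseline fall back to default_baseline, so an
    unknown account doing bulk reads is flagged rather than ignored.
    """
    alerts = []
    for (account, bucket), count in sorted(reads_per_window(lines).items()):
        limit = factor * baselines.get(account, default_baseline)
        if count > limit:
            alerts.append({"account": account, "window": bucket.isoformat(),
                           "reads": count, "limit": limit})
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_reads(constructed_log()):
        print(alert)
```

A per-account read budget like this is coarse, but it is cheap to compute from logs most applications already emit, and a scripted export of millions of records blows through it within the first window rather than after hundreds of gigabytes. Pairing the alert with the source address and time of day (the constructed service account above is reading overnight from an address it has never used) gives an analyst enough context to act on it.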
Some ways that Medibank could have avoided the data breach include:
- Educating employees: cyber threat awareness training can teach employees how to recognise and correctly respond to corporate credential theft attempts from phishing attacks.
- Implementing the Principle of Least Privilege (POLP): the principle of least privilege, also known as “least privilege access,” is the concept that a user should only have access to what they absolutely need in order to perform their responsibilities, and no more. This should be a standard security policy for all Australian businesses since excessive privileges present a significant security risk.
For more on this see: 10 ways to protect your business from phishing attacks
What to do if your business has a data breach
As a business, it’s vital to understand your privacy and data obligations and to develop an appropriate plan to ensure effective responses to potential data breaches. The Notifiable Data Breach Scheme (NDB) sets out mandatory reporting requirements for organisations in case of a data breach involving personal information. The Scheme applies to entities covered under the Australian Privacy Act 1998 (‘Privacy Act’).
It’s becoming clearer every day that data breaches can happen to any business. However, companies can let down their customers not only by allowing their data to be taken in the first place, but also by taking days to let those customers know.
For example, the pain associated with the Optus data breach could have been somewhat eased had the company been quick to contact its 10 million or so affected customers. It didn’t; instead, it notified the media.
In addition, they provided very little information to customers about what they should now do to protect themselves from fraud.
What to do if your personal data has been compromised
You may hear about a data breach directly from an affected organisation, or read about a breach in the media. Details of publicly known breaches may also be available at Have I Been Pwned, where you can enter your email address or phone number to find out if you’ve been caught up in a known breach.
If your personal data has been stolen as part of a data breach it’s important to monitor your emails, bank statements and transaction history for any suspicious or irregular activity. This includes:
- Any unfamiliar banking transactions or direct debits
- Emails requesting confirmation of purchases or subscriptions
- Unauthorised credit enquiries appearing on your credit history
- Text messages or emails regarding account logins from a new device
- Invoices for accounts you never opened
- Expected mail, statements or invoices no longer being received
You should also consider:
- Implementing strong password management: there are effective online tools available that can assist you with your password management, including 1Password and LastPass.
- Setting up multi-factor authentication (MFA): this is a security measure that requires two or more proofs of identity to grant you access to an account.
It’s also worth checking out the Australian Cyber Security Centre’s online tool called Have you been hacked which takes you through what you should do, based on the type of data that was breached.
The risk to reputation and business of a data breach
According to The Australian, tens of thousands of customers left Optus in the month after its data breach and its churn rate (customers ending business) jumped 50% higher than normal. New sales also decreased by 25%.
The Australian Financial Review reported that Medibank shares plummeted in late October after the company stated it couldn’t give an assurance that a criminal who accessed health records of more than 4 million past and present customers had actually left the company’s systems. About $1.75 billion was wiped off their market value.
In both cases it’s clear that the companies’ IT security systems were not up to scratch, and this has cost them both dearly. Using a Managed Services Provider (MSP) such as Neo Technologies, which offers the latest cybersecurity services such as email and spam filtering and anti-virus solutions, could help more businesses remain secure and counter phishing attempts.
Boosting your cybersecurity
With over 25 years of industry experience, Neo Technologies can keep your company secure, connected and compliant, allowing you to focus on achieving your current and future business goals. We offer end-to-end IT services, solutions, support and advisory with a depth and breadth of specialised knowledge that sets us apart from our competitors. Contact us on 1300 661 832 to learn more about ways we can help protect your business from phishing and cybersecurity attacks.