Optus hack could affect 10 million Australians
A massive cyberattack has exposed the details of a “significant” number of Optus’s 10 million Australian subscribers. Customer names, dates of birth, phone numbers and email addresses have been accessed, as well as some physical addresses and driving licence or passport numbers.
The breach affects both current and former customers. Optus, the second largest telecom company in Australia after Telstra, stressed that payment details and passwords were not compromised and that mobile and internet services were not affected. The company has alerted customers it believes are at particular risk of follow-up incidents such as identity theft and phishing attacks. Optus is working with the Australian Cyber Security Centre to investigate the incident (which could cost the company millions) and has rejected suggestions that the attack stemmed from human error.
People who believe they have been affected should ensure they have Multi-Factor Authentication (MFA) enabled, change online passwords and monitor their accounts for unusual activity. The incident is also a useful prompt for companies to remind employees of the importance of online safety.
Uber and Rockstar may have been hacked by the same teenager
Separate breaches of ride-sharing app Uber and gaming colossus Rockstar Games may have been coordinated by the same teenager. On 15 September, Uber’s servers were breached. Less than a week later, unsanctioned videos of Rockstar’s highly anticipated Grand Theft Auto VI were shared on an online forum.
The poster, known as “teapotuberhacker”, claims to be 18 years old and to have gained access via social engineering attacks using messaging service Slack. The hacker allegedly compromised an Uber employee’s account and then persuaded them to hand over a password, while the Rockstar breach apparently came after the hacker bombarded an employee with push notifications until they were given access. It is not believed that the hacker gained access to confidential user information on Uber, but the Rockstar breach may have exposed Grand Theft Auto source code, which could be used to pirate the game or blackmail the company.
Uber has suggested the hacker may be associated with the Lapsus$ group, and British police later arrested a 17-year-old man on “suspicion of hacking”. But whoever the perpetrator is, a clear message for organisations emerges from the hack: train your staff to recognise social engineering attacks and protect your data with better access controls or zero-trust frameworks.
Agencies’ data management must improve, warns ombudsman
A report from the Commonwealth Ombudsman has highlighted compliance lapses across a number of government agencies. Bodies including the Australian Competition and Consumer Commission (ACCC) and the Department of Home Affairs were found to have gaps in their record keeping and room for improvement in the way they store and erase data.
The Interception and Access Act regulates access to data by government departments and law enforcement agencies. These agencies are allowed to store personal data used in investigations, but must weigh the value of the data and the level of intrusion against an individual’s privacy. “The individual generally does not know the agency has accessed their communications or data,” explained Commonwealth Ombudsman Iain Anderson. “This means the individual cannot access complaints or other review mechanisms that would ordinarily be available where they consider an agency has acted unreasonably.” The report has made multiple suggestions for improvements and best practice, with some observers questioning whether some agency powers should be limited.
Bathers left exposed by Christchurch hot pools breach
The personal data of up to 20,000 people has been exposed in a data breach in Christchurch. Items such as drivers' licences, passports, tenancy agreements and utility bills – used as proofs of residence by bathers at the He Puna Taimoana pools – were all discovered to be unsecured.
Some initial reports suggested the information had been stolen by a hacker, but it now appears that the breach was noticed by a researcher, who informed Christchurch City Council that the data had been left unsecured in a Microsoft Azure cloud container. But while the data appears not to have ended up in the hands of criminals, it shows the danger of both storing data longer than is required (there’s no real need for the council to keep the proof of residence documentation once individuals are registered) and of storing assets where they can be discovered by specialist search engines. As more and more data and services are hosted in the cloud, companies must stay alert for threats.
Impersonation exploit discovered in Okta authentication
A research team has found a flaw in the Identity and Access Management (IAM) app Okta. The exploit allows administrators to give themselves or a third party the same access as an existing user that has already passed multi-factor authentication (MFA).
The exploit, discovered by a threat hunting team, involves the administrator completing their own MFA check before changing their details to those of their victim. They are then able to access the victim’s services without having to enter a password or go through another MFA check. The researchers said that the exploit had already been used by cybercriminals.
Okta is used for cloud-based authentication and identity control by millions of people around the world, but has been hit by several breaches. In March, the hacking group LAPSUS$ used a contractor’s laptop to access customer data. The latest news comes weeks after password manager LastPass announced that it had suffered a breach. Yet while these high-profile problems suggest MFA apps have problems to iron out, they remain far safer than systems secured with straightforward passwords and credentials, and more and more of us will move beyond passwords in the years to come.
Australian customers may have been affected by DoorDash breach
Food delivery company DoorDash, which reaches 80% of the Australian population, has suffered a breach. The company says that one of its partners was hit by a “sophisticated phishing campaign” and that “certain personal information maintained by DoorDash was affected”.
The breach occurred after an employee at the partner organisation had their credentials stolen. These were then used to access some of DoorDash's internal tools, which allowed the attackers to access personal details. The stolen data includes names, email addresses, delivery addresses, and the last four digits of payment card numbers. DoorDash is working with external security experts and law enforcement, and is notifying affected parties.
It’s not uncommon for data held by third parties to get compromised – as online assets become more widely distributed, organisations must work closely with partners and supply chains to ensure cyber resilience.