Sunday, September 25, 2022

The Biggest IT News Of The Week Has Real Implications For Digital Health I Believe.

As they say, “You Would Have To Have Been Living Under A Rock” not to have noticed that Optus appears to have suffered the largest breach of personal information in Australian History!

As a reminder, here is a pretty recent article that covers a lot of the ground.

Hacked Optus data goes back five years

David Swan

David Ross

6:15AM September 24, 2022

Hackers have obtained personal customer data dating back as far as five years, the Optus chief executive has revealed, as she delivered an emotional mea culpa for a massive data breach that has affected up to 10 million customers.

Kelly Bayer Rosmarin said on Friday that current and former customers from 2017 have been caught up in the cyber attack, which has been linked to hackers using European IP addresses.

The hackers have stolen the passport, driver’s licence and phone numbers of up to 2.8 million customers – most of whom are yet to be contacted – in one of the largest data breaches in the nation’s history. Up to another seven million Optus users had their dates of birth and email addresses stolen.

The executive was on the verge of tears when asked how she felt about the data breach occurring under her leadership.

“[I feel] terrible,” Ms Bayer Rosmarin said. “It’s a mix of emotions. Obviously, I’m angry, that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer in this industry and really trying to create new and wonderful experiences for our customers.

“And I’m very sorry, and it should not have happened.”

She said early signs were that the attack originated from Europe and could have been the work of either a professional crime gang or a nation state. The company has hosed down speculation that the breach was possible due to human error by an employee, describing the ABC’s reporting as inaccurate.

Ms Bayer Rosmarin said customers should have heightened awareness and look out for any suspicious or unexpected activity across online accounts and bank accounts. Most affected customers would be contacted in coming days.

“Unfortunately, because this is not the most vulnerable information like financial detail and passwords, we don’t have a simple message of ‘just change your password’,” she said.

“Really what customers can do is just be vigilant. If they receive a notification that a password has been changed on one of their online services or their bank, and they did not initiate that, then assume that they need to report that and get on top of it straight away.”

It is understood that some Optus phone numbers have been sold online via the dark web, as early as a week ago.


The University of Sydney Law School lecturer Derwent Coshott said the stolen information could be used to open a bank account or secure a loan from an online lender.

“The usual customer due diligence requirements (for an online lender) requires 100 points of ID and if it’s being done on ID it’s usually satisfied by providing driver’s licence or passport numbers,” he said. “Even if you don’t have a sufficient amount of information you could get around that.”

Dr Coshott said the kind of data leaked suggested hackers may have accessed Optus’s own customer validation records, noting the customer data stolen fit the bill for the same data demanded by other companies to validate a customer’s ID.

“When that kind of information is held by so many organisations, as a requirement to identify whether a person is a real customer, then there’s always the risk of that information being stolen by someone,” he said.

He said the issue for many people who’d had their records hacked was the difficulty in correcting or changing that data.

“Passport numbers don’t change, drivers licence don’t change,” he said.

Here is the link for more:

https://www.theaustralian.com.au/business/technology/hacked-optus-data-goes-back-five-years/news-story/8528e08701c90e7d466c1a180699bae4

So it basically looks like a well-organised hack on what seems to be a giant but presently undefined scale.

Now I am a simple soul, but what is clear is that there are only a few customer databases of this scale, and what happened here needs to be figured out and passed on to them ASAP! Think Centrelink, the myHealthRecord, the ABC etc. in the public sector, databases in the various states, and then the big private sector systems who hold customer databases (Telstra, Wesfarmers and so on).

What I don’t understand is why the data was not encrypted, as well as being carefully segmented, and how the access to the data went on from 2017 (as is reported) with no one apparently noticing.

It is likely that the hack was based on some human error or disclosure, and it will be interesting to understand just how the authorised user was persuaded to pass the access on. Most with the access to cause a leak of this scale are well aware of the care they need to take with their access information.

I am sure there is more to come and learn from this by all. ADHA alert +++ I reckon!

What do you think is/are the likely mistake(s) here and what do you think are the key lessons for Digital Health?

David
