Hackers Exploited Coding Error, Says Australian Communications and Media Authority
Hackers behind the leak of 10 million records from Australia’s second-largest telecommunications carrier Optus exploited a vulnerability the company unwittingly inserted four years earlier into a web portal access control.
An investigation by the Australian telecoms regulator said hackers in September 2022 found a “coding error” in the access control shielding an application programming interface connecting the Optus customer portal with a back-end database. The watchdog said the API URL – api.www.optus.com.au – hadn’t been actively used since 2017.
The data breach at the Singtel-owned company “was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge,” said the Australian Communications and Media Authority in a court filing that became public Wednesday.
“It was carried out through a simple process of trial and error.”
The regulator sued Optus in May, alleging the telecom company failed to protect sensitive customer data from unauthorized access (see: Australian Telecom Watchdog Sues Optus Over 2022 Data Breach). It is seeking penalties in respect of the leaked records belonging to 3.6 million active Optus subscribers.
The regulator said a developer in September 2018 made an access control coding error that left both the API URL and the main portal domain open to hacking. Optus fixed the vulnerability in August 2021 so hackers couldn’t access the main portal but “did not detect or fix that same issue” for the API domain.
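The failure pattern the regulator describes, a fix applied to one hostname while a sibling, dormant API host kept the same defect, can be shown in code. The following is an added illustration, not Optus's code or the actual 2018 defect: the request shape, the hostnames and the two policy tables are assumptions, chosen to contrast a per-host access-control table with a deny-by-default gate that treats the host header as routing, not as authorization.

```python
"""Per-host access control (defect shape) beside a host-independent gate.

Added example. Hostnames ending in .test, the session check and both host
tables are assumptions; they are not taken from the incident itself.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def is_authenticated(req: Request) -> bool:
    # Stand-in for a real session-token validation (assumed).
    return req.headers.get("Authorization") == "Bearer valid-session"


# --- Defect shape: authentication is required per host. ---
# A later fix adds the main portal host to the table; an API host that
# nobody remembers is never added, so it keeps serving anonymous requests.
AUTH_REQUIRED_HOSTS = {"www.example-portal.test"}  # assumed inventory


def vulnerable_allow(req: Request) -> bool:
    if req.host in AUTH_REQUIRED_HOSTS and not is_authenticated(req):
        return False
    return True  # any host absent from the table is served without a session


# --- Hardened shape: deny by default, authentication independent of host. ---
# Only hosts in active service are routed at all; a dormant API domain is
# refused outright, and every routed host still needs a valid session.
ACTIVE_HOSTS = {"www.example-portal.test"}  # assumed inventory


def hardened_allow(req: Request) -> bool:
    if req.host not in ACTIVE_HOSTS:
        return False  # dormant or unknown host: not routed
    return is_authenticated(req)  # same gate for every routed host


if __name__ == "__main__":
    anon_api = Request("api.example-portal.test", "/customers/1")
    print("defect serves anonymous API request:", vulnerable_allow(anon_api))
    print("hardened gate serves it:", hardened_allow(anon_api))
```

The practical check the hardened form implies is an inventory of hosts that are meant to be in service; anything resolving to the application but absent from that inventory, like an endpoint unused since 2017, is a finding rather than a forgotten exception.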
A hacker who later apparently went by the moniker “Optusdata” on a criminal breach forum exploited the coding error between Sept. 17, 2022, and Sept. 20, 2022 (see: Optus Attacker Halts AU$1.5 Million Extortion Attempt).
The data breach included the full names, telephone numbers, birthdates and email addresses of active subscribers. The physical addresses of most active subscribers were also included in the leak, and identifiers such as driver’s license numbers or birth certificate information were also leaked for a majority of active subscribers.
Interim Optus CEO Michael Venter said the incident significantly dented customers’ trust and the company continues to provide credit monitoring services to affected customers and reimburse the costs of replacing identity documents.