In 2022, Optus faced a massive cyberbreach that compromised the personal information of millions of customers.
Recent details revealed as outlined in ACMA filing, have revealed that the breach was allegedly enabled by an access control coding error.
This incident has sparked widespread concern and criticism over Optus’s cybersecurity protocols.
Experts now suggest several measures that could have prevented the breach, highlighting the importance of robust cybersecurity for the biggest companies in the world.
The Incident
The breach exposed sensitive customer data, including names, addresses, and contact details, due to a flaw in Optus’s access control coding.
This error enabled unauthorised individuals to bypass security restrictions and access protected information.
The repercussions were severe, shaking customer confidence, with thousands of customers cancelling their Optus plans, and prompting a detailed examination of Optus’s security measures.
Fast forward two years, and Optus are now the most distrusted brand in Australia, despite recent efforts to win back the trust of the Australian consumers.
Potential Preventative Measures
Interim CEO Michael Venter acknowledged the need for ongoing efforts to restore customer trust. “Optus recognises that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal,” Venter stated.
Venter also acknowledged how the system was exploited, with many cybersecurity experts giving their opinions.
Cybersecurity experts have identified several steps that Optus could have taken to avert the breach:
- Rigorous Code Review and Testing: Industry standards emphasize regularly and thoroughly reviewing code to identify and fix errors. A robust testing regime, combining both automated and manual reviews, could have caught the access control flaw before exploitation.
- Enhanced Access Control Mechanisms: Adopting more sophisticated access control methods, such as role-based access control (RBAC) or attribute-based access control (ABAC), could provide finer control over data access permissions and reduce the risk of misconfiguration.
- Penetration Testing: Conducting regular penetration tests to simulate cyber-attacks can uncover vulnerabilities within a system. Such tests might have exposed the access control issue, enabling Optus to address it before it became a target.
- Security Audits: Periodic security audits by independent experts offer an impartial assessment of a company’s security framework. These audits could have detected the coding error and suggested necessary improvements.
- Employee Training and Awareness: Continuous cybersecurity training for developers and IT staff is critical. Educating personnel on best practices in secure coding and access control could help prevent such errors.
- Multi-Factor Authentication (MFA): Implementing MFA also known as 2FA, adds an additional security layer, requiring multiple verification methods before granting access. This measure could have mitigated risks even if access control errors were present.
- Incident Response Planning: Having a comprehensive incident response plan is vital to minimise the impact of breaches. Such a plan should include protocols for swiftly identifying, containing, and mitigating the effects of a breach.
What You Can Do To Protect Your Information
In the wake of this breach, millions of customers anxiously awaited to see if they were affected.
To help minimise stress and better protect your information in case of future incidents, here are some proactive measures you can take.
Hide My Email
Many email providers offer a feature called “Hide My Email,” which allows you to create unique, random email addresses that forward messages to your personal inbox.
This helps protect your real email address from being exposed and reduces the risk of your email being compromised in a data breach.
Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) adds an extra layer of security to your online accounts.
By requiring a second form of verification, such as a text message code or authentication app, 2FA makes it significantly harder for hackers to gain access to your accounts, even if they have your password.
Authenticator apps such as Microsoft, also alert you when someone signs into your account, or even tries to access it.
Back-Up Phone Numbers
Consider using an inexpensive back-up phone number for account verification purposes.
You can use pre-paid mobile numbers solely for security verification, keeping your primary contact number private and less vulnerable to attacks.
For instance, I use a cheap $10 SIM per year for all my 2FA codes and back-up contact information, ensuring my personal number remains protected.
Requesting Data Deletion
In some cases, you can request your telecommunications provider to delete your personal information.
To do this, contact your provider directly, as details are typically available in their privacy policy.
However, your personal information cannot always be deleted, especially if legal obligations require the provider to retain it.
For instance, the Telecommunications Interception and Access Act 1979 may require your service provider to keep certain personal data for a specified period.
Looking Forward For Optus
The Optus cyberbreach serves as a important lesson on the importance of robust cybersecurity practices from our Telco providers.
As cyber threats become increasingly sophisticated, it is imperative for companies to adopt proactive and comprehensive security measures.
That said, it’s becoming more and more hard with the advancement of technology, and we are seeing multiple data breaches across countries and telecommunication providers.