Not even two weeks have passed since Uber was hacked, and now Optus, one of Australia’s leading telecommunications companies, has suffered a similar, much more public fate.
In the recent Optus breach, 9 million Australians who had never actually been Optus customers have had their data compromised. Anyone who has ever shared an email address with Optus or their partners is now part of the breach, which means it’s not just existing, active customers who are at risk.
The cost to recover brand reputation at this stage is incalculable. A quick Google search on ‘Optus Data Leak’ will pull up a whopping 6.06 million results (in just under 42 seconds) and an array of mainstream news headlines. The journey to washing off this dirt will be long and expensive.
Business leaders should be taking time to dissect the two hacks, how they have occurred, and to understand if their business is at risk. While the Uber hack can be drawn down to a mistake or misfortune, rumours of an ‘open API’ that enabled the Optus breach can hardly be deemed a hack, but rather, a gross example of security negligence on the company’s behalf.
Businesses need to observe these methods, and look at ways of protecting their own patch.
Uber vs Optus: What went down?
While Uber and Optus are currently centre stage, there are thousands of hacks happening to businesses of all sizes, every day. Twilio, a US-based SMS B2B communications service was also hacked shortly before Uber in a similar fashion.
It is important to notice the difference between Uber and Optus breaches, both of which are as a result of internal negligence but in very different ways.
The Uber (and Twilio) hacks were actually savvier from a hacker’s perspective, albeit being less damaging. These hacks have been made achievable through the process of password mishandling and multi-factor authentication, and are both likely to have been at the hands of an internal member of staff who shared the wrong information with the wrong link, which then fell into the wrong hands.
These types of hacks are very convincing, and in this instance you might even pity that something this unfortunate has happened to that member of staff. But it happens.
Optus, on the other hand, is a little more shocking. Not only because of the volume of data exposed, but because the hack itself was so simple — if what we are reading turns out to be true.
What is being speculated is that the hacker was able to take this data via an open Application Programming Interface (API). APIs are commonly used by companies to share data between two systems. We operate one at Zoom2u which allows customers to send us bookings, for example.
Optus allegedly had an API that was open to the world, allowing anyone with a development background or understanding to access customer data. Not the savviest of solutions.
It’s the tech equivalent of leaving your front door wide open and expecting nothing to be stolen.
This isn’t just about one or two big hacks
Regardless of how the hacks happened, both have resulted in millions of Australians’ personal data being compromised. In Optus’ case, everything from Medicare details to drivers’ licences. Uber and Optus are not only household names, they are brands that consumers flock to in their millions for the very reason that they are safe, secure and reliable. Not today.
The problem with hacks of this scale is that they continue to evolve, domino style. The stolen data can later be used to recreate accounts for other services, including applying for credit cards, which will result in even more cases of individual theft for months to come.
Plus, there is no telling how long the allegedly open API has been accessible for, and how long it has been jeopardised.
While this one hacker has openly said that they have taken a large volume of data, what proof do we have that other hackers haven’t already accessed this API and taken a smaller amount of data — which may have gone unnoticed — prior to this point?
Optus were only made aware of this hack due to its scale, but a theft of 100,000 data records, as an example, may have gone unnoticed. While the hype and media attention is on this one big hack, it is likely that it has been happening for months.
Shifting focus to solutions
As whispers of class actions surface and fingers are pointed, businesses of all sizes should immediately shift their focus to what solutions are available to protect your own backs, and your customer’s data.
It is time to accept that hackers have become much more intelligent. It is very easy for an employee or colleague to receive an email or SMS that looks legit, so there’s no point playing a blame game.
In the instance of strengthening your multi factor authentication processes (where the likes of Uber and Twilio have dropped the ball), solutions like Yubico can be explored.
These USB-style authentication tools offer powerful protection against cybercriminals by reducing the points of infiltration from cyber criminals that are so prevalent in favoured methods today, as demonstrated by Uber and Twilio.
Instead of SMS or virtual multi-factor authentication, the USB device is plugged into the user’s computer, and they can only log into that physical device once the USB is connected. This essentially permits password details from falling into any hands but the users, and not into the wrong hands.
Businesses should be looking at rolling out physical USB devices to all of their users who need to authenticate to a network. Is it more expensive? Yes. Will the implementation and rollout of physical devices be easy? No. But I guarantee that both Uber and Optus would jump at the chance of additional hardware costs in comparison to the costs of their recent data breach scandals.
Security next steps for all
The moral of the story is not rocket science: simple security processes need to be reconsidered and need to evolve with the rapidly changing landscape. For almost two years we have repeated the mantra ‘the world is online’ — so why are these hacks coming as such a shock?
Hackers are more intelligent that we give them credit for, and businesses — especially those as big as Optus — should never underestimate how simple data intervention is, to someone with a sound development background.
Assess your current situation. Ensure any third-party security software you’re using is up to date, onboard a third-party company to run security tests on your business and teams, and implement penetration testing on server infrastructures to identify vulnerabilities.
Make security a priority, even when developing your product. This is something that should be considered at board and CEO level, especially for organisations where the potential fallout could be the nail in the coffin of an $8-12 billion dollar brand.
We will be seeing the fallout of the Optus leak for weeks and months to come. Cut up your bank cards, refresh your passwords and if you’re a business owner, start the transition to a USB structure, because this isn’t the last time we see businesses like Optus and Uber ‘tapped into’.
Comments