Full Report
A hacker reportedly stole ~11 million records of customer PII (dated 2017) from Optus, an Australian telco company. The data was disclosed and put on sale in late September 2022. According to information obtained by a reporter who claimed to be in contact with the hacker, the root c...
Analysis Summary
# Incident Report: Optus Customer Data Breach
## Executive Summary
In September 2022, Australian telecommunications provider Optus suffered a major data breach involving the exfiltration of personally identifiable information (PII) belonging to approximately 11 million current and former customers. The breach was facilitated by an unauthenticated API endpoint that allowed the attacker to programmatically scrape sensitive data. Optus faced significant regulatory scrutiny, a $1 million USD ransom demand, and massive reputational damage following the incident.
## Incident Details
- **Discovery Date:** September 21, 2022
- **Incident Date:** Mid-September 2022
- **Affected Organization:** Optus (Singtel subsidiary)
- **Sector:** Telecommunications
- **Geography:** Australia
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately September 2022
- **Vector:** Vulnerable API Endpoint
- **Details:** The attacker identified a publicly accessible, unauthenticated API (api[.]optus[.]com[.]au). This endpoint was reportedly a legacy testing interface that was inadvertently exposed to the internet.
### Lateral Movement
- **Details:** Minimal lateral movement was required. The attacker leveraged the exposed API to query internal databases directly via the web interface.
### Data Exfiltration/Impact
- **Details:** The attacker used an automated script to iterate through internal customer IDs. Over several days, the attacker exfiltrated records for ~9.8 to 11 million customers. Data included names, dates of birth, phone numbers, email addresses, and for a subset, driver's license or passport numbers.
### Detection & Response
- **Sept 21, 2022:** Optus detected unusual activity on its network.
- **Sept 22, 2022:** Optus publicly announced the breach.
- **Sept 23, 2022:** An individual using the alias "optusdata" posted a sample of the data on a hacking forum, demanding $1 million USD in Monero (XMR).
- **Sept 27, 2022:** The attacker purportedly deleted the data and withdrew the ransom demand due to excessive media and law enforcement attention, but not before leaking 10,000 records.
## Attack Methodology
- **Initial Access:** Exploitation of an unauthenticated API endpoint.
- **Persistence:** Not applicable (direct API scraping).
- **Privilege Escalation:** Not required due to lack of authentication on the "test" endpoint.
- **Defense Evasion:** Use of multiple rotated IP addresses to bypass basic rate limiting.
- **Credential Access:** None needed; the endpoint did not require a login.
- **Discovery:** Web reconnaissance/fuzzing of subdomains.
- **Lateral Movement:** Internal API requests to the customer database.
- **Collection:** Automated scripts to scrape PII data.
- **Exfiltration:** Standard HTTPS requests to pull data through the exposed API.
- **Impact:** Massive data theft and attempted extortion.
## Impact Assessment
- **Financial:** Estimated costs exceeded $140 million AUD (remediation, customer notification, and replacement of government IDs).
- **Data Breach:** ~11 million records containing PII (Names, DOB, IDs).
- **Operational:** Significant diversion of IT and legal resources for months.
- **Reputational:** Severe loss of public trust; subject of multiple class-action lawsuits and government inquiries.
## Indicators of Compromise
- **Network indicators:** Traffic directed to hxxps[:]//api[.]optus[.]com[.]au from non-standard or residential IP ranges.
- **Behavioral indicators:** High-volume, sequential requests to customer ID endpoints; unusual data spikes on legacy/test API subdomains.
## Response Actions
- **Containment:** Immediately disabled the vulnerable API endpoint and blocked the attacker's identified IP addresses.
- **Eradication:** Conducted a comprehensive audit of all internet-facing APIs to identify similar vulnerabilities.
- **Recovery:** Partnered with government agencies (Equifax, IDCARE) to provide credit monitoring and identity protection services to affected customers.
## Lessons Learned
- **Shadow IT/Legacy Systems:** Testing environments and legacy APIs must be decommissioned or kept behind strict Access Control Lists (ACLs).
- **API Security:** "Security through obscurity" is not a defense; APIs must require authentication and authorization (OAuth2, API keys).
- **Rate Limiting:** Lack of aggressive rate limiting and anomaly detection allowed for large-scale scraping.
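The behavioral indicators above (high-volume, sequential requests to customer ID endpoints) and the rate-limiting lesson both point to the same detection: key the anomaly check on the ID sequence being walked, not on the client IP, so that rotating source addresses does not defeat it. The following is an added example, not code from the report or from Optus; the log format, the `/api/customer/<id>` path and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log format: <ip> [<ISO time>] "GET /api/customer/<id> HTTP/1.1" <status>
LOG_RE = re.compile(r'^(\S+) \[(\S+)\] "GET /api/customer/(\d+) HTTP/1\.1" (\d{3})')

def parse(lines):
    """Yield (minute_bucket, ip, customer_id) for every customer-lookup line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, ts, cid, _status = m.groups()
            yield ts[:16], ip, int(cid)   # "2022-09-17T10:00" -> one-minute bucket

def detect_enumeration(lines, min_run=20, max_gap=2, per_ip_limit=30):
    """Return findings for per-IP bursts and for sequential customer-ID walks.

    The enumeration check pools IDs across all source IPs in the minute, so a
    scraper that rotates addresses to stay under per-IP limits is still seen.
    """
    by_minute = defaultdict(list)
    for minute, ip, cid in parse(lines):
        by_minute[minute].append((ip, cid))
    findings = []
    for minute, hits in sorted(by_minute.items()):
        per_ip = defaultdict(int)                      # basic rate-limit style check
        for ip, _ in hits:
            per_ip[ip] += 1
        for ip, n in per_ip.items():
            if n > per_ip_limit:
                findings.append({"minute": minute, "type": "burst", "ip": ip, "count": n})
        ids = sorted({cid for _, cid in hits})         # longest near-consecutive ID run
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            findings.append({"minute": minute, "type": "enumeration", "run": best,
                             "source_ips": len({ip for ip, _ in hits})})
    return findings

def build_sample():
    """Constructed sample: one scraper walking IDs 500000.. across five rotating
    IPs (8 requests each, under the per-IP limit), plus three ordinary lookups."""
    lines = [f'198.51.100.{i % 5} [2022-09-17T10:00:{i:02d}Z] '
             f'"GET /api/customer/{500000 + i} HTTP/1.1" 200' for i in range(40)]
    for sec, cid in [(5, 17320), (20, 903311), (41, 44012)]:
        lines.append(f'203.0.113.7 [2022-09-17T10:00:{sec:02d}Z] "GET /api/customer/{cid} HTTP/1.1" 200')
    return lines

if __name__ == "__main__":
    for finding in detect_enumeration(build_sample()):
        print(finding)
```

On the constructed sample the per-IP burst rule stays silent while the pooled enumeration rule fires, which is exactly the gap the "Defense Evasion" entry describes.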
## Recommendations
- **Zero Trust Architecture:** Implement strict authentication for all API endpoints, regardless of whether they are "internal" or "public."
- **API Inventory:** Maintain a formal registry of all public-facing APIs and conduct regular automated vulnerability scanning.
- **Data Minimization:** Ensure legacy data (dated 2017) is purged according to a strict data retention policy if no longer required for business or legal purposes.