What You Don’t Know Can Hack You
Optus, the second largest telecom vendor in Australia, was hacked, and the hackers want a million dollars in exchange for not selling the data on ten-plus million people that they stole.
Optus is being investigated over the breach by the Australian Federal Police.
The hacker leaked sample data that appears to validate that the breach is legit.
But here is the interesting part about how the hack occurred.
Optus appears to have an API that is used to look up customer records. So far, pretty normal.
APPARENTLY, this API does not require authentication. Possibly okay if there are compensating controls and it only works in a controlled environment.
BUT, this API was on a test network. Possibly okay.
With real data. NOT the best situation.
AND THE TEST NETWORK WAS EXPOSED TO THE INTERNET. Really, really bad.
The interesting challenge here is that companies will security-test systems that are supposed to be on the Internet, but this system should never have been on the Internet, so it likely would not have been tested that way.
Additionally, using live data in test is very risky, and there are ways to scramble that data so that it serves the purpose but doesn’t carry the same risk.
Having an API that doesn’t require authentication is probably never a good idea, and if there is some reason you MUST do that, you had better have a plan to secure it.
You should also maintain an inventory of all systems and all assets, and map all of that so you can detect this kind of problem. This inventory has to be maintained in real time, and automation is really helpful for doing this. The alternative is a mess like the one Optus has on its hands right now.
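One shape that inventory-plus-mapping check can take, as an added example that is not from the post or from Optus: reconcile what the inventory says about each system with what an external scan actually sees from the Internet, and flag the combinations described above (test system exposed, real data in test, unauthenticated API reachable). The asset fields, severities and sample records are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Set

@dataclass
class Asset:
    name: str
    environment: str       # "prod" or "test"
    internet_facing: bool  # what the inventory says it should be
    requires_auth: bool
    holds_real_data: bool

@dataclass
class Finding:
    asset: str
    severity: str
    message: str

def check_exposure(inventory: List[Asset], observed_public: Set[str]) -> List[Finding]:
    """Compare the inventory's stated intent with what an external scan saw (observed_public)."""
    findings: List[Finding] = []
    for a in inventory:
        exposed = a.name in observed_public
        # Intent vs. reality: reachable from outside although the inventory says internal.
        if exposed and not a.internet_facing:
            findings.append(Finding(a.name, "critical", "internal asset reachable from the Internet"))
        if exposed and a.environment == "test":
            findings.append(Finding(a.name, "critical", "test system reachable from the Internet"))
        # No authentication is tolerable only with compensating controls; once the
        # interface is reachable from outside, there are none left.
        if not a.requires_auth:
            sev = "critical" if exposed else "high"
            findings.append(Finding(a.name, sev, "API does not require authentication"))
        # Live data in test is a risk even while the network is still private.
        if a.environment == "test" and a.holds_real_data:
            findings.append(Finding(a.name, "high", "real customer data in a test environment"))
    # Hosts seen from outside but absent from the inventory mean the inventory itself is stale.
    known = {a.name for a in inventory}
    for host in sorted(observed_public - known):
        findings.append(Finding(host, "critical", "Internet-reachable host missing from inventory"))
    return findings

# Constructed sample data, not Optus's real systems.
SAMPLE_INVENTORY = [
    Asset("customer-api.prod", "prod", True, True, True),
    Asset("customer-api.test", "test", False, False, True),
    Asset("billing.internal", "prod", False, True, True),
]
SAMPLE_OBSERVED_PUBLIC = {"customer-api.prod", "customer-api.test", "legacy-vpn"}
```

Running `check_exposure(SAMPLE_INVENTORY, SAMPLE_OBSERVED_PUBLIC)` yields four findings against the test API and one for the unknown host; the production API and the internal billing system produce none.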
I suspect that Optus is in a world of legal trouble.
If you develop, test, and host systems that can be Internet facing and you are not sure how to eat this elephant, please give us a call.