Lessons learned from the largest Australian data breach


The Optus data breach is potentially one of the biggest cybersecurity incidents to hit Australia to date. Over tens of thousands of customer records containing personally identifiable information such as names, email addresses, dates of birth, and identification numbers including licence, passport, and Medicare numbers have been exposed publicly. Reports suggest Optus had an application programming interface (API) available online that did not require authentication or authorisation to access customer data. This means anyone on the internet who knew of that endpoint or URL could use it to gather customer data. This is a common method of attack: cyber attackers scan across the internet looking for and exploiting known vulnerabilities. It could have been averted, though, if the necessary security policies had been in place.

Optus had to report the data breach to the Office of the Australian Information Commissioner and will soon face penalties and sanctions, resulting in reputational damage and potential customer and financial loss.

What can we learn and how can you protect your business from this kind of incident?

  1. Have a colleague double-check that everything is in the clear. An extra pair of eyes could minimise a cybersecurity incident like this.
  2. Consider the security repercussions of opening your ports to the public. If and when, for whatever reason, you need to do this, flag it for follow-up so that access is whitelisted to only those users who should have it.
  3. Regularly review the cybersecurity strategy you have in place. With rapidly evolving cyber threats, it should continuously evolve too, not be set and forgotten.
  4. Minimise your risks by incorporating an industry-recommended cybersecurity risk mitigation strategy such as the Essential Eight in your cybersecurity plan. Recommended by the Australian Signals Directorate (ASD), the Essential Eight will drastically lower your risks through these strategies:
    1. Application Whitelisting. Allow only trusted and approved applications to run on your network. Maintaining a set of pre-approved apps prevents malicious programs from running automatically.
    2. Operating System Patching. Determine existing patching systems, patching schedules, and server/workstation patching compliance. This lets you mitigate vulnerabilities in operating systems that need patching.
    3. Configuration of Office Macros. Review Office macros and current policies to prevent untrusted macros carrying malware from running automatically.
    4. Multi-Factor Authentication. Use a second factor such as a physical token or mobile device to make it more difficult for cybercriminals to access your systems, even when the password has been breached.
    5. Application Patching. Determine patching procedures and levels for popular web browsers, Microsoft Office, Oracle Java, and PDF viewers. This helps mitigate vulnerabilities in apps that need patching.
    6. Restriction of Administrative Privileges. Review admin privileges on specific IT systems and grant the necessary permissions only to those who need them.
    7. User Application Hardening. Ensure that unauthorised applications such as Adobe Flash Player or Java applets, which have been known to deliver malware, are not used in browsers.
    8. Review Backups. Ensure regular backups of data so you can get it back if you suffer a cyber-attack. Determine RTO/RPO, retention period, online/offline backups, offsite storage location, and a test restoration schedule.
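As an added illustration (not code from the original article or from Optus), the exposure pattern described above is shown beside a hardened customer lookup that applies item 2's network whitelist, then authentication, then per-record authorisation before any data leaves. The customer records, bearer tokens and the 10.20.0.0/16 allowed network are constructed assumptions.

```python
import hmac
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample records (hypothetical values, not real customers).
CUSTOMERS: Dict[int, Dict[str, str]] = {
    1001: {"name": "A. Sample", "email": "a@example.invalid", "licence": "LIC-0001"},
    1002: {"name": "B. Sample", "email": "b@example.invalid", "licence": "LIC-0002"},
}
# Constructed sessions: bearer token -> customer id the token was issued to.
SESSIONS: Dict[str, int] = {"tok-a": 1001, "tok-b": 1002}
# Item 2 of the article: only whitelisted networks may reach the endpoint at all
# (assumed network for this example).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]


def unauthenticated_lookup(customer_id: int) -> Optional[Dict[str, str]]:
    """The exposure pattern the article describes: whoever knows the endpoint
    and supplies an id gets the full record, with identity never checked."""
    return CUSTOMERS.get(customer_id)


def source_allowed(client_ip: str) -> bool:
    """Network whitelist check: is the caller inside an allowed network?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def hardened_lookup(client_ip: str, token: Optional[str],
                    customer_id: int) -> Tuple[int, Optional[Dict[str, str]]]:
    """Three gates before any data leaves: source whitelist, authentication,
    then per-record authorisation. Returns an HTTP-style (status, body)."""
    if not source_allowed(client_ip):
        return 403, None
    if not token:
        return 401, None
    principal: Optional[int] = None
    for known, cid in SESSIONS.items():
        # Constant-time comparison so token validity does not leak via timing.
        if hmac.compare_digest(known.encode(), token.encode()):
            principal = cid
    if principal is None:
        return 401, None
    if principal != customer_id:
        # Valid session, but not entitled to another customer's record;
        # checked before the existence lookup so ids cannot be enumerated.
        return 403, None
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, None
    # Minimise what is returned: the identity document number stays server-side.
    return 200, {"name": record["name"], "email": record["email"]}
```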

Identify your weakest links

Most organisations think they’re fine until something like a cybersecurity incident hits them. Don’t let your organisation become the next cybersecurity statistic: learn where your vulnerabilities lie. That is the key to assessing where you stand and how you can improve your security posture.

If you are not sure where to start, we’re here to help you assess your risks based on the Essential Eight. Please do not hesitate to get in touch by contacting us at or 1800 126 499.
