by tonteldoos on 9/22/22, 5:18 AM with 100 comments
by jiggawatts on 9/22/22, 6:22 AM
There was a court-enforced order requiring them to apply security updates to their production systems. That was in response to a previous breach.
You see, until a judge made them do it… they weren’t patching anything. They would just build systems and walk away. For some software systems they had every major and minor version deployed, like a museum of software history.
They had operating system versions in production that were in my university text books… in the late 1990s.
Their interpretation of the court order was to update only production systems. Non-production on the same network was not to be touched.
And by “update” they meant simply running the system update tool, which does precisely nothing on software that has passed its end-of-extended-support before some of the IT staff on the payroll were born.
They also fired their entire IT staff recently and replaced them with a low-cost Indian outsourcer.
Most of the above is a matter of public record. I wish I could tell you all about things that are still under NDA.
by gonzo41 on 9/22/22, 9:18 AM
by robertwt7 on 9/22/22, 6:07 AM
Geez, ID document numbers are such a big thing. Now hackers can basically call most institutions and impersonate victims. This is quite huge.
by tonteldoos on 9/22/22, 8:29 AM
Some more information here (not my preferred source, but oh well): https://www.news.com.au/technology/online/hacking/up-to-9-mi...
It seems around 2.8m have had 'all' data stolen (including ID, address, etc), and around 7m 'just' names, DoB and numbers/e-mail addresses.
Apparently Optus is working on sending personalised details to customers.
What a monumental stuff up.
by fblp on 9/22/22, 6:15 AM
It is interesting that compared to identity theft announcements from many US corporations they are direct, apologize and state the authorities they are working with. I imagine there's less fear of the legal consequences of not having a tight response as the culture isn't as litigious.
by hestefisk on 9/22/22, 11:29 AM
by kdtsh on 9/22/22, 10:55 AM
My coworker got hit by massive targeted identity theft which started with their SIM, provided by Optus. The attackers were able to successfully port my coworker’s Optus number and then hacked their Optus email which had everything in it. It took them months to undo the damage, and more trouble was always around the corner usually while they were sleeping or the service being hit didn’t have support staff online. Do Optus even have any security checks at all for preventing fraud?
Lessons: if the service doesn’t support MFA, don’t use it; don’t put all your service eggs in one basket; don’t assume that your phone number is safe, and act accordingly.
Optus needs to pay for this and I don’t just mean dollars. Comfortable people with responsibilities they failed to keep need to see gaol time, or at the very least lose their jobs and not be allowed to walk back into the revolving door for a long time. This is outrageous.
by top_post on 9/22/22, 6:10 AM
No, just your identity is. If you're Australian, you or someone you know will be in this. What a total fuck up.
by qwery on 9/22/22, 9:52 AM
- the notification being finding a link to their quietly released press release on HN this afternoon? Thanks Optus!
- cyberattack is the word to use to encourage speculation that a nation-state was behind the breach, that there was no way to defend against this and to avoid saying "data breach"
- here "customer information" means current and former Optus customers' personal information
by popcorncowboy on 9/22/22, 10:33 AM
The story HAS to be that if you, as an exec in power, know your company has deficient safety protocols regarding its care of toxic material, the breach of which is known to cause serious damage and harms, AND you do nothing: hello personal prosecution, reaching right through the corporate veil.
Until we set this kind of legal precedent for the egregious disregard for the integrity of private and personal data, this is just going to keep happening.
by Traubenfuchs on 9/22/22, 2:20 PM
The way that is implemented SHOULD be mostly unhackable, with everything server side being encrypted and inaccessible without user action and communication with MC's backend.
Still, this is not a good look for trust. Should we now go to Australian customers and say "and now you authenticate via the Optus app, it's super secure" while they immediately think of this hack?
by triggercut on 9/22/22, 2:16 PM
Well, I tried to complain... for you see after going through multiple pages/steps in the UI, when it came time to review and submit, after you press submit you are told that they can't receive complaints online at this time.
So I wrote in the web feedback form instead. At least that went through. As will, I hope, my screenshots of the process to the ombudsman.
In nearly all these microservice components, the UI has an outdated copyright year in the footer. 2016 in the feedback app, 2017 in a preference update component. The year sits right underneath a lock symbol and some text telling you how secure they are.
This tells me a number of things. Either no one has smoke-tested that component for 6 years, or no one picked up that the year was off, or it has been picked up and left in the backlog because of other priorities, leaving me to ask what else could be in the aged backlog, but really telling me they don't have the resources to do or take software or UX seriously.
by Karupan on 9/22/22, 6:20 AM
by yieldcrv on 9/22/22, 6:40 AM
Okay so this was half the country.
I can't honestly understand how anyone thinks KYC laws make sense if anyone can make a bank account as anyone else, and it all looks like legitimate money or the human is getting framed while the criminal just rotates IDs.
by tsujp on 9/22/22, 5:49 AM
by ps-oz on 9/25/22, 12:55 PM
"Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, and the number of the ID document you provided such as drivers licence or passport number. No copies of photo IDs have been affected.
It is also important to know that Optus’ network and Optus services including mobile and home Wi-Fi aren’t affected, and no passwords were compromised, so our services remain safe to use and operate as per normal."
Effectively saying, don't change your password. Hackers don't need it.
by exodust on 9/22/22, 8:47 AM
I hated their mandatory text messages that couldn't be blocked, such as upcoming bill reminders. Spam my email as much as you want, but stay out of my text messages!
by ehPReth on 9/22/22, 5:53 AM
by YPPH on 9/22/22, 6:38 AM
by ostenning on 9/22/22, 3:34 PM
by steve_mcdougall on 9/22/22, 7:03 AM
by vertis on 9/22/22, 7:26 AM
For comparison, visit https://www.telia.ee/en and you're prompted for your smart card or associated Smart ID (which is mobile app you can bootstrap from your smart card).
No more need to do a 100 point check (and then hold that information indefinitely), it's been done.
Even if you don't like the Estonian system it's high time to get serious about digital identity and stop pretending that knowing your DoB etc (or social security number in US) is a secure mechanism of proving identity.
Aside: Highly recommend Estonia's e-residency program. Great place to run a company. Future focused.
by jeeeb on 9/22/22, 12:00 PM
Haven’t actually received any communication about the breach from them yet either.
Seems like a complete screw up. They couldn’t even notify their customers before everyone found out on the news.
I wouldn’t trust Vodafone to organise a piss up in a brewery… maybe Telstra are better (hah!)
by jaimex2 on 9/22/22, 12:11 PM
by wwfzyn on 9/22/22, 6:18 AM
by tsujamin on 9/22/22, 7:19 AM
by libpcap on 9/22/22, 6:05 AM
by samstave on 9/22/22, 6:10 AM