Impacted by the breach? Government agencies have published advice on actions to take.
Optus' latest statement says it is working with the Australian Federal Police, the Australian Signals Directorate and the Office of the Australian Information Commissioner to mitigate the risk and identify the criminals responsible for the attack. Optus CEO Kelly Bayer Rosmarin said Optus first identified the hack after someone noticed suspicious activity. She was informed of the cyber-attack in a phone call from Optus' chief information officer.
Cybersecurity Minister Clare O'Neil said Optus was hit because the company's lax security defences "left the window open for data of this nature to be stolen". Optus denies this and calls that theory of the crime "misinformation". The complex incident is still under investigation. When questioned whether the company's unsecured API was the result of human error, Ms Bayer Rosmarin said it was unclear whether this "sophisticated" attack was the work of criminal hackers or a state-sponsored assault, and that the attacker's IP address "kept moving out of various countries in Europe". She said the company understood people's desire to know the specifics of how the attack happened, but the exact mechanics are subject to a criminal investigation and the company will not divulge any details.
Optus has very strong cyber defences and is focused on investment in cyber security, so this should be a warning to all organizations. Optus's owner, Singapore telecommunications giant Singtel, apologised to the Australians affected and expressed support for Ms Bayer Rosmarin, but still gave no further explanation of the incident.
Optus is not alone. In recent years, data breaches have occurred frequently around the world, and data security has become an issue of close public attention. Telecom operator Verizon publishes a Data Breach Investigations Report every year, which provides a comprehensive analysis and summary of the previous year's information security incidents, especially those that led to data breaches.
According to the 2022 report, ransomware continued its upward trend this year with an almost 13% rise, an increase as big as the last five years combined. The number of data breaches remains high. In the digital age the database, as the core and foundation of information technology, carries many key business systems and is the most strategic asset in the development of an enterprise's business. At the same time, as a complex system, the database carries a variety of management and technical risks. For enterprises, the database holds many security risks, and once an information leakage incident occurs, the consequences can be immeasurable.
- On February 23, 2022, Nvidia was breached by the threat actors Lapsus$, who reportedly stole approximately 1 TB of sensitive company information, including details of the company's latest GPUs.
- On September 2, 2022, telco giant Samsung suffered its second data breach of 2022. In a statement that provided little detail about the exact nature of the breach, the company said that personal, demographic and product registration information of an unspecified number of customers was impacted.
- On September 15, 2022, the ride-hailing and food delivery company Uber suffered a systems breach. According to reports, a hacker broke into Slack, the office messaging app used by Uber employees, and posted threatening messages. Uber took some system functions offline as a result, which had many negative effects on the business.
Even such tech giants are suffering from this disaster, which makes one wonder what situation companies that are less well protected than them are in. Beyond financial loss and the loss of customer trust, the variety of hacking methods makes the damage to a corporate image difficult to estimate. When a data breach occurs, the public develops a sense of distrust in the enterprise, and this distrust affects the public's choices. A data breach may therefore cost the company a group of customers, including potential customers, and may even directly affect the company's competitiveness. So how was the data leaked? The following are some of the main causes of data breaches.
1. 18% are due to insiders' misoperation and malicious damage to the database
According to a Verizon survey, 18% of data breaches involve internal factors. On average, each employee has access to 11 million files; 15% of companies found more than 1 million accessible files per employee, and 17% of those employees had access to sensitive files. It can be said that employees hold a large amount of internal data and customer personal information. Once this data is misused by insiders, it becomes a fatal threat to the company. The easiest way to capture a fortress is from within: an insider, or an attacker holding a privileged account, can abuse those privileges and steal the data.
Examples of data breaches caused by factors within the enterprise abound. News items such as these are common: a logistics employee was investigated for leaking user information for profit; a hotel's core data was mishandled by employees and offered for sale online; a bank employee profited by selling information. Such incidents are mainly due to employee misoperation, or to theft and destruction by insiders for commercial purposes.
2. 80% is external hacking
External factors put more pressure on enterprises, chiefly the illegal acquisition of enterprise data by criminals for profit. In security incidents and data breaches, external cloud assets are stolen from more commonly than internal assets. Hackers obtain internal corporate data through illegal means such as web application attacks, phishing and ransomware, taking everything from account credentials, personal information and corporate emails to sensitive internal corporate data, and may even use ransomware to encrypt important business data and demand a high ransom for decryption. Optus, Nvidia and Samsung are among the victims.
The API in question may be the root cause of Optus' huge data breach. Although the full details are not yet known, initial reports suggest that the source of the problem is an unauthenticated API endpoint. As is often the case, the breach was not the work of a sophisticated attacker using advanced methods: anyone able to call the API could carry out the attack.
According to the investigation, the Optus API had no rate limit, allowing attackers to extract large amounts of data:
• Clearly the API was never penetration tested prior to deployment.
• Most surprisingly, the API appears to be unauthenticated.
• Optus does not appear to classify its data based on sensitivity and does not implement any reasonable data retention policy.
• Optus does not use any form of data masking for confidential information.
• Optus networks and endpoints are not actively monitored to detect malicious activity.
Optus responded that all the data was encrypted, that there was no completely exposed API, and that Optus was the victim of an attack that penetrated multiple layers of protection.
3. 2% is partners and multiple factors
Only some small companies will actively sell their existing user data, or exchange it with their peers, for their own benefit.
Edward Lee, a network security engineer at ByteDance, listed the following misconceptions commonly found among enterprises in an interview with us.
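The list above names four controls an endpoint like this is expected to have: caller authentication, a per-client rate limit, masking of confidential fields, and monitoring that notices abuse. The following Python is an added illustration, not Optus' code or any real schema: it places the weak pattern (`unauthenticated_lookup`, which returns raw records to any caller without limit) next to a hardened handler that applies all four controls, using constructed customer records, a constructed API key and a simple in-memory sliding-window limiter. The `burst_demo` function sends a burst of requests from one client so the limiter and the monitoring hook can be seen working.

```python
import hmac
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed sample customer records standing in for a telco's customer store
# (not real data and not Optus' schema).
CUSTOMER_RECORDS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "A. Example", "email": "a@example.invalid", "licence": "DL12345678"},
    "1002": {"name": "B. Example", "email": "b@example.invalid", "licence": "DL87654321"},
}

# Hypothetical API keys issued to approved client applications (constructed values).
VALID_API_KEYS = ["client-app-key-constructed"]


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, deque] = {}

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits.setdefault(client_id, deque())
        # Drop request timestamps that have fallen outside the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def mask_identifier(value: str) -> str:
    """Data masking: reveal only the last two characters of a sensitive field."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def unauthenticated_lookup(customer_id: str) -> Optional[Dict[str, str]]:
    """The weak pattern described above: no caller identity, no throttling, raw fields."""
    return CUSTOMER_RECORDS.get(customer_id)


def hardened_lookup(customer_id: str, api_key: Optional[str], client_id: str,
                    limiter: RateLimiter, now: float,
                    audit_log: List[str]) -> Tuple[int, Optional[Dict[str, str]]]:
    """Same lookup with authentication, rate limiting, masking and an audit trail.
    Returns (HTTP status code, response body)."""
    # Constant-time comparison so key checking does not leak timing information.
    if api_key is None or not any(hmac.compare_digest(api_key, k) for k in VALID_API_KEYS):
        audit_log.append(f"{now:.0f} DENY auth client={client_id} id={customer_id}")
        return 401, None
    if not limiter.allow(client_id, now):
        audit_log.append(f"{now:.0f} DENY rate client={client_id} id={customer_id}")
        return 429, None
    record = CUSTOMER_RECORDS.get(customer_id)
    if record is None:
        audit_log.append(f"{now:.0f} MISS client={client_id} id={customer_id}")
        return 404, None
    audit_log.append(f"{now:.0f} OK client={client_id} id={customer_id}")
    return 200, {
        "name": record["name"],
        "email": record["email"],
        "licence": mask_identifier(record["licence"]),
    }


def suspicious_clients(audit_log: List[str], threshold: int) -> set:
    """Monitoring hook: clients that were rate-limited at least `threshold` times."""
    counts: Dict[str, int] = {}
    for line in audit_log:
        if " DENY rate " in line:
            client = line.split("client=")[1].split()[0]
            counts[client] = counts.get(client, 0) + 1
    return {client for client, n in counts.items() if n >= threshold}


def burst_demo(n_requests: int, limit: int = 5) -> Tuple[List[int], set]:
    """Issue n_requests one second apart from one authenticated client.
    Returns the status codes seen and the clients the monitor flagged."""
    limiter = RateLimiter(limit=limit, window=60.0)
    log: List[str] = []
    statuses: List[int] = []
    for i in range(n_requests):
        status, _ = hardened_lookup("1001", VALID_API_KEYS[0], "app-1", limiter, 1000.0 + i, log)
        statuses.append(status)
    return statuses, suspicious_clients(log, threshold=2)


if __name__ == "__main__":
    print(burst_demo(7))
```

The limiter here is in-process and per-client-id; in a real deployment the client identity would come from the authenticated credential rather than a caller-supplied string, and the audit lines would feed a SIEM rather than a list, but the shape of the checks is the same.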
Firstly, enterprises lack network security requirements. “81% of enterprises believe that their network security is above the average level, but many enterprises lack basic network security requirements, and most enterprises do not require complex password management and identity verification.”
Secondly, enterprises rely on luck. Some enterprises think there will be no risk if they deploy basic defences. "Even if they encounter a ransomware attack, they only need to pay the ransom."
Lastly, enterprises are aware but do not act. Although some enterprises are aware of security threats including ransomware, and list email attacks as the highest-risk attack vector, "they lag in actual security actions".
Finding suitable protection methods must be a long-term consideration for enterprises. For a long time, security defence technology has been relatively fixed and passive. When self-protection cannot solve the problem, choosing an excellent solution becomes something every enterprise needs to consider.
Under the wave of digital transformation, security vendors who master advanced technologies such as big data and artificial intelligence are stepping up new protection methods to meet the urgent needs of enterprises. In addition, in response to complex protection requirements and the future trend towards active defence, more vendors have developed their own intelligent security protection methods.
From the data, the field of enterprise security began to attract the attention of capital in 2014. Compared with 2013, both the number of investments and the amount of financing increased exponentially, and the number and amount of investment have grown gradually each year since.
Companies that have increased their investment in cyber security have spread from early key areas such as government, finance and industrial manufacturing into technology, transportation, retail, medical care, media and other industries. As government and financial-sector protections get stronger, hackers will gradually turn to industries with high demand but weak protection.
In addition, the pandemic has accelerated the rise of remote working. When people work from home, criminals can also use office software to launch more attacks, for example by imitating office software applications and registering malicious domain names that resemble remote-office software such as Zoom or Microsoft Teams. It can be foreseen that in the future, industries with high demand may become the target of more cyber hackers.
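One defensive response to the lookalike domains mentioned above is to watch outbound DNS queries for names that resemble a watched brand but do not belong to it. The Python below is an added example, not a tool from the page: it classifies a queried name as legitimate, a lookalike (brand embedded in the label, or one edit away from it), or unrelated, and runs that check over a few constructed resolver log lines. The legitimate-domain list and the brand list are assumptions for the illustration; the suffix handling is deliberately naive (no Public Suffix List).

```python
from typing import Dict, List

# Assumed legitimate domains for the collaboration tools named above. A real
# deployment would maintain this list from the organisation's approved-software inventory.
LEGITIMATE_DOMAINS = ["zoom.us", "microsoft.com"]
# Brand names to watch for, longest first so "microsoft-teams" reports "microsoft".
BRANDS = ["microsoft", "teams", "zoom"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character variants such as a zero for an 'o'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of the name. Assumption: two-label public suffixes such as
    .com.au are not handled; a production version would consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain: str) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated'."""
    name = domain.lower().strip(".")
    if any(name == legit or name.endswith("." + legit) for legit in LEGITIMATE_DOMAINS):
        return "legitimate"
    label = registrable_label(name)
    for brand in BRANDS:
        if brand in label:
            return "lookalike:" + brand      # brand embedded, e.g. zoom-client-update
        if len(label) >= 4 and levenshtein(brand, label) <= 1:
            return "lookalike:" + brand      # one-character variant, e.g. zo0m
    return "unrelated"


# Constructed DNS resolver log lines (timestamp, client, queried name); not real traffic.
SAMPLE_DNS_LOG = """\
2022-09-26T09:01:02Z 10.0.0.12 us05web.zoom.us
2022-09-26T09:01:07Z 10.0.0.12 teams.microsoft.com
2022-09-26T09:02:15Z 10.0.0.31 zoom-client-update.example
2022-09-26T09:02:40Z 10.0.0.31 zo0m.example
2022-09-26T09:03:05Z 10.0.0.44 weather.example
"""


def flag_lookalikes(log_text: str) -> Dict[str, List[str]]:
    """Queried names that resemble a watched brand but are not legitimate, keyed by
    the client that asked for them."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, client, qname = line.split()
        if classify_domain(qname).startswith("lookalike:"):
            flagged.setdefault(client, []).append(qname)
    return flagged


if __name__ == "__main__":
    for client, names in flag_lookalikes(SAMPLE_DNS_LOG).items():
        print(client, names)
```

A hit from this check is a triage lead, not a verdict: legitimate third parties do register brand-bearing names, so the flagged client and name should be reviewed alongside the proxy and endpoint logs before blocking.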
Those impacted by the incident are advised to contact reputable sources for information.
Reputable sources include:
Office of the Australian Information Commissioner
Moneysmart
IDCare
Australian Cyber Security Centre
You should not use non-government sites to check if your data has been exposed.