{"id":75352,"date":"2022-09-23T15:15:10","date_gmt":"2022-09-23T05:15:10","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=75352"},"modified":"2022-09-23T17:24:51","modified_gmt":"2022-09-23T07:24:51","slug":"criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/","title":{"rendered":"Criminal or state actor, there are major lessons in the Optus cyber breach"},"content":{"rendered":"<figure><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"691\" class=\"alignnone size-full wp-image-75354\" src=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456.jpg\" srcset=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456.jpg 1024w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456-205x138.jpg 205w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456-768x518.jpg 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<p>Optus, Australia\u2019s second-largest telecommunications company, yesterday notified the media that the data of its customers had been compromised in a cyberattack. It remains unclear how many customers are affected, but CEO Kelly Bayer Rosmarin said it might be up to 9.8 million users in a \u2018worst case\u2019 scenario, while stressing the breach involved \u2018a very small subset of data\u2019.<\/p>\n<p>Customers\u2019 names, dates of birth, phone numbers, email addresses, driver\u2019s licence numbers, passport numbers and postal addresses are among the information reported to have been accessed.<\/p>\n<p>Given the scale of the breach, the nature of the\u00a0personal information and the utility of this data, a key question is whether a state or criminal actor was behind the attack.<\/p>\n<p>A state actor would be able to make very productive use of this data, especially if it included records of who people had called. It\u2019s a little unclear from Optus\u2019s <a href=\"https:\/\/www.optus.com.au\/about\/media-centre\/media-releases\/2022\/09\/optus-notifies-customers-of-cyberattack\" target=\"_blank\" rel=\"noopener\">statement<\/a> whether \u2018phone numbers\u2019 means an individual customer\u2019s phone number or the phone numbers customers have called.<\/p>\n<p>In places like the US, we\u2019ve seen China steal the records of <a href=\"https:\/\/abcnews.go.com\/US\/exclusive-25-million-affected-opm-hack-sources\/story?id=32332731\" target=\"_blank\" rel=\"noopener\">security cleared officials<\/a>, and <a href=\"https:\/\/www.nytimes.com\/2018\/12\/11\/us\/politics\/trump-china-trade.html\" target=\"_blank\" rel=\"noopener\">hotel<\/a> and <a href=\"https:\/\/www.reuters.com\/article\/cybersecurity-usa-targets-idINKBN0OL19220150605\" target=\"_blank\" rel=\"noopener\">health records<\/a>. Joining these datasets together has the <a href=\"https:\/\/www.aspistrategist.ru\/foreign-intelligence-stravas-global-heatmap\/\" target=\"_blank\" rel=\"noopener\">potential to provide rich pickings<\/a> for states, enabling them to knit together useful details about key individuals, and understand patterns of behaviour and communication across groups of interest. It requires affected countries to think carefully about how these data breaches might be used against them in future. The scale and level of detail of Optus\u2019s customer data would\u00a0make it highly valuable to a state actor.<\/p>\n<p>The other possibility is that this is the work of cyber criminals. <em>ITnews<\/em> <a href=\"https:\/\/www.itnews.com.au\/news\/optus-attack-exposes-customer-information-585567\" target=\"_blank\" rel=\"noopener\">reported<\/a> that while Optus notified the media of the breach yesterday, the data of its customers <a href=\"https:\/\/twitter.com\/BrettCallow\/status\/1573028764690575360\/photo\/1\" target=\"_blank\" rel=\"noopener\">appears to have been posted for sale<\/a> online since 17 September. That could suggest the work of a cybercriminal gang. However, Optus has <a href=\"https:\/\/www.theaustralian.com.au\/nation\/millions-hit-in-major-optus-data-breach\/news-story\/335ba2236d8f304ed447fbb325e6829f\" target=\"_blank\" rel=\"noopener\">told the media<\/a> that it hasn\u2019t received a demand for a ransom, which would be the obvious thing for a criminal group to do.<\/p>\n<p>Rosmarin said this morning that it was too early to tell whether it was a criminal or state actor, but described the attack as \u2018sophisticated\u2019. This is now <a href=\"https:\/\/youtu.be\/uklyq2cNKFU\" target=\"_blank\" rel=\"noopener\">standard language<\/a> used by anyone who is successfully penetrated, so it is difficult to read much into that remark.<\/p>\n<p>For Optus customers, the implications of the breach depend to a significant extent on which type of actor was behind the attack. If it was a criminal gang, customers are likely going to be exposed to the significant risk of identity theft, requiring them to spend many painful hours making whatever changes they can to their personal data to minimise their vulnerability\u2014which will be difficult to do entirely.\u00a0If it\u2019s a state actor, the impact on individual Australians will likely be less apparent, though it may be more pernicious for politicians, business leaders, government officials and anyone else whom the state actor deems a potential target of influence or intelligence-gathering.<\/p>\n<p>Even if this turns out to be the work of cybercriminals, they might see profit in selling the data to state actors. It would therefore be wise to prepare for both eventualities.<\/p>\n<p>So, what are the lessons from this episode?<\/p>\n<p>First, and most obviously, the incentives for businesses that hold large amounts of highly valuable personal data to keep that data safe are still not well enough aligned either to consumer protection or to the wider national interests of Australia.\u00a0In May, the Australian Securities and Investments Commission successfully challenged an Australian financial services firm in the federal court over the adequacy of the firm\u2019s cybersecurity risk management. The firm was ordered to pay $750,000.<\/p>\n<p>This was an important first in Australia. However, it raises the questions about the strength and consistency of our framework for ensuring there are consequences for cyberattacks. There should be consequences for companies if it\u2019s found that they were deficient in protecting consumers\u2019 data. When it comes to perpetrators, there has been an inclination not to name state actors. In this case, though, the data stolen is the personal information of Australians. It\u2019s reasonable to argue that we should be told who was behind the attack, regardless of the perpetrator.<\/p>\n<p>Second, there\u2019s a growing argument to create an \u2018Office of Future Threats\u2019 within the government to look at all the data that has been stolen from businesses, civil society and governments by various state actors, and to plan for scenarios in which this data might be used against Australian interests.<\/p>\n<p>Finally, there is an opportunity to look at streamlining solutions for Australians who are victims of identity fraud so that less time (and heartache) is spent fixing the mess created by these sorts of massive failures. For example, Australians who have had personal data stolen must, in many circumstances, pay for new documents including passports. This should not happen. In a world in which large-scale data breaches are an unfortunate reality, Australians should not be disadvantaged when they are forced to remediate a situation that was never within their control.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Optus, Australia\u2019s second-largest telecommunications company, yesterday notified the media that the data of its customers had been compromised in a cyberattack. It remains unclear how many customers are affected, but CEO Kelly Bayer Rosmarin said &#8230;<\/p>\n","protected":false},"author":685,"featured_media":75354,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[713,2175,1799,1477,3369],"class_list":["post-75352","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-cyberattack","tag-data","tag-data-breach","tag-identity-fraud","tag-optus"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Criminal or state actor, there are major lessons in the Optus cyber breach | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Criminal or state actor, there are major lessons in the Optus cyber breach | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Optus, Australia\u2019s second-largest telecommunications company, yesterday notified the media that the data of its customers had been compromised in a cyberattack. It remains unclear how many customers are affected, but CEO Kelly Bayer Rosmarin said ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-23T05:15:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-23T07:24:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"691\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fergus Hanson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fergus Hanson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI&#039;s analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456.jpg\",\"width\":1024,\"height\":691,\"caption\":\"CHINA - 2021\/12\/09: In this photo illustration the second largest telecommunications company in Australia Optus logo seen displayed on a smartphone with an economic stock exchange index graph in the background. (Photo Illustration by Budrul Chukrut\/SOPA Images\/LightRocket via Getty Images)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/\",\"name\":\"Criminal or state actor, there are major lessons in the Optus cyber breach | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/#primaryimage\"},\"datePublished\":\"2022-09-23T05:15:10+00:00\",\"dateModified\":\"2022-09-23T07:24:51+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Criminal or state actor, there are major lessons in the Optus cyber breach\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f\",\"name\":\"Fergus Hanson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g\",\"caption\":\"Fergus Hanson\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/fergus-hanson\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Criminal or state actor, there are major lessons in the Optus cyber breach | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/","og_locale":"en_US","og_type":"article","og_title":"Criminal or state actor, there are major lessons in the Optus cyber breach | The Strategist","og_description":"Optus, Australia\u2019s second-largest telecommunications company, yesterday notified the media that the data of its customers had been compromised in a cyberattack. It remains unclear how many customers are affected, but CEO Kelly Bayer Rosmarin said ...","og_url":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2022-09-23T05:15:10+00:00","article_modified_time":"2022-09-23T07:24:51+00:00","og_image":[{"width":1024,"height":691,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456.jpg","type":"image\/jpeg"}],"author":"Fergus Hanson","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Fergus Hanson","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI&#039;s analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/09\/GettyImages-1237763456.jpg","width":1024,"height":691,"caption":"CHINA - 2021\/12\/09: In this photo illustration the second largest telecommunications company in Australia Optus logo seen displayed on a smartphone with an economic stock exchange index graph in the background. (Photo Illustration by Budrul Chukrut\/SOPA Images\/LightRocket via Getty Images)"},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/","url":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/","name":"Criminal or state actor, there are major lessons in the Optus cyber breach | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/#primaryimage"},"datePublished":"2022-09-23T05:15:10+00:00","dateModified":"2022-09-23T07:24:51+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/criminal-or-state-actor-there-are-major-lessons-in-the-optus-cyber-breach\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Criminal or state actor, there are major lessons in the Optus cyber breach"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f","name":"Fergus Hanson","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g","caption":"Fergus Hanson"},"url":"https:\/\/www.aspistrategist.ru\/author\/fergus-hanson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/75352"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/685"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=75352"}],"version-history":[{"count":4,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/75352\/revisions"}],"predecessor-version":[{"id":75379,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/75352\/revisions\/75379"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/75354"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=75352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=75352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=75352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}