Bungling Optus scammer was no criminal mastermind https://grahamcluley.com/bungling-optus-scammer-was-no-criminal-mastermind/ #databreach #Law&order #Dataloss #Mobile #Optus #SMS
Bungling Optus scammer was no criminal mastermind.
He gave his intended victims the bank account details… of his 15-year-old *brother*, and sent ransom demand SMS text messages from his *own* mobile phone number. D'oh!
In case you’re wondering, Australian police didn’t have too much trouble working out who was responsible…
https://grahamcluley.com/bungling-optus-scammer-was-no-criminal-mastermind/
#cybercrime #cybersecurity #databreach #australia #sms #optus
New T-Mobile Breach Affects 37 Million Accounts https://krebsonsecurity.com/2023/01/new-t-mobile-breach-affects-37-million-accounts/ #2023T-MobileBreach #LatestWarnings #TheComingStorm #T-Mobilebreach #DataBreaches #Optus
@vt52 Problem is they might be next. I think it's better to remain with Lastpass if you have an account there and reduce your digital footprint. The fact that LP acknowledges the issues also pretty much ensures they will have a good think around their security practices and fix the issues they've identified.
If you're in a greenfield situation, you may also consider any company that has been hacked before, as the chances are they have their act together now. We've seen similar things happening here in Australia with the #medibank and #optus breaches.
https://thenewdaily.com.au/finance/finance-news/2022/12/13/data-breaches-medibank/
#Australian corporate #infosec is pathetically woeful.
There are a few reasons for this:
1) There are few penalties for breaches, so the Board often "accepts" the risk as it's cheaper than spending money.
I worked in a corporation where our locksmith budget was bigger than the InfoSec.
2) Thanks to our national focus on total destruction of privacy, companies keep all sorts of data indefinitely. Like in the latest #optus hack where everyone's data was exfoliated. Few #infosec people acknowledge that one of the reasons for the severity of this was the Government mandate to KYC.
3) Up till recently, on public face the internal cybersecurity focus was pursuit of Muslim teens being radicalised on Facebook.
Until the government stops being more grabby with our data (ha!) and there are real penalties for doing nothing, this thieving will continue.
If anyone wants to read the (pre-hack) Optus submission to the Attorney-General about their thoughts on all these upcoming privacy changes.
It's a grandiose posturing by big corp towards privacy regulations. Quite eye-opening at their lack of cyber security concerns or cowboy-like wild-west demeanor towards new regulations.
It's free to download in the link here https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/consultation/view_respondent?show_all_questions=0&sort=submitted&order=ascending&_q__text=optus&uuId=658415295. All their words quoted below are just a small sample I copied.
"APP entity must take reasonable steps to satisfy itself that the personal information it is seeking to collect indirectly was originally collected in accordance with APP 3. Optus strongly disagrees with this proposal on the basis that it is of limited value to the protection of an individual’s personal information and will, in practice, likely amount to a box ticking exercise. "
"Optus is not of the opinion that a legislated ‘fair and reasonable’ test for handling personal information is required, and given that the current APPs are sufficient, a further test may cause unintended confusion, burden and potentially stifle innovation if misinterpreted or read too conservatively."
"Optus disagrees that “specific personal information” disclosed to overseas recipients should also be included as this is too granular. Optus notes that APP 1 currently requires APP entities to list the kinds, not specific types of information it handles. Given that privacy policies need to be clear and easy to read so that they are understandable, requiring APP entities to list specific personal information disclosed overseas could prove to be more of a nuisance than any benefit to informed consumer decision making."
"Optus recognises the importance of taking action, where possible, to identify and mitigate risks to individuals that may arise from an interference with privacy. However, Optus considers that the proposed amendment to sub-ss 52(1)(b)(ii) and 52(1A)(c) gives rise to a significant risk that APP entities will be saddled with obligations which are unclear and unduly burdensome."
#privacy #Optus #privacyact #data
Glad to see I'm not alone in the view that we need to regulate more accountability for corporates that could not care less about data security. #medibank #optus https://www.theguardian.com/commentisfree/2022/nov/17/australian-companies-dont-value-keeping-our-data-safe-because-they-have-little-to-lose-our-laws-need-to-change-that
And I just got an email - my passport number was compromised in the #Optus hack.
Referenced link: https://thehackernews.com/2022/10/19-year-old-hacker-arrested-for-using.html
Discuss on https://discu.eu/q/https://thehackernews.com/2022/10/19-year-old-hacker-arrested-for-using.html
Originally posted by The Hacker News / @TheHackersNews@twitter.com: https://twitter.com/TheHackersNews/status/1577938397464625152#m
A 19-year-old Sydney teenager has been arrested for allegedly using leaked #Optus telecom data to extort victims in SMS scams.
Read: https://thehackernews.com/2022/10/19-year-old-hacker-arrested-for-using.html
#Optus #infosec #hacking #cybersecurity #infosecurity
Referenced link: https://thehackernews.com/2022/10/telstra-telecom-suffers-data-breach.html
Discuss on https://discu.eu/q/https://thehackernews.com/2022/10/telstra-telecom-suffers-data-breach.html
Originally posted by The Hacker News / @TheHackersNews@twitter.com: https://twitter.com/TheHackersNews/status/1577644552235544577#m
Australian telecom company #Telstra has announced that it has been the victim of a third-party data breach, nearly two weeks after its rival #Optus reported a data breach of its own.
Read: https://thehackernews.com/2022/10/telstra-telecom-suffers-data-breach.html
#telstra #Optus #infosec #cybersecurity #databreach #hacking
Referenced link: https://thehackernews.com/2022/10/optus-hack-exposes-data-of-nearly-21.html
Discuss on https://discu.eu/q/https://thehackernews.com/2022/10/optus-hack-exposes-data-of-nearly-21.html
Originally posted by The Hacker News / @TheHackersNews@twitter.com: https://twitter.com/TheHackersNews/status/1577193642720038912#m
Australian telecom giant #Optus has confirmed that the personal information of nearly 2.1 million of its current and former customers was exposed in a recent data breach.
Read: https://thehackernews.com/2022/10/optus-hack-exposes-data-of-nearly-21.html
#infosec #hacking #cybersecurity #OptusHack #OptusDataBreach
The solution to the data over-collection problem (especially for documents as sensitive as passports, driving licenses or SSNs) is actually so simple that I'm appalled that no legislators have considered it so far.
The #Optus data breach was caused by an unauthenticated public API endpoint that could be used to query the database without restrictions.
While having a public unauthenticated endpoint with unrestricted access to your db is obviously as stupid as leaving the door of a bank vault open to the public, a law that enforces access control on IT systems would be an unacceptable and inefficient overreach. Developers build communication mechanisms between systems all the time, and having all of them audited and compliant would just be both impractical and inefficient.
Instead, we need a law that clearly establishes the retention policies for sensitive data.
Do you need my ID to make sure that I really am who I claim to be? Or do you need my driving license to make sure that I can actually drive a car? Fair enough. But do you still need my ID once you've ALREADY validated your use-case?
In other words, would it be ok if the airline employee at the boarding gate, after checking your passport, also made a copy of it to keep in his drawer?
If it's not ok in the physical world, why is it ok in the digital one?
If Optus had discarded sensitive data after processing it, they may still have been breached through an unauthenticated endpoint. But the breach would have simply resulted in the company prompting users to change their passwords, or some other non-sensitive information. NOT their passports!
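The retention argument above, as an added example (not code from the post, from Optus, or from any real system): a KYC check recorded two ways, one that keeps the document number and one that keeps only the outcome, each then exposed through a stand-in for an unrestricted, unauthenticated dump. The record layout, the format check and the sample passport number are constructed assumptions.

```python
"""Data-minimisation illustration. All record fields, the passport format
check and the sample value are constructed for this example."""
import re
from datetime import datetime, timezone

# Assumed placeholder for the real document validation step.
PASSPORT_PATTERN = re.compile(r"[A-Z]\d{8}")


def looks_like_passport_number(number: str) -> bool:
    return PASSPORT_PATTERN.fullmatch(number) is not None


def verify_over_collecting(store: dict, customer_id: str, passport: str) -> bool:
    """Weak pattern: the document number itself is kept after the check."""
    ok = looks_like_passport_number(passport)
    store[customer_id] = {"verified": ok, "passport_number": passport}
    return ok


def verify_minimal(store: dict, customer_id: str, passport: str) -> bool:
    """Retention-limited pattern: only the fact, kind and time of the check persist."""
    ok = looks_like_passport_number(passport)
    store[customer_id] = {
        "verified": ok,
        "document_type": "passport",  # kind of document, not its number
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }
    return ok  # the passport value goes out of scope; nothing retains it


def unrestricted_dump(store: dict) -> list:
    """Models an endpoint that returns every record with no authentication."""
    return [dict(id=k, **v) for k, v in store.items()]


def exposed_document_numbers(dump: list) -> list:
    """Scan every string value in the dump for passport-shaped data,
    regardless of which field it was stored under."""
    found = []
    for record in dump:
        for value in record.values():
            if isinstance(value, str) and looks_like_passport_number(value):
                found.append(value)
    return found


if __name__ == "__main__":
    sample = "N12345678"  # constructed, not a real passport number
    weak, minimal = {}, {}
    verify_over_collecting(weak, "c-1", sample)
    verify_minimal(minimal, "c-1", sample)
    print("over-collecting store leaks:", exposed_document_numbers(unrestricted_dump(weak)))
    print("minimal store leaks:", exposed_document_numbers(unrestricted_dump(minimal)))
```

Both stores pass the same check; only the over-collecting one yields a document number when dumped.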
Did some long form reporting to untangle the details surrounding Australia's massive #Optus data breach and the threat actor's subsequent retraction of his extortion scheme:
https://hothardware.com/news/hacker-behind-australias-largest-data-breach-retract-leak
#cybersecurity #datasovereignty #databreach
The #Optus hack is a wake up call to all those developers that go like "oh, there's a legacy unauthenticated endpoint there, but it's ok - we made it for a customer a while ago and probably nobody else knows about it".
https://www.protocol.com/bulletins/optus-data-breach-api-security
Referenced link: https://thehackernews.com/2022/09/hacker-behind-optus-breach-releases.html
Discuss on https://discu.eu/q/https://thehackernews.com/2022/09/hacker-behind-optus-breach-releases.html
Originally posted by The Hacker News / @TheHackersNews@twitter.com: https://twitter.com/TheHackersNews/status/1574644009930145793#m
Cybercriminals behind the #Optus data breach leaked 10,200 customer records in an attempt to force and extort $1 MILLION from the Australian telecom.
https://thehackernews.com/2022/09/hacker-behind-optus-breach-releases.html
After a few hours, however, the hacker apologized and said he had deleted the stolen data.
Telecoms Data Breach Prompts Privacy Overhaul in Australia
https://beincrypto.com/telecoms-data-breach-prompts-privacy-overhaul-in-australia/
#AnthonyAlbanese #CryptoScams #DataBreach #Australia #Markets #Optus
People ask me why I don't like 2FA, I don't like 2FA because 99% of the time they use insecure SMS as the second factor.
"Optus did the SIM swap because the hacker got their hands on his phone number, address and date of birth which was all they needed to authorise the transaction."
Pretty sure the 5G rollout is non-essential, but tell that to #Optus and #Telstra, who believe this is the perfect time to begin the rollout in earnest.
5G is not proven to be safe - are we going from one health crisis to another?
#nonessential #5G #forcedNews #noNews #mediaBlackout #healthCrisis #distraction #mortality #aging #dna #fertility #health #cancer #science #telcos #privatisation #corporations #deadHandOfCEOs #tooBigToExist #australia #australian #auspol