Risks from the huge data breach go far beyond the people directly compromised, cyber security specialist says.
Optus hack puts all Australia on alert, accountants in front line
The huge hack into Optus customer details late last week will affect everyone in Australia and puts accountants in the front line of fraud prevention, says one cyber security specialist.
He said risks from the breach went far beyond individual issues for the millions of Optus users whose personal information had been spilled because those details opened doors to much larger targets.
“This is one of the biggest hacks we've ever seen,” said Eftsure marketing manager Niek Dekker. “There's been some data losses with Microsoft and Facebook, but they are technology providers and actually don’t know all that much about you.”
However, the Optus attack had much more potential, with crucial identifiers in the data, and the dangers to the Australian economy were being understated, he said.
Optus admitted names, dates of birth, phone numbers, email addresses and in some cases addresses, driver's licence or passport numbers were compromised.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” said Optus CEO Kelly Bayer Rosmarin.
The ACCC’s Scamwatch advised Optus customers to “take immediate steps to secure all of their accounts, particularly their bank and financial accounts. You should also monitor for unusual activity on your accounts and watch out for contact by scammers.”
But Mr Dekker said personal accounts were just the start for the cyber criminals.
“Every time they have these hacks they say the customers that are affected by this hack should be extra vigilant. But most of the time, accountants are the end target of these hacks,” he said.
“People are going to use all this data to try to make accounts payable managers pay the wrong bank account details – that's how they get to their money.”
He said the cyber criminals would have been ready as soon as they got into the Optus system.
“It will go pretty fast from now. Organisations will have put all the infrastructure in place already.
“They will run the names through a database like the ABR (Australian Business Register) or ABN, trying to find matches for business owners. Once you know that somebody's a director, you have their passports, you have everything, it becomes very easy to come up with some plot to get them to click on anything.
“Once they click, the fraudsters have complete access to the system via malicious software. They get into the communication they have with other businesses and those are the actual targets.”
The hackers would gain access to the emails of small businesses with minimal cyber security, and set up scams from there.
“They're going to try to intercept the email traffic between the larger customer and the small organisation that they've just got into, and then try to get in between those payments by changing invoices or by changing the bank account details in an email.
“A good example would be they go to a local plumbing business and try to defraud a big, general contractor in construction to make the wrong payment for work that has been done.”
“Banks don't name-check, so fraudsters can just change the numbers on the invoice.
“This is what the data will be used for the most because it's by far the easiest way to make this compromised data valuable. The more data they have, the more precise their attacks will be.”
Mr Dekker said some within the cyber security community were saying that the entire database was for sale for $US300,000 four days before the breach was made public, with claims they would refrain from selling if Optus paid $US1 million ransom.
He said even if the breach involved just 10 per cent of the almost 10 million customers thought to be exposed, there was no question the criminal upside was enormous.
“These criminals are having a massive payday whoever they are,” he said. “Selling and reselling this type of data is probably more valuable than Optus can pay in ransom. This data will flow from the dark web and will be sold to as many people as want to buy it.”
“If it’s just credit card information, that's about $10 per 1,000 records. But this could be like a massive multiplier on that.”
“The scary thing about this is it's passports, ID documentation, which people usually don't change for years and years. That makes the data extremely valuable for a long time.”
People had the wrong idea about cyber crooks, he said, because they were very different from the Hollywood hoods or disgruntled teens of popular imagination.
“It’s organised businesses – they have stakeholders, they have revenue targets, they have investors, we've seen businesses with company benefits.”
“They have a lot of use for this data and they'll use it for their own specialised area. Some of them are really good at defrauding via business email compromise. Others will ask for credit on the data that they have. It's an economy on its own.”
He said Australia was a popular target because it was rich and the police and authorities responded to hacks in predictable ways. The Optus hack made all Australians more of a target, regardless of whether they were directly involved.
“People that are not affected by the hack directly feel a sense of relief [but] there's been so much data compromised, that it will affect you,” Mr Dekker said.
“Whether you’re an Optus customer or not, there will be a need for a heightened sense of vigilance, security.”
“It's a hack that might change the way Australians do business.”
Mr Dekker, whose company Eftsure sells software to prevent payment fraud, said it was crucial for businesses to protect themselves.
First, computer systems needed to have the right protections in place, including multi-factor authentication, firewalls and virus scans.
And when it came to financial controls, there were two vulnerable points: invoices from new suppliers, and changes in bank details.
He said callback controls were essential because fraudsters often called ahead, while phone numbers needed to be thoroughly checked with third parties to ensure one given in an email was genuine.
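The two vulnerable points and the callback control described above can be written as a pre-payment check. This is an added example, not Eftsure's software or anything from the article; the vendor master layout, field names, phone-matching rule and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    bsb: str
    account: str
    phone: str  # verified through an independent source at onboarding

@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    bsb: str
    account: str
    contact_phone: str  # number quoted on the invoice or in the email

def digits(value: str) -> str:
    return "".join(ch for ch in value if ch.isdigit())

def same_phone(a: str, b: str) -> bool:
    # Assumption: compare the last 9 digits so "+61 2 ..." matches "(02) ...".
    return digits(a)[-9:] == digits(b)[-9:]

def review_invoice(invoice: Invoice, master: dict[str, Vendor]):
    """Return (decision, reasons, callback_number) for one invoice."""
    vendor = master.get(invoice.vendor_id)
    if vendor is None:
        # New supplier: no trusted number exists yet, so one must be sourced
        # from a third party, never taken from the invoice itself.
        return "HOLD", ["new supplier"], None
    reasons = []
    if (digits(invoice.bsb), digits(invoice.account)) != (
            digits(vendor.bsb), digits(vendor.account)):
        reasons.append("bank details changed")
    if not same_phone(invoice.contact_phone, vendor.phone):
        reasons.append("contact phone not the number on file")
    if reasons:
        # Call back on the number already on file, not the one just supplied.
        return "HOLD", reasons, vendor.phone
    return "PAY", [], None

# Constructed sample data (fictional supplier, account and phone numbers).
MASTER = {"V001": Vendor("Local Plumbing Pty Ltd", "999-999", "12345678",
                         "(02) 5550 0100")}
UNCHANGED = Invoice("V001", "999 999", "12345678", "+61 2 5550 0100")
ALTERED = Invoice("V001", "999-999", "87654321", "(02) 5550 0199")
UNKNOWN = Invoice("V777", "999-999", "11112222", "(02) 5550 0150")
```

A held invoice is released only after someone confirms the change by phone, using the returned callback number or, for a new supplier, a number obtained independently of the invoice.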