Good morning Guys and dolls,
Upon checking the spam filter for multiple clients of mine, I have found that there were over 3000 optusnet emails going to my clients containing a Remote Access Tool and a few other goodies inside of a zip file.
Every signle optusnet email being received contains this, can Optus please confirm if there has been a database breach?
If you cannot confirm, I will submit details containing all pictures, headers and the compromised addresses to the smh submission portal for investigation as well as the mail servers and their databases that the original email accounts that have been hacked.
As Optus should be aware, if there has been a breach which has not been rectified within 30 days, Optus will be required to publicly communicate the breach and follow the procedure as described in the following link;
Please visit this link for what action to take and who to contact for Optusnet spam.
Not sure this would qualify as a breach requiring notification?
The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected
Emails being sent or recieved withing the Optus network are not in of themselves breaching any personal data etc. That customers might install trojans that then breach protections is not directly related in my reading?
Good morning Peter,
The actual Data Breach is the exchange server database has been comprimised.
All data has been exported and all details including your account number, your personal details, your date of birth, your full name and address.
Access to your email is a massive concern coming from a security analyst here, I can confirm that this is a serious breach and the potential for causing harm is not referring to only physical harm but the potential for exploiting an individual or organisation.
This also means that Optus security must be updated to stay inline with current and future exploitation trends, enrolling all users in MFA, actually implementing a spam filter to protect not only optus users but also forcing a mass password reset.
I can also confirm that the breach has happened twice in a matter of a month.
Please provide an address to post metadata with all headers and geolocation tracking with Actility and will gladly submit information.
If you are happy to have your email and personal information shared with the world, that is on you but when it starts to impact my clients and their company, I am more than happy to assist if I can.
@petergdownload Furthermore, as this is not my first rodeo, I will also paste the NDB page surrounding the Eligable Data Breach & in particular, the serious harm assessment.
Please keep in mind that the impact and or potential for serious harm increase depending on the number of individuals contained in the compromise. If the possibility of harm wether serious physical, psychological, emotional, financial, or reputational harm.
If any organisation with dishonest intentions had a complete list of personal details, the possibility to utilise that information to monetise and bankrupt an individual would increase the risk assemsment score surrounding the data breach.
Feel free to peruse the below for some light reading;
Identifying eligible data breaches Key points
The NDB scheme requires regulated entities to notify particular individuals and the Commissioner about ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.
Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position.
Not all data breaches are eligible. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner. There are also exceptions to notifying in certain circumstances.
Eligible data breach
An eligible data breach arises when the following three criteria are satisfied:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds (see What is a ‘data breach’?)
this is likely to result in serious harm to one or more individuals (see Is serious harm likely?), and
the entity has not been able to prevent the likely risk of serious harm with remedial action (see Preventing serious harm with remedial action).
This document is about the threshold at which an incident is considered an ‘eligible data breach’ that will be notifiable under the scheme unless an exception applies. Assessing a suspected data breach provides guidance to entities about the process to follow when carrying out an assessment of ‘whether there are reasonable grounds to suspect that there may have been an eligible data breach of the entity’ under s 26WH.
What is a ‘data breach’?
The first step in deciding whether an eligible data breach has occurred involves considering whether there has been a data breach; that is, unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information (s 26WE(2)). The Privacy Act does not define these terms. The following analysis and examples draw on the ordinary meaning of these words.
Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).
Examples of unauthorised access include:
Unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.
For example, an employee of an entity accidentally publishing a confidential data file containing the personal information of one or more individuals on the internet would be considered unauthorised disclosure
Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where is it is likely to result in unauthorised access or disclosure.
An example is where an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport. Under the NDB scheme, if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach (s 26WE(2)(b)(ii)). For example, if the personal information is remotely deleted before an unauthorised person could access the information, or if the information is encrypted to a high standard making unauthorised access or disclosure unlikely, then there is no eligible data breach.
Is serious harm likely?
The second step in deciding whether an eligible data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.
For the NDB scheme a ‘reasonable person’ means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. In general, entities are not expected to make external enquiries about the circumstances of each individual whose information is involved in the breach. ‘Reasonable person’ is also discussed in general terms in Chapter B of the OAIC’s APP Guidelines.
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Entities should assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm. The NDB scheme includes a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood of serious harm. These are set out in s 26WG as follows:
As some of these matters involve overlapping considerations, they are discussed further below, under the broader headings:
The type or types of personal information involved in the data breach
Some kinds of personal information may be more likely to cause an individual serious harm if compromised. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:
Circumstances of the data breach
The specific circumstances of the data breach are relevant when assessing whether there is a risk of serious harm to an individual. This may include consideration of the following:
Whose personal information was involved in the breach? An entity could consider whose personal information was involved in the breach, as certain people may be at particular risk of serious harm. A data breach involving the names and addresses of individuals might not, in various circumstances, be likely to result in serious harm to an individual, particularly if that information is already publicly available. However, if the entity knows that the information involved primarily relates to individuals known to be vulnerable, this may increase the risk of serious harm
How many individuals were involved? If the breach involves the personal information of many individuals, the scale of the breach should affect an entity’s assessment of likely risks. Even if an entity considers that each individual will only have a small chance of suffering serious harm, if more people’s personal information is involved in the breach, it may be more likely that at least some of the individuals will experience serious harm. From a risk perspective, it may be prudent, depending on the particular circumstances, to assume a breach involving the personal information of a very large number of people is likely to result in serious harm to at least one of those individuals, unless context or circumstances would support this not being the case
Do the circumstances of the data breach affect the sensitivity of the personal information? A breach that may publicly associate an individual’s personal information with a sensitive product or service they have used may increase the risk of serious harm. For example, a data breach involving an individual’s name may involve a risk of serious harm if the entity’s name links the individual with a particular form of physical or mental health care
How long has the information been accessible? The time between when the data breach occurred and when the entity discovers the breach will be relevant to the entity’s consideration of whether serious harm is likely to occur. For example, if personal information is publically accessible for a significant period before the entity is aware of the data breach, it may be more likely that the personal information have been accessed in ways that will result in serious harm to the individuals affected
Is the personal information adequately encrypted, anonymised, or otherwise not easily accessible? A relevant consideration is whether the information is rendered unreadable through the use of security measures to protect the stored information, or if it is stored in such a way so that it cannot be used if breached. In considering whether security measures (such as encryption) applied to compromised data are adequate, the entity should consider whether the method of encryption is an industry-recognised secure standard at the time the entity is assessing the likelihood of risk. Additionally, an entity should have regard to whether the unauthorised recipients of the personal information would have the capability to circumvent these safeguards. For example, if an attacker holds both encrypted data and the encryption key needed to decrypt that data, the entity should not assume the data is secure
What parties have gained or may gain unauthorised access to the personal information?The unauthorised disclosure of an individual’s record to someone who knows that individual personally may increase the risk of serious reputational harm for that individual. In addition, where a third party that obtains unauthorised access to personal information, or appears to target personal information of a particular individual or group of individuals, this may increase the risk of serious harm as it may be more likely the personal information is intended for malicious purposes.
The nature of the harm
In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harms that may follow a data breach. It may be helpful for entities assessing the likelihood of harm to consider a number of scenarios that would result in serious harm and the likelihood of each. Examples may include:
The likelihood of a particular harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if the harm materialises, are relevant considerations.
Re: Please provide an address to post metadata with all headers and geolocation tracking with Actility and will gladly submit information.
It's on the link posted above:
4.Forward the email with its headers to firstname.lastname@example.org
All data has been exported and all details including your account number, your personal details, your date of birth, your full name and address.
A direct attack like that would presumably qualify. @Ray_YC is obviously treating it seriously.
Just wondering why all that information would be sent to your clients? The hacker only needs an email address to send a RAT to so why embed all that extra info that does nothing except draw attention to the breach? That info would be put to much better use for direct fraud against Optus (or banks etc.)
I would be interested in a sample header of the data you have. Change the name or DOB etc.
So any personal information in the email or headers?
Seems pretty generaic and low tech. I do wonder if spammers just have a (justifiably?) low opinion of the human race when they send out material as shoddy as that. I get they probably don't speak English but even so I assume they have first hand knowledge that 0.002% of the population will click on just about anything.