At a glance.
- Hacker dumps Optus data, then says sorry.
- Extortionists leak stolen French hospital data.
- VPN providers continue to leave India in wake of strict new rules.
Hacker dumps Optus data, then says sorry.
The Optus data breach continues to plague the major Australian wireless carrier as it enters its second week since the incident was disclosed. As we noted yesterday, over the weekend a ransom note appeared on an online data breach forum in which a user threatened to sell millions of Optus customer details if the company failed to pay $1.53 million. Sky News reports that the hacker, known only as “OptusData,” has released 10,000 records he alleges were stolen in the breach, and has vowed to continue to publish another 10,000 records each day until Optus pays up. According to a copy of the ransom note, which was posted on Twitter by Emsisoft threat analyst Brett Callow, the hacker claims to be in possession of over 3.8 million “identity document numbers,” 3.2 million driver's license numbers, and 4 million user data records, and there are reports he has released Medicare numbers as well.
Tech expert Trevor Long has analyzed the data and says it appears legitimate. “I looked at the data and it looks as legit as the first 100 samples he left but I think it’s even more disturbing because we’re now seeing Medicare card numbers in this latest data,” he stated. Upon learning that Medicare data had been exposed, Home Affairs Minister Clare O'Neil responded, "Medicare numbers were never advised to form part of compromised information from the breach. Consumers have a right to know exactly what individual personal information has been compromised in Optus' communications to them. Reports today make this a priority."
Strangely, 9News reports, a few hours after O’Neil’s statement, the hacker took to Twitter to issue an apology and promise to delete the data, despite not receiving the ransom. “Too many eyes. We will not sale (sic) data to anyone,” he wrote. “We cant (sic) if we even want to: personally deleted data from drive (Only copy).” Amidst the confusion, Optus users’ concerns and frustrations understandably continue to grow. David McShane, a five-year Optus customer, told the Financial Review, “I’m going to have to cancel the credit card I have now, order a new one, and I’m going to have to keep a close eye on my bank account.”
Yotam Segev, co-founder and CEO of Cyera, offered some thoughts on the hacker's potential motivation. "If the information about how the attackers gained access is accurate, an unprotected API left the data exposed, making this less of a hack and more of a crime of opportunity. If they choose to pay the ransom, the costs to the business will not stop there. Not surprisingly, Australia's attorney general's office is seeking an 'urgent' meeting with the company. You can be sure massive fines will follow. As will a costly investigation and audit to determine what happened. Their customers are now victims, class action lawsuits could follow, as well as increased marketing costs to keep customers from leaving to a competitor."
Extortionists leak stolen French hospital data.
Speaking of data dumps, SecurityWeek reports that the threat actors behind last month’s attack on French hospital Corbeil-Essonnes have released stolen patient data including medical scans, lab analyses, and national security numbers. The attackers demanded a multimillion-dollar ransom from the hospital, but the institution refused to pay. On Sunday, health minister Francois Braun stated on Twitter, “I condemn in the strongest possible terms the unspeakable disclosure of hacked data.” France has been hit especially hard in the surge of medical data breaches that has impacted the world since the pandemic, with some experts last year estimating the nation’s hospitals were experiencing one attack every week. Last year, President Emmanuel Macron allocated an extra one billion euros to the country’s cybersecurity.
VPN providers continue to leave India in wake of strict new rules.
This Sunday marked the deadline to comply with the Indian Computer Emergency Response Team’s (CERT-In) new data-collection rules, which, Wired explains, require VPN operators to collect user data and supply it to authorities on demand. In response, VPN providers have been pulling their servers out of the country, stating that the rules defeat the purpose of VPNs, which allow users internet access without disclosing their locations or identities. HT Tech reports that Proton VPN is the latest provider to cut ties with India, with the company stating on Twitter, “Today, we’re removing our VPN servers in India to protect the privacy of our community due to India’s new surveillance law. However, we’ve rolled out smart routing servers to still give you an Indian IP address.”
Proton AG Chief Executive Andy Yen explained the move, stating, “It’s going to have a chilling effect. I find it really sad that the world’s largest democracy is taking this path. On paper India is supposedly taking a different path from China and Russia.” Indeed, as TechDirt notes, this is not the first time VPN providers have pulled their services out of a country; similarly strict data collection and retention rules in Russia recently resulted in VPN providers exiting to protect user privacy. When announcing the new rules in April, CERT-In claimed they would “strengthen cyber security in India” and are “in the interest of sovereignty or integrity of India.” The regulations require VPN operators to collect and maintain customer names, email addresses, and IP addresses for at least five years, even if the customer has canceled their account.