At a glance.
- The Australian government reacts to Optus data breach.
- IRS issues warning about tax-themed smishing scams.
- Phishing scam exploits targets’ concerns about data theft.
The Australian government reacts to Optus data breach.
The aftereffects of the massive cyberattack on Australian mobile service giant Optus continue to ripple through the country. A hacker who claims to be connected to the breach has released two databases' worth of information he allegedly stole during the attack, and the compromised data include 2.8 million customers’ passport or driving license numbers. Naked Security notes that the Australian government is advising victims to replace their affected documents; with so many victims, total document renewal charges could amount to hundreds of millions of dollars.
Yahoo reports that some opposition lawmakers have been calling for the government to cover the costs, but Prime Minister Anthony Albanese disagrees. “We believe that Optus should pay, not taxpayers,” Albanese told Parliament. Yesterday Foreign Minister Penny Wong wrote to Optus CEO Kelly Bayer Rosmarin asking the company to confirm they’ll foot the bill. “There is no justification for these Australians — or for taxpayers more broadly on their behalf — to bear the cost of obtaining a new passport,” Wong wrote. Medicare data were also found in the leaked documents, and Health Minister Mark Butler says it’s unclear whether Optus customers will require new Medicare cards. “We’re very concerned … about the loss of this data and working very hard to deal with the consequences of that,” Butler stated. “But we’re particularly concerned that we were not notified earlier and consumers were not notified earlier about the breach of the Medicare data as well.” Optus previously agreed to offer its “most affected” customers free credit monitoring for a year, but has not yet responded to the government’s requests for document replacement costs.
Meanwhile, iTnews reports, hundreds of public servants across several agencies have been tasked with supporting the Australian Police Force’s breach investigation, dubbed “Operation Hurricane.” Home Affairs Minister Clare O’Neil explained in parliament on Monday, “For the Australian government more broadly, our focus now is doing whatever we can to help protect Australians who are affected by this breach.” O’Neil says the government is working with financial regulators and banking industry representatives to protect victims’ financial accounts, and that the government will “be providing additional protections on platforms such as myGov.” Assistant Commissioner for Cyber Command Justine Gough said an additional goal of the “lengthy” and “complex” investigation would be to determine who exactly was behind the attack.
Law firm G+T looks at what the breach could mean for data breach legislation going forward. The Shadow Minister for Home Affairs tabled a private member’s bill in Parliament on Monday called the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (Coalition Bill). If passed, it could introduce new criminal offenses for cyberattackers, new powers for enforcement authorities, and new maximum penalties ranging from 5 to 25 years’ imprisonment for cybercriminals. There’s also speculation that the Labor Government might counter the Coalition Bill by reintroducing the Ransomware Payments Bill 2021 (No. 2) (Labor Bill), which sets out mandatory reporting requirements for companies hit with ransomware attacks.
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, commented on recent developments in the Optus breach:
“The one thing always to keep in mind is that theft and profit are the desired outcomes that threat actors have in mind when carrying out cyberattacks. Methods like ransomware are simply the vehicles to get there, the tactical approach to get to those outcomes.
“To wonder if ransomware has gone too far is to wonder if crime in general has gone too far. Threat actors aren’t working within ethical boundaries or for the good of society, so they will go as far as they need to in order to create value for themselves. When the tactic—in this case, ransom request—ceases to yield the outcomes, they will abandon it for other more successful tactics. For conscientious citizens, any intrusion or breach is too far, so being aware and proactive is the first best action.
“This incident, however, serves as yet another reminder for all businesses to apply the strongest level of data-centric security to their datasets. Unlike access-based and perimeter-style defenses, which can be surmounted by experienced threat actors, data-centric security protects the data itself instead of the borders around it with methods such as tokenization and format-preserving encryption. No matter where the data goes, it remains protected even if it falls into the wrong hands. In a situation like Optus, if the data happened to be tokenized then the operation would have much less leverage over the company.”
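To illustrate the tokenization argument in the comment above, here is an added example written for this page (not comforte's software or anything Optus runs): document numbers are swapped for random tokens that keep the original format, and the mapping lives only in a separately held vault, so a leaked copy of the application table exposes none of the real values. The customer names, field names and document numbers are constructed.

```python
import secrets
import string

# Fields that reach the application database only as tokens (constructed schema).
SENSITIVE = ("passport", "licence")

class TokenVault:
    """Maps real values to random tokens of the same shape: digits stay digits,
    letters stay letters, so downstream format checks still pass. The mapping
    exists only here, and the vault is stored apart from the customer table."""

    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenize(self, value):
        if not any(c.isalnum() for c in value):
            raise ValueError("nothing to tokenize")
        if value in self._to_token:            # same value always gets the same token
            return self._to_token[value]
        while True:
            token = "".join(
                secrets.choice(string.digits) if c.isdigit()
                else secrets.choice(string.ascii_uppercase) if c.isalpha()
                else c for c in value)
            if token != value and token not in self._to_value:
                break                          # reject the identity and collisions
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        return self._to_value[token]           # KeyError for tokens the vault never issued

def tokenize_records(records, vault):
    """Copies of the records with every SENSITIVE field replaced by its token."""
    safe = []
    for rec in records:
        copy = dict(rec)
        for field in SENSITIVE:
            if rec.get(field):
                copy[field] = vault.tokenize(rec[field])
        safe.append(copy)
    return safe

def real_values_exposed(exported, originals):
    """Attacker's view: how many real document numbers can be read from an
    exported table without access to the vault."""
    real = {r[f] for r in originals for f in SENSITIVE if r.get(f)}
    return sum(1 for r in exported for f in SENSITIVE if r.get(f) in real)

# Constructed sample customers; the document numbers are made up.
CUSTOMERS = [
    {"name": "A. Example", "passport": "PA1234567", "licence": "12345678"},
    {"name": "B. Example", "passport": "PB7654321", "licence": ""},
]
```

Running `tokenize_records(CUSTOMERS, TokenVault())` yields the table the application would hold; `real_values_exposed` on that table returns 0, against 3 for the raw records.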
IRS issues warning about tax-themed smishing scams.
Yesterday the Internal Revenue Service (IRS) warned taxpayers of an increase in IRS-themed texting scams. This year the IRS has identified and reported thousands of fraudulent domains tied to multiple smishing operations targeting taxpayers, and these campaigns have increased exponentially in recent weeks. "This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages," said IRS Commissioner Chuck Rettig. "In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity." In the latest operations, attackers posing as IRS officials send messages aimed at convincing taxpayers to click on a link directing them to phishing websites that harvest their private information or potentially upload malicious code to their devices. The IRS is reminding the public that it never sends emails or text messages asking for personal or financial information or account numbers, and targeted taxpayers should report such messages to firstname.lastname@example.org.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the implications of this threat for individual and organizational readiness:
“That is why it is crucial that we create a personal and organizational culture of healthy skepticism, where everyone is taught how to recognize the signs of a social engineering attack no matter how it arrives (be it email, web, social media, SMS message, or phone call), and no matter who it appears to be sent by.
“Teach yourself, your family, your friends, and your co-workers how to spot the signs of a scam message. Most scam messages have 3 traits in common. First, they arrive unexpectedly. The user wasn't expecting it to arrive. Second, the sender is asking the user to do something new and unexpected for the first time from that sender. For example, click on a URL link, download a document, log in to a website, get gift cards, send private, confidential information, etc. Third, and this is definitely a scammy sign, the sender says or writes something that is supposed to stress the user to do that requested action right away. Examples include threats that the user's account will be suspended if they don't take action, that the user will be causing their organization to lose business or to lose a significant discount, or otherwise, something negative will happen if the user does not take action now. Any message, no matter how it arrives, if it includes these three traits, should be considered suspicious until otherwise proven legitimate. Users should be trained on how to recognize the signs of a potential social engineering scam, how to verify its legitimacy one way or another (e.g., call the requestor directly on a known good phone number or go to the website directly at a known good, legitimate URL, etc.), and how to treat it if it is determined to be a scam. At home, you'd probably delete it and maybe tell the rest of the family and your friends so they don't become victims. At work, the scam should be reported to the Help Desk, IT, IT Security, or whatever is the appropriate way to report social engineering scams.
“You want to train people...give them awareness about the common traits of most scam messages, examples of different types of scams, and what to do when they suspect one. If done well...and most organizations ARE NOT focusing enough on security awareness training, it can prevent social engineering scams whether they are the regular, run-of-the-mill, misspelled variety, or a sophisticated, thoughtful scam coming from a sender who the receiver might otherwise trust a whole lot. We have to communicate to everyone that they need to have a culture of healthy skepticism. The Internet, email, SMS messages, and phone calls cannot be trusted by default anymore.”
Phishing scam exploits targets’ concerns about data theft.
In another phishing scam, the FTC's Consumer Advice says it has received reports of an operation in which people receive emails supposedly warning them that their sensitive personal information is being sold on the dark web. The senders, ironically, are likely cybercriminals themselves, preying on victims’ fears of data theft in order to steal that data themselves. Recipients should refrain from clicking on any links in the emails or calling any listed phone numbers, as they could be coerced into handing over private data. Targets are also advised to change the passwords on any associated accounts and monitor their credit reports for any suspicious activity.
NordVPN's Daniel Markuson wrote to share how quickly a threat actor can move on personal information, but recommends that consumers avoid over-reacting:
“Hackers can take as little as 6 seconds to brute-force a payment card. Afterward, they can try to use the card themselves or sell it on the dark web. If something in your bank statement seems suspicious, make sure to contact your bank to block or at least freeze your card.
“The actions you take should depend on what kind of private information you think could be sold on the dark web. If you think some of your document information (such as passport or driving license number) has been exposed — it is better to contact police to avoid identity theft,” he concludes.