Just two weeks after Australia’s second-largest telecoms company was hacked, the largest in the market has suffered a data breach. The Telstra breach appears to be relatively minor as compared to the Optus hack, however, as the company reports only a “small amount” of employee data was exposed.
Source of Telstra data breach still unknown, 30K employee files impacted
While the Telstra data breach is considered “relatively” minor given the size of the company, it nevertheless included a substantial amount of records; the company says that some 30,000 employee files dating back to 2017 were exposed. However, the information in each was apparently extremely basic with just names and email addresses contained in most of the breached files.
If that assessment holds up it compares quite favorably to the Optus hack, which exposed the customer records of millions of Australians including driver’s license and passport numbers. The hacker sought profit from the attack, pledging to publicly release the customer records of 10,000 people per day until they received $1 million in ransom. A 19-year-old Sydney man was arrested on October 5 after texting 93 of the victims demanding an individual $2,000 ransom from each, but police say that the man is likely not the breach perpetrator and simply made use of data that the attacker had already made public.
Telstra says that no customers were impacted by the more recent data breach, only current and former employees that were with the company over roughly the past five years. There is also not much detail as of yet about how the data breach happened, in contrast to the quick assignment of blame by the Australian government in the case of the Optus hack. That breach is suspected to have originated from an unprotected API that was mistakenly exposed to the internet. Telstra only said that the data breach was at a “third party provider” and did not involve its internal systems, and that a little under half of the exposed records belonged to current employees.
There is no concrete connection between the two data breaches as of yet, but the Telstra attacker took to the same underground forum that the Optus hacker used to attempt to peddle their wares. The attacker was also offering similar data from National Australia Bank (NAB), which the firm said did not include customer banking or financial information. Telstra and NAB both said that the data breaches occurred via a third-party provider called Work Life NAB that is no longer in business.
Camellia Chan, CEO and Founder of X-PHY, notes that this is yet another in a long chain of vendor-originating data breaches and sees it as a call to implement zero trust: “What we know is that an intrusion of a third-party organization exposed employee data dating back to 2017. This shows even large organizations that believe they have the most robust security posture are still at risk if businesses in their supply chain are a weak link. The lesson companies can immediately take away is that no company is safe from cyber criminals. Organizations need security measures that go above and beyond antivirus software alone, with mitigating cybersecurity infrastructure that addresses vulnerabilities created by human error. A solution with a ‘zero-trust’ framework where all requests are thoroughly scrutinized to ensure no threats can bypass and touch the precious data is needed. As an example, incredible advancements in technology mean it’s now possible to have AI-infused SSDs embedded into devices to protect against every type of attack, from ransomware and malware all the way to physical security so data is always safe.”
Telstra, Optus hacks prompt cyber defense improvements
The relatively limited information exposed by the Telstra breach is good news for Australians who are facing backlogs at government departments as much of the country lines up to have its identification numbers changed due to the scope of the Optus hack. The incident prompted the government to begin immediate work on new cyber security and reporting regulations for the country’s private businesses, starting with new requirements for banks to quickly secure customer accounts in the wake of large dumps of personal information.
Though reportedly only about 150,000 passport numbers and 50,000 Medicare numbers were leaked, the Optus hack has created something of a general panic across the country as the news reports more than 10 million records accessed and no one is sure if their personal information was among the exposed data. The Telstra data breach appears to be limited to the signup process of a third-party rewards system for company staff, but having the country’s two biggest telcos suffer cyber intrusions in a matter of weeks has prompted obvious and serious concern about the security of critical services.
The Security Legislation Amendment Bill 2022, which was passed early in the year and went into effect in April, included new cybersecurity requirements for “systems of national significance.” Communications is one of the 11 covered critical infrastructure sectors and companies in this industry can be required to implement a government-mandated Risk Management Program if there is reason to activate it due to a hazard. There are also additional security requirements for a smaller subset of critical assets, though it is not clear if the situation merits applying this standard to the telcos.
Parliament also passed laws with stronger penalties for ransomware attacks in February, which include maximum penalties of up to 25 years if critical infrastructure companies are targeted. However, these new rules may not apply in cases of data extortion where ransomware is not actually deployed; ransomware also generally comes from foreign countries from which there is no reasonable possibility of extraditing criminals.
Erfan Shadabi, cybersecurity expert with comforte AG, points out that the modern threat landscape calls for a data-centric security perspective: “This breach follows a typical, but preventable pattern: a third party was compromised and mass PII data was exposed. Telecommunication companies are among the most lucrative attack targets; given their cloud connectivity and sensitive data accumulation potential for theft, they are in the attackers’ spotlight all the time. What this clearly points to is the acute need for data-centric security that goes beyond perimeter security and compliance checklists into managing specific data threat risks, neutralizing them in the event of the inevitable breach to make it a non-event. Best of all, data-centric security travels with data, no matter where it goes. Inspecting your data security measures with an eye toward protecting the data itself is a good allocation of time and can only provide beneficial outcomes.”