Optus admits to three big data breaches

Optus has admitted to three data breaches affecting more than 300,000 customers and promised the Australian Privacy Commissioner it will complete an independent review of its IT security systems and implement any recommendations.

Privacy Commissioner Timothy Pilgrim commenced an investigation into the security breaches in July last year after Optus voluntarily notified Pilgrim of the three incidents.

Pilgrim said Optus took steps to contain the incidents after it become aware of them and co-operated with the OAIC.

‘I appreciate the positive way in which Optus worked with our office to address these incidents. I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act," Pilgrim said.

In one of the breaches, a coding error made during changes to Optus' website in February 2013 resulted in the names, addresses and mobile phone numbers of 122,000 customers who had elected to remain unlisted from the White Pages to be published in the online directory without their consent.

"The information of the majority of those customers was also published in various print editions of the White Pages," the Privacy Commissioner's report stated.

The coding error meant Optus' systems erroneously changed the White Pages listing preferences for those customers from ‘No’ to ‘Yes’ when they completed a rate plan change via Optus’s website.

Optus was notified of the issue via a customer complaint in April 2014 and informed the OAIC on June 3 of that year, the Office said.

The second incident related to a change to Netgear and Cisco modems in the telco's network - Optus "deliberately left the management ports for these models of modems open, incorrectly assuming they were only accessible for network management purposes," the OAIC said.

The telco also issued 197,000 of the Netgear modems and 111,000 of the Cisco models to customers with factory default settings, which included user default names and passwords, and additionally failed to conduct connectivity testing.

"These two issues in combination meant that Optus customers using the equipment who did not change the default user name and passwords were left vulnerable, potentially allowing a person to make and charge calls as though they were the Optus customer," the OAIC said.

Optus was made aware of the issue through media reports in early April 2014, and notified the OAIC on April 17. It closed off the vulnerability on April 4.

The OAIC said there was no evidence the security vulnerability was exploited.

The third data breach left a number of Optus customers open to spoofing attacks, the OAIC reported.

The issue stemmed from a "flaw in Optus’s security processes [which] led to certain customers not being prompted for their password when attempting to retrieve voicemail information from outside the Optus network", the OAIC said.

Optus failed to identify the issue during testing, meaning in cases where user voicemail accounts weren't password protected, attackers could potentially access the accounts and change preferences.

The telco notified the OAIC on May 14 last year after being made aware of the issue on April 28, the Office said.

More than 100,000 Optus customers were affected by each incident.

"The security measures in place were not reasonable to protect the personal information that Optus held, particularly in relation to the White Pages incident," the OAIC wrote.

"In each case, there was a failure by Optus to detect the incidents; the incidents were brought to Optus’s attention by third parties. This resulted in Optus experiencing substantial delays in taking action to contain each incident, which also prolonged the duration of the risk to affected individuals."

Optus corporate affairs boss David Epstein said Optus had resolved the issues, reviewed and enhanced its processes, and engaged external auditors.

"Optus has co-operated with the Privacy Commissioner and provided an undertaking to obtain an independent external review of its compliance with privacy laws," he said.

"Affected customers were notified in 2014 and we worked with individuals to address their concerns at that time. We will continue to review our processes and systems to prevent future mistakes."

The data breaches highlight concerns from privacy groups, industry and certain members of parliament that the Government's just-passed data retention legislation will create a honeypot for hackers.

Optus rival Telstra today pledged to secure the non-content data it is now legally required to store on customers for two years. 

The data retention bill includes a provision for mandatory data breach notification, which will require telcos and ISPs to notify the Privacy Commissioner in the event of a breach. The notification scheme is scheduled to be introduce before the end of the year.