Examining What Went Wrong for Optus
Also: State of Code Security and Vista Equity Partners Bids for KnowBe4
Anna Delaney (annamadeline) • September 29, 2022 • 18 Minutes
The latest edition of the ISMG Security Report discusses what went wrong for Optus in the wake of one of Australia's biggest data breach incidents, the state of code security today and the recent trend of private equity firms pursuing take-private deals.
In this report, you'll hear:
- ISMG's Jeremy Kirk explain how Optus, Australia's second-largest telecommunications company, suffered a massive knock to its reputation this week as it experienced one of the largest data breaches ever in the country's history;
- Tom Kellermann of Contrast Security discuss what concerns him the most about the state of code security today and what organizations can do to secure software development and supply chains;
- ISMG's Michael Novinson describe how Vista Equity Partners has joined Thoma Bravo in the take-private cybersecurity spree, offering to buy security awareness training behemoth KnowBe4.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Sept. 15 and Sept. 22 editions, which respectively discuss Twitter's security nightmare and financial giant Morgan Stanley's failure to invest in proper oversight in hard drive destruction.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Anna Delaney: How an unauthenticated API got Australia's second largest telco company into trouble, and how private equity firms have their eyes on take-private deals. These stories and more on this week's ISMG Security Report. Hello, I'm Anna Delaney. Optus - Australia's second largest telecommunications company - had a massive knock to its reputation this week, as it was revealed they experienced one of the largest data breaches ever in the country. Executive Editor Jeremy Kirk has been living and breathing the story for the past few days. Here he is sharing with me what exactly went wrong. Jeremy, you've been tracking the Optus story very closely, right from the start. Could you share a quick overview of what we know so far, including the intriguing twist to the story?
Jeremy Kirk: Optus is Australia's second largest telecommunications company. They came out and announced a data breach. Days later, they announced that it was a severe data breach - upwards of 10 million records. Days later, there was somebody on a data breach forum who said that they have the data, and that they would sell it to other cybercriminals unless Optus paid USD 1 million in Monero, which is a type of cryptocurrency. At that time, this person also released two samples of the data as well. Our question at that time was: is this the person that took this data? I had a look at the data and basically found that yes, it was indeed legitimate. Days later, the hacker turned up the pressure and dumped more records online that looked legitimate and then said, "I'll release more records unless the ransom is paid. I'll release 10,000 records a day unless the ransom was paid." After making that threat, just hours later, the hacker completely withdrew it, apologized and indicated in rough English that it was too high pressure of a situation, there were too many people watching this and just withdrew the extortion attempt. There's still a lot of issues around can we trust this person to delete it, and it hasn't changed the calculus for Optus, which is still facing the repercussions of an absolutely massive data breach. I think even aside from all that bizarre stuff around the extortion attempt, this breach in particular has brought to just the general public's consciousness the realities around the security of personal data.
Delaney: You've written a really detailed Twitter thread of what went wrong technically. Explain to us how 10 million customer records were stolen in the first place.
Kirk: This was tough because Optus wasn't saying much. An ABC story, which is the national broadcaster here, quoted a senior Optus executive saying that this was an unauthenticated API. This was an API that was left open to the internet that you didn't have to log into that was connected to Optus' entire customer database. Optus refuted that story. Once I started writing about it, somebody reached out to me, somebody who's in Australia, who's connected with somebody else who's close to the situation, and said, "Yeah, that's exactly what happened and here's the URL for the API." I thought, this is terrific but also the source is anonymous. I thought, I'll just ask Optusdata. That's the nickname of the person who took this data and say, "How did you get in?" and this person gave me the same URL as the other separate source. Now there were kind of like three sources to say that it was an unauthenticated API. Optus didn't contest my story or refute my story or anything like that. They're still doing incident response. This is still early in all of this, but I think we have a pretty clear idea as to how it happened.
Delaney: The grave mistake, of course, being that the API was connected to its customer database.
Kirk: I also asked the person, once you found it, what did you do next? This person said, I enumerated the records by customer ID. Customer ID was his little data field. Apparently these records are put into Optus' database in a sequential manner. This person just pulled them out, exfiltrated them numerically running through just a set of numbers. That was also kind of converging as well as being that's the reason. Other people said, that seems to be plausible.
Delaney: You've got extensive personal information such as a driver's license, Medicare numbers and passport numbers. Is it normal for telecom companies to keep all that data on file?
Kirk: They definitely asked for that data because oftentimes you're getting a phone on postpaid. They're billing you for it. They want to ensure that you're a good credit risk. That information is probably used against credit databases, but there's also probably a good question of why do you have to hold on to all this data this long. Optus has blamed data retention laws on the books in Australia; it's still not even clear what that law is. Telcos are required to retain certain amounts of information, but to give you an example of why this is so shocking: when I looked at that data on Saturday morning, this was one of the initial batches of data that was done, I recognized an address that was close to my house. I printed out this woman's data, went to her house, walked up the driveway, she was out in the driveway working in her yard. I said, "Is this your data?" She said, "Yeah, that's my data." She compared it. I asked her, "Are you an Optus subscriber?" She's like, "No, but I was until 2018." Here's a former customer who hadn't even been a subscriber of Optus for four years. Her data is still sitting in this live customer database. All the principles around information security are right - don't hold on to data that you're not using for any longer than you need to. This has prompted, you know, the government to look at what are the requirements for telcos. Maybe we need to change these requirements, if that's what Optus is saying is the reason for this, but I can't see any reason why you need to hold on to data that was four years old.
Delaney: As you say, this has caused a huge storm in Australia. It's been dubbed Australia's Equifax breach. It's so interesting to see the responses from the government versus Optus. What do you make of the clash?
Kirk: Yeah, absolutely. The government is absolutely furious about this, because 10 million people are furious about this. Australia's population is between 25 to 30 million. You've got 10 million customer records that are out there, three million of which have driver's license number or passport number, or Medicare number. Medicare is Australia's national health care system. There's a number that's affiliated with that. Some people have that affected too. The question right now is like, "people are worried what do we do? How could criminals use this, what do I need to do?" For some people, probably changing some of that data is probably good. But changing passports is expensive. Changing driver's license is a hassle. Several states in Australia are saying "we'll replace your driver's license for free," but they want Optus to pay for it. The federal government also is pressing Optus to reimburse the costs of people who have to get a reissued passport because of this breach. That's quite serious. If that comes to pass - it is still like really under discussion. It's a really intensive situation right now. But if that comes to pass, that's certainly an interesting development of the data breach world of holding the entity responsible for, rather than people having to bear that cost, having a company that's responsible for that - bear that cost.
Delaney: In all of this very thorough reporting, Jeremy, what questions for you remain?
Kirk: I think one question is - are they going to get this person who did this? Law enforcement here is focused on trying to get this person. Some people said, should we call this person a hacker? People in the security field say, "No, this was really easy." That's very true. I think for the general public, this person is a hacker, so to speak. But this person who perpetrated extortion, it's caused a lot of alarm. They're very serious offenses. Like I said, the AFP and the FBI are now working together to try to find this person. I know security researchers that I've spoken to over the last few days are also very focused on this case. I think after what happened with Uber with the Lapsus$ group, which has done some quite interesting attacks that have caused alarm for corporate security. The background of the whole ransomware issue right now is that governments are fed up with this because it's hitting a high level now. It's causing a lot of harm, it's going to cost a lot of money, too. I think the government in Australia has been very aggressive about this. They said they were going to offensively go after ransomware gangs similar to what the US has said as well. I think there's just less tolerance for this stuff anymore, as it affects people, which is understandable, I think.
Delaney: What can organizations take away from this, particularly when it comes to securing APIs?
Kirk: I had a good chat with some people about APIs and what the situation is here. We don't exactly know how they made the mistake, but we know that broadly, APIs are often exposed to the internet by accident, and other people find them. That's one thing. There's also configuration issues. It looked like this particular API might have gone live on the internet as far back as June. It also looked like it was recently configured to use Akamai, which is a sign that they were trying to hook this API up to a web application firewall to protect it. I spoke with some people who are good at API security. They usually say like in the development stage, when you're testing the functionality of an API, often they put security on last, because they want to make sure that the functionality of it works correctly. Because if you put the security on too soon, if there's a problem, you don't know if it's the security controls, or if it's just something in development that needs to be fixed. But when you don't have the security on that, it should be in a test environment, you should just be using, like dummy customer data and not live data. There's questions of like, maybe something happened in that transfer with that API when Akamai was put in front of it, or maybe it was just open for three months. We don't know, we can tell little things from the outside. This information comes because there's DNS records that show that the API changed and something happened. I stress that we don't know that this has happened. But we know that this is a broad security concern like misconfigurations. These are complicated systems.
Delaney: I'm sure more details will be revealed. As ever, superb investigative work, Jeremy. Thank you so much.
Kirk: Thanks for having me.
Delaney: Tom Kellermann is the newly appointed senior vice president of cyber strategy with Contrast Security. In an interview with our senior vice president of editorial, Tom Field, he discussed what concerns him the most about the state of code security today on the cusp of quarter four.
Tom Kellermann: Scanning is ineffective. There is insufficient context, insufficient ground truth. Application security must be continuous in this feed running from inside the application itself, which allows you to see vulnerabilities without guessing. You need to be able to see vulnerabilities in development and directly measure them against attacks in production. You must treat every vulnerability as a potential attack. The velocity of change requires that you discover zero days in libraries and frameworks as well. You need to conduct continuous monitoring across those environments. I think also we shouldn't be remiss and forget that we need to employ intelligence runtime protection. It's an imperative to eliminate entire classes of attacks, so that your developers can focus on what's important and be shielded from classes of attacks that are still viable.
Delaney: Vista Equity Partners has joined Thoma Bravo in the take-private cybersecurity spree, offering to buy security awareness training company KnowBe4. I caught up with our business editor, Michael Novinson, to find out more. Great to see you, Michael. You have written this week that Vista Equity Partners has put in an offer to buy security awareness training firm KnowBe4 at a $4.22 billion valuation. No small price there. Could you tell us more about this bid?
Michael Novinson: We've seen this push toward take-private deals starting back in last fall, when we saw the stock market peak and then accelerating this year as the economic downturn continues and private equity firms feel like they can get companies at a discount. We've seen SailPoint, Tufin, Proofpoint and Ping Identity go private, or talks on Darktrace going private. The latest coming out is this unsolicited nonbinding offer made by Vista Equity Partners to acquire KnowBe4 for $4.22 billion. KnowBe4 is the leader in the security awareness training market. One of the few standalone players. They went private just last year, so they've only been private for a shade over 15 months now. But they are the largest company that focuses just on security awareness training with about 1,500 employees. It's a good growing business, they have revenue growth in the mid-30s. They're profitable on a GAAP basis, which is very rare in the security industry. I think it's an opportunity for a large private equity firm like Vista to take a position and to own a clear category leader and clear market leader at a pretty reasonable price. For that reason, I can certainly understand why it would be appealing.
Delaney: KnowBe4 security awareness training company - why the buzz about them?
Novinson: We've seen a lot of consolidation in the security awareness training market. Now if we think about security as being a combination of people, process, and technology, security awareness training gets at the people portion of the equation. In recent years, we've seen a lot of vendors looking to pair their technology, particularly in the email security space, with trying to address the people issue through security awareness training capabilities. If you go back to 2018, we saw Barracuda, Proofpoint and Mimecast make acquisitions of security awareness training vendors. Barracuda bought PhishLine, Proofpoint bought Wombat and then Mimecast bought Ataata so that they can try to address the phishing issue technologically as well as to teach people what suspicious links or suspicious attachments look like. More recently, we saw Huntress buy Curricula, which is a smaller security awareness training provider, for $22 million to pair with their threat intelligence and their MDR technology. If you look at the security awareness training landscape today, there are very few standalone players left. KnowBe4 is by far and away the biggest at roughly 1,500 employees and it's public. After that, you'd have to take a pretty big step down to Cofense, which used to be PhishMe. It was taken private a couple of years ago, but there are a couple hundred employees and a significantly smaller endeavor than what KnowBe4 is doing. If you're a private equity firm and you want to stake a claim in the security awareness training market, there are very few options today and KnowBe4 is certainly the biggest way to get presence in that room.
Delaney: This reflects how private equity firms other than Thoma Bravo are now pursuing take-private deals. What are the movements you are tracking? Are we likely to see more of this trend occur?
Novinson: That's certainly something I'm keeping an eye on. Thoma Bravo historically has been very active in this take-private space recently with the deals to buy SailPoint, to buy Ping Identity. They are in discussions with Darktrace. They acquired Proofpoint in a take-private last year and then even if you go back a couple years, Barracuda, Sophos, Imperva were all take-private deals as well. It's a very common motion for how Thoma Bravo takes a stake in the company. Outside of them, it's something we haven't seen a ton for many other private equity vendors. We did have Turn/River Capital take Tufin private, but Tufin's significantly smaller than a lot of the companies we're talking about. It's always been perplexing to me. Thoma Bravo is pretty intelligent. They know how to make money. If they're doing this, why don't we see other folks doing this as well? It is interesting to see Vista come to the table here and try to do this. They have stakes in a few other security companies and some startups like Menlo Security that they've invested in. They did buy Benify outright, but they were pre-public. We haven't seen them do a take-private before. But I do have to wonder, especially with this market downturn, if others are going to start to see value as well and want to get on Thoma Bravo's party.
Delaney: Thank you so much, Michael, for this information. That's it from the ISMG Security Report. I'm Anna Delaney. Until next time.