You’re a big telecommunications company in a large country, with tens of millions of customers. In order to verify people’s identity, you collect their names, phone numbers, emails, dates of birth, and some special identifying factor such as a social citizen ID number or a driver’s license number. And hopefully that information would be under several forms of lock and key.
Unfortunately for an Australian telecommunications company in September 2022, that was not the case. A hacker, heretofore anonymous, was able to steal 11.2 million customer records through an unauthenticated API endpoint. The impact was immediate: the attacker hit the company with a $1M (USD) ransom notice and released a subset of 10,200 records to the dark web. From there began the phishing attacks, as some customers received texts demanding a $2,000 (AUD) ransom or the release of their personal data.
The story broke recently and is still developing, so not all the details can be confirmed. But from what’s been disclosed to date, here’s what happened:
Sequence enabling the breach:
- The company set up an API as part of a tool to allow customers to check and alter their accounts.
- This API was publicly available on the internet.
- Apparently, the company had set up the customer records such that one of the fields, “contactid”, was sequentially assigned.
- This meant that the attacker could simply query the API with successive contactid values, returning the PII (Personally Identifiable Information) that included names, phone numbers, emails, and license numbers.
All of this was possible without any authentication checks by the API.
This is a worst-case implementation of API security. Leaving an API online that does not require authentication is just asking for trouble, no matter how innocuous it may seem, as there will often be some field that hackers can guess and iterate over. But it’s not all bad news. For one, the company did have some monitoring procedures and was able to detect that a suspiciously large amount of data was being downloaded. They shut off the endpoint, which, while it did not prevent the initial breach, at least closed the door to other potential attackers.
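The following is an added illustration of the two failures above and of the kind of monitoring check that caught the download; it is not code from the company or from the original post, and the customer table, the session store, the log format (`<ip> GET /api/contact/<contactid>`) and the log lines are all constructed. It contrasts the unauthenticated lookup with a hardened version that authenticates the caller and checks record ownership, and walks an access log looking for a client stepping through consecutive contactid values.

```python
"""Added model of the breach pattern: a customer-lookup endpoint keyed on a
sequential contactid. Customers, sessions and log lines are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed customer table; contactid is a small sequential integer.
CUSTOMERS = {
    1001: {"name": "A. Example", "phone": "+61-400-000-001", "licence": "LIC-0001"},
    1002: {"name": "B. Example", "phone": "+61-400-000-002", "licence": "LIC-0002"},
    1003: {"name": "C. Example", "phone": "+61-400-000-003", "licence": "LIC-0003"},
}
# Hypothetical session store: bearer token -> contactid the caller is logged in as.
SESSIONS = {"tok-alice": 1001}

def lookup_vulnerable(contactid: int) -> Optional[dict]:
    """The pattern described in the post: no authentication and no ownership
    check, so anyone can walk contactid upward and harvest every record."""
    return CUSTOMERS.get(contactid)

def lookup_hardened(token: Optional[str], contactid: int) -> Optional[dict]:
    """Authenticate the caller, then require that the requested record is the
    caller's own (the object-level authorization check the endpoint lacked).
    Unauthenticated and 'not yours' both return None, so the response does not
    reveal which ids exist."""
    owner = SESSIONS.get(token) if token else None
    if owner is None or owner != contactid:
        return None
    return CUSTOMERS.get(contactid)

def enumeration_alerts(log_lines: List[str], window: int = 5) -> List[str]:
    """Monitoring check over access-log lines shaped like
    '<client_ip> GET /api/contact/<contactid>'. Reports each client whose last
    `window` requests hit strictly consecutive contactids, the signature of a
    sequential key space being walked."""
    seen: Dict[str, List[int]] = defaultdict(list)
    alerts: List[str] = []
    for line in log_lines:
        ip, _method, path = line.split()
        seen[ip].append(int(path.rsplit("/", 1)[1]))
        recent = seen[ip][-window:]
        if len(recent) == window and ip not in alerts and all(
            b - a == 1 for a, b in zip(recent, recent[1:])
        ):
            alerts.append(ip)
    return alerts

# Constructed log: one client walks ids 1001..1006, another fetches its own record twice.
SAMPLE_LOG = [f"203.0.113.7 GET /api/contact/{i}" for i in range(1001, 1007)]
SAMPLE_LOG += ["198.51.100.2 GET /api/contact/1001", "198.51.100.2 GET /api/contact/1001"]
```

Running `enumeration_alerts(SAMPLE_LOG)` flags only the walking client; in practice the window and the consecutiveness rule would be tuned to the endpoint's real traffic.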
Further, the work of the Australian authorities, whom the company contacted instead of acceding to the ransom demand, seems to be progressing effectively. Reportedly, the attacker has deleted the stolen data and is no longer selling it, although this cannot be independently confirmed. It is entirely possible they have already sold the data to interested parties.
As always, the cleanup will likely be way more expensive than prevention would have been.
Updated Oct 4, 2022
The firm has now confirmed that 2.1 million personal IDs were exposed as part of the breach.