People make mistakes
or… Why the ‘Pokemon’ approach has to stop
I’ve been watching the unfolding disaster for Optus and, more importantly, its customers over the last few days.
My initial thoughts are that this seems to be a failure of governance rather than an elaborate ‘Mission Impossible’ style hack.
Assuming the initial reports are correct, the cyber equivalent of the back door of the hall was propped open. An unauthenticated API (Application Programming Interface), used to allow different systems to exchange data, was exposed to the Internet. Not surprisingly, an enterprising and shady person has used this to extract data. The alleged hacker (and there may be many, because it was an open door) seems to have been able to extract the data using standard commands and without any secret knowledge, according to this article by Jeremy Kirk.
Mistakes happen; people are fallible. Cyber-defenders need to get things right all the time, while the attackers only need to be right once. That’s why this event seems to indicate a failure of information security governance. There should have been a process in place to assess the risk of this action and to monitor it. It would seem that the action of one person has put a large proportion of Optus’ information at risk. In an organisation with good security governance, it should not be possible for this to occur without a decision being made by ‘Top Management’.
Gotta Collect ’em all needs to stop
Lastly, we have to kill the Pokemon approach to information. ‘Gotta collect all information’ is not a good approach to customer data. Government agencies and large corporations are obsessed with collecting information about us because they can, and on the face of it there is very little cost. The reality is that the costs are hidden. Keeping sensitive data after you need it makes your organisation a target for foreign intelligence and makes the consequences of stuff-ups bigger.
If you don’t have some sensitive information, you can’t lose it.
The irony is that we have a world-beating identity verification system in Australia called the Document Verification System. The DVS allows an organisation to validate passports and licences against the source, so no fake documents. Importantly, it is designed to be privacy enhancing: if a telco checks your ID, it doesn’t need to keep a copy of your passport or licence, it just records the result of the check, which can be verified later. A hacker can’t use that record to harm the customer.
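As an added illustration (my own sketch, not code from this post and not the DVS API, which the post does not describe in detail): the ‘keep the result, not the document’ pattern in Python. The source-check stub, the receipt fields and the key are all assumptions; the point is that the stored receipt carries the outcome and an integrity tag, but nothing a thief could reuse.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Fields a customer-facing system has no need to retain once the check is done.
DOCUMENT_FIELDS = ("document_number", "date_of_birth", "document_image")

def verify_with_source(document: dict) -> bool:
    """Constructed stand-in for the authoritative source check (NOT the DVS API).
    It answers pass/fail only; the real service is the source of truth."""
    return document.get("document_number", "").startswith("P")  # constructed rule

def record_check(customer_id: str, document: dict, receipt_key: bytes) -> dict:
    """Run the check, then keep a receipt holding the outcome and an integrity
    tag, but none of the document's own fields."""
    outcome = verify_with_source(document)
    receipt = {
        "customer_id": customer_id,
        "document_type": document["document_type"],
        "outcome": "verified" if outcome else "failed",
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    # HMAC over canonical JSON so a later edit to the outcome is detectable.
    body = json.dumps(receipt, sort_keys=True).encode()
    receipt["tag"] = hmac.new(receipt_key, body, hashlib.sha256).hexdigest()
    return receipt

def receipt_is_valid(receipt: dict, receipt_key: bytes) -> bool:
    """Re-derive the tag over the receipt without its tag; compare in constant time."""
    untagged = {k: v for k, v in receipt.items() if k != "tag"}
    body = json.dumps(untagged, sort_keys=True).encode()
    expected = hmac.new(receipt_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt.get("tag", ""))

def leaks_document_data(receipt: dict) -> bool:
    """True if the stored record still carries any raw document field."""
    return any(field in receipt for field in DOCUMENT_FIELDS)

if __name__ == "__main__":
    key = b"constructed-receipt-key"  # in practice, held in a KMS/HSM, not in code
    passport = {"document_type": "passport", "document_number": "PA1234567",
                "date_of_birth": "1980-01-01"}  # constructed sample, never stored
    receipt = record_check("cust-42", passport, key)
    print(receipt, receipt_is_valid(receipt, key), leaks_document_data(receipt))
```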
The Pokemon approach needs to stop. I want to live in a world where I don’t get asked for my exact birthdate before a large telco will answer my question about which router works with the NBN.
Updated – minor edits, thanks Mark