[AusNOG] Optus Hack

John Edwards jaedwards at gmail.com
Wed Sep 28 09:45:13 AEST 2022


It's within the industry's living memory that Australia's biggest telco
used to publish a physical book with everyone's personal information in it.

Most of our telco privacy legislation evolved from how things got in this
book, which was an "open by default" model.

The very first Optus retail customers were those who dialled an override
code on a Telstra phone line for cheaper STD rates. Telstra then provided
personal details for billing, even though no-one had an existing
relationship with Optus.

John




On Tue, 27 Sept 2022 at 22:59, James Murphy <jamesmurphyau at me.com> wrote:

> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws
> about a telco (or any business other than a credit reporting body) storing
> this level of information - specifically a drivers license number or date
> of birth (passport number isn't mentioned)
>
> "identification information" is the term that includes a drivers license
> number and date of birth
> "Credit information" is the term that includes "identification
> information" about an individual (therefore includes drivers license number
> and date of birth)
>
> There are only laws about how long a credit reporting body stores this
> information. A credit provider (ie Optus) doesn't need to store it, but
> does need to provide it to the credit reporting body - so they need to
> collect it and share it but they don't need to store it.
>
> For the data a telco does need to store - which looks to be added in the
> "Telecommunications (Interception and Access) Act 1979", they all talk
> about "personal information" (which doesn't specifically include date of
> birth or drivers license number, so you would be complying with that law if
> you didn't store those pieces of data - provided you can reasonably
> identify a person with the data you do store)
>
> From the Privacy Act:
>
> *personal information* means information or an opinion about an
> identified individual, or an individual who is reasonably identifiable:
> (a) whether the information or opinion is true or not; and
> (b) whether the information or opinion is recorded in a material form or
> not.
> Note: Section 187LA of the Telecommunications (Interception and Access)
> Act 1979 extends the meaning of personal information to cover information
> kept under Part 5-1A of that Act.
>
>
> So the argument that they need to store this by law - to me (a software
> developer/techy who sometimes can spend hours reading shit like this trying
> to pick holes in it - so: not a lawyer) - doesn't seem valid.
>
> If this is required by law, I would love to understand how (ie which
> laws/acts cover it)
>
>
>
> On 27 Sep 2022, at 16:46, Serge Burjak <sburjak at systech.com.au> wrote:
>
> https://www.oaic.gov.au/privacy/the-privacy-act
>
> Covers it pretty well.
>
> On Tue, 27 Sept 2022 at 16:36, James Murphy <jamesmurphyau at me.com> wrote:
>
>
> Does anyone know which laws cover the data they were keeping?
>
> Did a search for anything with "telecommunication" in the name (link),
> found 71 results and downloaded 73 PDF files (C2022C00170
> Telecommunications Act 1997 had 3 files, all others had 1 file), and can't
> find anything that mentions keeping this level of data.
>
> The closest thing I found was in the following:
>
> C2022C00151 - Telecommunications (Interception and Access) Act 1979
> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data
> Retention) Act 2015
> C2021A00078 - Telecommunications Legislation Amendment (International
> Production Orders) Act 2021
>
> which contained the following two sections that seem to cover
> identification information - there doesn't seem to be anything that says
> they need to collect or store to the level that Optus seems to have done..
> Almost reads like you could store name and address (without DOB?) and that
> would be adequate enough (but I'm not a lawyer so who knows).. Am I looking
> in the wrong place/at the wrong laws?
>
> 13 Identification of a particular person
> For the purposes of this Schedule, a particular person may be identified:
> (a) by the person’s full name; or
> (b) by a name by which the person is commonly known; or
> (c) as the person to whom a particular individual transmission service is
> supplied; or
> (d) as the person to whom a particular individual message/call application
> service is provided; or
> (e) as the person who has a particular account with a prescribed
> communications provider; or
> (f) as the person who has a particular telephone number; or
> (g) as the person who has a particular email address; or
> (h) as the person who has a particular internet protocol address; or
> (i) as the person who has a device that has a particular unique identifier
> (for example, an electronic serial number or a Media Access Control
> address); or
> (j) by any other unique identifying factor that is applicable to the
> person.
>
>
> and
>
> 187AA Information to be kept
> (1) The following table sets out the kinds of information that a service
> provider must keep, or cause to be kept, under subsection 187A(1):
> Item 1
>
> Topic: The subscriber of, and accounts, services, telecommunications devices and
> other relevant services relating to, the relevant service
>
> Description of information: The following:
>
> (a) any information that is one or both of the following:
>
> (i) any name or address information;
>
> (ii) any other information for identification purposes;
>
> relating to the relevant service, being information used by the service
> provider for the purposes of identifying the subscriber of the relevant
> service;
>
> (b) any information relating to any contract, agreement or arrangement
> relating to the relevant service, or to any related account, service or
> device;
>
> (c) any information that is one or both of the following:
>
> (i) billing or payment information;
>
> (ii) contact information;
>
> relating to the relevant service, being information used by the service
> provider in relation to the relevant service;
>
> (d) any identifiers relating to the relevant service or any related
> account, service or device, being information used by the service provider
> in relation to the relevant service or any related account, service or
> device;
>
> (e) the status of the relevant service, or any related account, service or
> device.
>
>
>
> On 27 Sep 2022, at 11:12, Nathan Brookfield <
> Nathan.Brookfield at iperium.com.au> wrote:
>
> They’re legally obligated to retain it, but why is it on the API and why
> is it not encrypted?
>
> Looking at the data some fields are hashed and then repeated in the bloody
> clear :(
>
> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote:
>
> My understanding was that the data included the 100 points of ID info.
> Why are they retaining this? Surely after confirming the 100 points there
> only needs to be a record "100 points provided"=true and not retain the
> actual details. This goes back to only keeping the private data you need.
>
> regards,
> Glenn
>
> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>
> Personally, I find putting Authentication on my API endpoints to be a
> FANTASTIC first step towards API security.  And then not even using
> public IP addresses in test environments is a pretty good second
> step..  </onlyhalfsarcasticherewhydoesthiskeephappening>
> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <bevan at slattery.net.au>
> wrote:
>
> Hi everyone,
> Obviously a big week in telco and cybersecurity.  As part of my work
> I am on the Australian Cyber Security Industry Advisory Committee as
> an industry representative.
> I am keen to look at opening up a dialogue with more and more telco,
> DC and Cloud CISOs on what they are doing around this issue and
> looking to take a proactive step towards best practice on customer
> data and system security.
> There will be some pretty serious consequences of this hack on the
> industry and importantly we need to make sure we are as best placed
> to help each other continually increase in security posture through
> best practice, but also working with each other as an industry.
> Are people keen on having an online/VC session sometime in the next
> few weeks where like-minded industry participants get together and
> discuss security, retention, encryption, threat detection etc.?  If
> so, just ping me directly and if there is enough interest I will
> send out an invitation to the list for a call.
> Cheers
> [b]
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
>
> --
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> rendrag at rendrag.net -  http://www.rendrag.net/
> --
> We rode on the winds of the rising storm,
> We ran to the sounds of thunder.
> We danced among the lightning bolts,
> and tore the world asunder
>
>
>
>
>
>
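Two points in the quoted thread are really about the shape of the record that survives the identity check: Glenn's suggestion to retain "100 points provided" rather than the documents themselves, and Nathan's observation that a field was hashed and then repeated in the clear. The following is an added example, not code from the thread, from Optus or from any operator. It assumes the business needs proof that the check passed, a way to spot the same document being reused across accounts, and an audit timestamp; the HMAC key, the point values and the verifier callback are stand-ins for illustration.

```python
"""Retain the outcome of an identity check, not the identity documents.

Added example (not from the AusNOG thread). Everything here is
illustrative: DOC_HMAC_KEY, the point values passed by the caller and
the check_document callback are assumptions, not any operator's code.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Callable, Iterable

# Constructed example key. In a real deployment this lives in a KMS/HSM,
# separate from the records: an unkeyed hash of a short licence number is
# brute-forceable by anyone who obtains the dump.
DOC_HMAC_KEY = b"constructed-example-key-do-not-use"

REQUIRED_POINTS = 100


def doc_fingerprint(doc_type: str, doc_number: str) -> str:
    """Keyed, one-way fingerprint of an ID document.

    Lets the operator detect one licence or passport being presented for
    several accounts without storing the number itself.
    """
    canonical = f"{doc_type.lower()}:{doc_number.replace(' ', '').upper()}"
    return hmac.new(DOC_HMAC_KEY, canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class VerifiedIdentityRecord:
    """What is kept after the 100-point check: the attestation only."""
    customer_id: str
    points_presented: int
    passed: bool
    checked_at: str
    doc_fingerprints: list[str] = field(default_factory=list)

    def to_json(self) -> str:
        # This is the only form that should reach storage or an API.
        return json.dumps(asdict(self), sort_keys=True)


def verify_and_record(
    customer_id: str,
    documents: Iterable[tuple[str, str, int]],
    check_document: Callable[[str, str], bool],
) -> VerifiedIdentityRecord:
    """Run the point check, then keep only the result.

    documents: (doc_type, doc_number, points) triples as presented.
    check_document(doc_type, doc_number) is the external verifier
    (hypothetical here; a document verification lookup in practice).
    """
    points = 0
    fingerprints = []
    for doc_type, doc_number, doc_points in documents:
        if not check_document(doc_type, doc_number):
            continue  # a rejected document earns no points
        points += doc_points
        fingerprints.append(doc_fingerprint(doc_type, doc_number))
    # The plaintext numbers go out of scope here; nothing below sees them.
    return VerifiedIdentityRecord(
        customer_id=customer_id,
        points_presented=points,
        passed=points >= REQUIRED_POINTS,
        checked_at=datetime.now(timezone.utc).isoformat(),
        doc_fingerprints=sorted(fingerprints),
    )


def leaks_document_numbers(serialized_record: str, doc_numbers: Iterable[str]) -> bool:
    """Check for the 'hashed, then repeated in the clear' failure.

    Returns True if the stored or API form of a record still carries any
    raw document number, whatever else it hashes.
    """
    blob = serialized_record.replace(" ", "").upper()
    return any(n.replace(" ", "").upper() in blob for n in doc_numbers)
```

The record can still answer "did this customer pass, when, and on how many points", and the fingerprints still let a later signup with the same document be matched, but a dump of the table contains neither licence nor passport numbers. `leaks_document_numbers` is the check to run against whatever the API actually serialises, since the failure Nathan describes is exactly a hashed field sitting next to its plaintext.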