Australia asks FBI to help find attacker who stole data from millions of users

Australian authorities have asked the United States Federal Bureau of Investigation (FBI) to assist with investigations into the data breach at local telco Optus. Attorney general Mark Dreyfus yesterday revealed the FBI was asked to help identify the entities involved in the attack, which saw Optus leak data describing over …

  1. Anonymous Coward

    Only a matter of time

    Governments want you to ID yourself online for all manner of services.

    Everything we provide is ripe for the picking, eventually*

    * if not already

    1. john.jones.name
      Mushroom

      No...

      No we should not put up with this

      They stored these details unhashed and allowed employees to query it.

      This is exactly how passwords were stored previously, before anyone with a clue started to have doubts (think 1970).

      They should have been hashed (so you can still compare easily enough) and only decrypted by a select few, i.e. legal when dealing with warrants.

      This is exceptionally bad design.

      It's going to cost the government (taxpayers) a lot of pain and money dealing with the fallout of a private company's failure.

  2. Berny Stapleton

    Right to be forgotten

    Hey Simon,

    What do you think of the idea that there should be a one time use against a govt API to do identity verification and then the token is kept and nothing more?

    I know that there are systems in place to do online document verification (driver's licence / passport) against govt systems, why not mandate something like this instead?

    Berny

    1. ssharwood

      Re: Right to be forgotten

      I certainly welcome anything that means the likes of Optus see no need to store masses of personal data. Gov-run IDaaS could be that thing. India has done it. Whether I trust gov.au to build and run it is another matter ...

      1. Woodnag

        Gov-run IDaaS

        If it's a Gov-run IDaaS, then when (not if) it is breached, the denials and coverup will be immense.

        In any country.

    2. Dagg Silver badge

      Re: Right to be forgotten

      a govt API to do identity verification

      What do you mean! Do you actually want to trust a government! No frickin way...

  3. scottyman

    The thing that kills me here is that due to metadata retention requirements, when you close your account - these companies keep your information on file.

    I've since found out that Telstra still have my personal information after closing my account with them over 6 years ago.

    There are better ways to store this kind of data, especially since it's only used for ID checking when you initially open an account and are credit-checked.

    1. Berny Stapleton

      My personal vote is that it's all re-processed, replaced with a token, and then deleted. You can't lose what you don't have.

    2. John Brown (no body) Silver badge

      "after closing my account with them over 6 years ago."

      From what I've read here and elsewhere, they have to keep the data for 6 years. So if they still have it after 6 years, then it's time they deleted it. I don't know if they have a legal requirement to delete after the minimum retention period though. Odds are, that wasn't part of the law as written, i.e. a minimum retention time is stated but no maximum.

      I fully agree with what Berny says above though. There's no real need to keep any data long term, just a token confirming the data has been seen, verified and then deleted. No need to store most of it any longer than it takes to verify.
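
The design sketched in the two comments above (john.jones.name's "hashed so you can compare, decrypted only under warrant" and Berny/John Brown's "verify, keep a token, delete the rest") can be made concrete. The following is an added example written for this page, not code from Optus, The Register or any commenter. It assumes a per-tenant secret key (held in an HSM/KMS in practice; generated at random here), a constructed in-memory stand-in for a government document-verification lookup, and hypothetical function and field names.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-tenant key kept in an HSM/KMS, reachable only by the
# warrant-handling path. Random bytes stand in for it in this example.
TENANT_KEY = secrets.token_bytes(32)

# Constructed stand-in for a government document-verification service:
# (document type, number) -> holder attributes the issuer will confirm.
ISSUER_RECORDS = {
    ("passport", "PA1234567"): {"name": "Jane Citizen", "dob": "1990-01-02"},
    ("licence", "VIC123456"): {"name": "John Smith", "dob": "1985-07-30"},
}


def canonical(doc_type: str, doc_number: str) -> bytes:
    """Normalise type/number so the same document always hashes the same way."""
    return f"{doc_type.lower()}:{doc_number.strip().upper()}".encode()


def fingerprint(doc_type: str, doc_number: str, key: bytes = TENANT_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the document number.

    Document numbers have little entropy, so a plain SHA-256 could be brute-forced
    from a leaked table; keying it means a dump without the key reveals nothing,
    while the operator can still compare a presented document against records.
    """
    return hmac.new(key, canonical(doc_type, doc_number), hashlib.sha256).hexdigest()


def issuer_verify(doc_type: str, doc_number: str, name: str, dob: str) -> bool:
    """Simulated issuer check: does the document exist and match the holder?"""
    rec = ISSUER_RECORDS.get((doc_type.lower(), doc_number.strip().upper()))
    return rec is not None and rec["name"] == name and rec["dob"] == dob


def receipt_tag(customer_id: str, doc_type: str, fp: str, verified_at: int) -> str:
    """Tag binding a verification outcome to a customer and document fingerprint."""
    msg = f"{customer_id}|{doc_type.lower()}|{fp}|{verified_at}".encode()
    return hmac.new(TENANT_KEY, msg, hashlib.sha256).hexdigest()


def onboard(customer_id: str, doc_type: str, doc_number: str, name: str,
            dob: str, now: Optional[int] = None) -> Optional[dict]:
    """Verify the document once, then keep only a fingerprint and a receipt.

    The returned record is what would be persisted: it carries neither the
    document number nor the date of birth. Returns None if the issuer rejects it.
    """
    if not issuer_verify(doc_type, doc_number, name, dob):
        return None
    verified_at = int(now if now is not None else time.time())
    fp = fingerprint(doc_type, doc_number)
    return {
        "customer_id": customer_id,
        "name": name,                      # needed for billing; raw ID data is not
        "doc_type": doc_type.lower(),
        "doc_fingerprint": fp,
        "verified_at": verified_at,
        "receipt": receipt_tag(customer_id, doc_type, fp, verified_at),
    }


def receipt_valid(record: dict) -> bool:
    """Re-derive the receipt tag; detects tampering with the stored record."""
    expected = receipt_tag(record["customer_id"], record["doc_type"],
                           record["doc_fingerprint"], record["verified_at"])
    return hmac.compare_digest(expected, record["receipt"])


def same_document(record: dict, doc_type: str, doc_number: str) -> bool:
    """Answer 'is this the document we verified?' without ever storing its number."""
    return hmac.compare_digest(record["doc_fingerprint"],
                               fingerprint(doc_type, doc_number))


def leaks_identifier(record: dict, doc_number: str) -> bool:
    """Sanity check for a stored record: the raw number must not appear anywhere."""
    needle = doc_number.strip().upper()
    return any(needle in str(v).upper() for v in record.values())


if __name__ == "__main__":
    rec = onboard("cust-1", "passport", "PA1234567", "Jane Citizen", "1990-01-02")
    print(rec)
    print("receipt ok:", receipt_valid(rec))
    print("same doc:", same_document(rec, "passport", " pa1234567 "))
    print("leaks raw number:", leaks_identifier(rec, "PA1234567"))
```

Two caveats follow from the design. The fingerprint is only as private as TENANT_KEY: whoever holds the key can test candidate document numbers against the table, which is exactly the warrant-only access the first comment wants, so the key must not sit beside the database. And rotating the key invalidates every fingerprint, so re-verification against the issuer is needed after a rotation; the record itself holds nothing from which to recompute them.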

  4. trindflo Silver badge
    Facepalm

    "In coming days it's expected laws will impose consumer protection"

    Now that 38% of the possible personal data in existence in Australia has been leaked, by all means assign troops to guarantee the barn door stays shut.

  5. oikos

    If only the hacker had claimed to be Chinese, the ALP would have reached out to ask them if they want the PII on the remaining 60% of the population

  6. Jan 0 Silver badge

    > "Ransom not payed"

    What bludger wrote this? Is this some bizarre attempt at parodying Aussie English? Don't Aussies use the same past tense as us?

    1. lglethal Silver badge
      Facepalm

      Clearly this is someone for whom English is not the native language (or who is faking it not being their native language). If you were to write it in proper English it would probably read "The ransom was not paid". It's not that difficult, mate.

      1. Ken Shabby Bronze badge
        Pirate

        I am reading the wonderful Aussie rag “The Daily Telegraph”, well the cartoon is usually funny. They are reporting language analysis points to the writer being a Portuguese speaker.

        They say a Brazilian vulnerability hunter looking for a bounty is their suspicion.

    2. iron

      Who said the hacker was a native English speaker? From their statements I would assume they are not.

  7. VoiceOfTruth

    Congratulations Australians

    Your data is now in the hands of the FBI to "protect" you.

    1. chivo243 Silver badge
      Coat

      Re: Congratulations Australians

      I think it's been there longer than you might think... Five Eyes and all that...

  8. Anonymous Coward

    If there is time

    FBI is busy doing TV shows right now. Much too busy to work on anything that involves "laptop" computers from hell.

    But, since this would make a good episode and can be PG rated compared to the laptop's X rating, ya know, they might just help, as they can make money off of it. Watch for previews of the case series this spring on CBS....

  9. Frank Bitterlich

    "... and therefore hopes very much that the company soon explains itself in a way that displays sincere regret and an intention to restore trust."

    Oh, sure, no problem. You'll probably get an email later (or maybe a post on their Facebook page or such, if individual emails are too much of a hassle), explaining that "the security of [our] customers' information is our topmost priority", that it was "a sophisticated attack", probably by "state-sponsored hackers", that "only a small number of [our] customers are affected", "there is no evidence of any actual damage" from the theft, and that you're invited to supply your data to some credit-protection company (do they have that in Australia?), so that they can lose it, too.

  10. HammerOn1024

    Here's A Thought

    If most of this information was used for initial identification, ERASE IT when you're done!

    Why would a telco need to hold onto a passport number or driver's licence?

    Stupid!

    1. sreynolds

      Re: Here's A Thought

      Because of the data retention laws?

      Probably something like: someone gets a phone, gives some fake ID, say a passport with a real number and "biometrics" but fake nonetheless. Let's say a few months later he is sharing in the most heinous of crimes (okay, say kiddie fiddler, but more often it's not paying the bill for the device and/or a long-term contract that is longer than some mortgages, because telcos are so freaking important). Now someone has to be blamed.
