2022 Breach of Australian Telecom Optus Blamed on API Coding Error
The Australian Communications and Media Authority (ACMA) has determined that a September 2022 breach affecting telecommunications firm Optus was due to an API coding error. The issue had been present for four years before the breach. ACMA says Optus failed to protect customer data of millions of individuals.
Editor's Note
The API had two entry points, each of which was secured in 2017. In 2021, a coding error broke one of the ACLs, but the defect was only detected in one of the entry points, despite both being impacted by the same flaw. While the obvious move was to make sure that the same fixes were applied to all entry points, the better move for your future self is to only have one entry point, one set of security controls and one instance to support, secure, document and implement.
Lee Neely
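The "one entry point, one set of controls" point above can be shown in code. The following is an added example, not code from Optus, ACMA or this newsletter: every API entry point registers through a single gateway whose one `authorize()` gate runs before any handler, so an ACL rule is defined and fixed in exactly one place. The hostnames, roles, ACL table and request values are constructed for illustration, and `entry_point_decisions()` is a hypothetical consistency check a team could run to detect the drift described in the note (one entry point enforcing, another not).

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Request:
    """Minimal request model (constructed for the example)."""
    principal: str            # caller identity, e.g. "anonymous" or a user id
    roles: FrozenSet[str]     # roles granted to the caller
    path: str
    method: str


# The single ACL for the whole API: resource prefix -> roles allowed to reach it.
# Because there is one table, a fix applied here reaches every entry point.
ACL: Dict[str, FrozenSet[str]] = {
    "/customers": frozenset({"support", "admin"}),
    "/admin": frozenset({"admin"}),
}


def authorize(req: Request) -> bool:
    """Return True only when an ACL rule covers the path and the caller holds
    one of its roles. Default deny: a path with no rule is refused, so a
    missing or broken rule fails closed rather than exposing data."""
    for prefix, allowed in ACL.items():
        if req.path == prefix or req.path.startswith(prefix + "/"):
            return bool(req.roles & allowed)
    return False


class Gateway:
    """Every public entry point (hostname) is registered here, and dispatch()
    runs the same authorize() gate before any handler, whichever entry point
    the request arrived on."""

    def __init__(self) -> None:
        self._handlers: Dict[str, Callable[[Request], dict]] = {}

    def entry_points(self) -> Set[str]:
        return set(self._handlers)

    def route(self, *entry_points: str):
        def register(fn: Callable[[Request], dict]):
            for ep in entry_points:
                self._handlers[ep] = fn
            return fn
        return register

    def dispatch(self, entry_point: str, req: Request) -> Tuple[int, dict]:
        # Authorization happens here, once, before any handler-specific code.
        if not authorize(req):
            return 403, {"error": "forbidden"}
        handler = self._handlers.get(entry_point)
        if handler is None:
            return 404, {"error": "unknown entry point"}
        return 200, handler(req)


def entry_point_decisions(gw: Gateway, req: Request) -> Set[int]:
    """Send the same request through every registered entry point and collect
    the status codes. More than one distinct code means the entry points have
    diverged in what they enforce, which is the failure mode to detect early."""
    return {gw.dispatch(ep, req)[0] for ep in gw.entry_points()}


gw = Gateway()


@gw.route("api.example.test", "api.partner.example.test")  # two hostnames, one control
def get_customer(req: Request) -> dict:
    return {"customer": req.path.rsplit("/", 1)[-1], "requested_by": req.principal}


if __name__ == "__main__":
    anon = Request("anonymous", frozenset(), "/customers/42", "GET")
    agent = Request("agent7", frozenset({"support"}), "/customers/42", "GET")
    for ep in sorted(gw.entry_points()):
        print(ep, "anonymous ->", gw.dispatch(ep, anon)[0], "| support ->", gw.dispatch(ep, agent)[0])
    print("consistent across entry points:", len(entry_point_decisions(gw, anon)) == 1)
```

The consistency check is the part worth keeping in a CI job: replaying a handful of representative unauthenticated and low-privilege requests through every registered hostname and failing the build when the status codes differ would have flagged a fix that reached one entry point but not the other.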
APIs are still untested; we see such common flaws. It's web hacking like the 2000s all over again. If you haven't dug into APIs, start. If you think they are not vulnerable to the more traditional attacks, they probably are.
Moses Frost
This is the second such determination in recent weeks by an Australian government authority that a commercial business failed in implementing reasonable cybersecurity. While CIS's guide to defining reasonable cybersecurity is specific to the United States, defining reasonable cybersecurity applies globally. Reasonable cybersecurity is becoming the bar businesses will be measured against.