Sometimes a major "hack" isn't really a hack at all, such as with some breaches caused by the mishandling of APIs.

The latest such breach attributed to negligence with APIs, or application programming interfaces that are used for exchanging data across applications, is the massive theft of customer data from Australian telecom Optus.

First disclosed by Optus on Sept. 22, the data exposed in the breach of 9.8 million customer records includes driver's licenses, passports, and Medicare ID numbers, in addition to names, phone numbers, and email addresses.

Optus has attempted to characterize the cyberattack as "sophisticated," but according to Australian Minister for Cybersecurity Clare O'Neil, it was actually just a "basic" attack. Optus "effectively left the window open" for customer data to be stolen, she said.

The incident reportedly started with the attacker accessing an API server that was not protected with any type of authentication. In other words, the attacker didn't even have to log in. Anyone from the internet could have theoretically done the same thing, said Filip Verloy, technical evangelist at Noname Security, a vendor that offers API security products.

"This should be a wake-up call for a lot of organizations about how easy it was to get this data," said Nick Rago, field CTO at another API security vendor, Salt Security.

The use of APIs has grown widely as companies of all sorts have morphed into software providers, with API services enabling much of the key functionality for modern apps and websites.

Optus executives have not denied that an API was leveraged by the attacker to steal the customer records, according to reports.

Based on the information that has come out so far, it appears that the API in question was actually "doing exactly what it was meant to do" when it called up the Optus customer records, Rago said.

It's likely that Optus just didn't know about the existence or functionality of this particular API, according to Rago. That means the API wasn't "hacked" in any sense of the word, but was just used for an unintended purpose, he said - what's sometimes referred to as an "API abuse" attack. Protocol has reached out to the company for comment.
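The failure mode described here, an internet-facing API that serves customer records to callers who never logged in, is one a defender can check for after the fact from access logs. The Python below is an added example, not code from Protocol, Optus or the vendors quoted; the log format, the route shape `/api/v1/customers/<id>` and the `auth=` field are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real Optus data): source IP, method, path,
# HTTP status and whether any credential accompanied the request.
SAMPLE_LOG = """\
203.0.113.7 GET /api/v1/customers/100001 200 auth=none
203.0.113.7 GET /api/v1/customers/100002 200 auth=none
203.0.113.7 GET /api/v1/customers/100003 200 auth=none
198.51.100.4 GET /api/v1/customers/5512 200 auth=bearer
198.51.100.4 GET /api/v1/plans 200 auth=none
203.0.113.7 GET /api/v1/customers/100004 404 auth=none
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>\S+)$"
)
# Route that returns one customer record; the path shape is an assumption.
CUSTOMER_RECORD = re.compile(r"^/api/v1/customers/\d+$")


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def requires_credential(path):
    """The missing control: a customer-record read must carry a credential."""
    return bool(CUSTOMER_RECORD.match(path))


def unauthenticated_record_reads(log):
    """(ip, path) pairs where a customer record was served with no credential,
    i.e. the server answered 200 to a caller who never logged in."""
    return [
        (r["ip"], r["path"])
        for r in parse(log)
        if requires_credential(r["path"]) and r["auth"] == "none" and r["status"] == "200"
    ]


def bulk_readers(log, threshold=3):
    """Source IPs that pulled at least `threshold` distinct customer records
    without a credential: the shape of a mass download of records."""
    seen = defaultdict(set)
    for ip, path in unauthenticated_record_reads(log):
        seen[ip].add(path)
    return sorted(ip for ip, paths in seen.items() if len(paths) >= threshold)
```

Run over real logs, the same check also tells you which records were served before the endpoint was closed, which is the list a breach notification has to be built from.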