The following is part of an ongoing series of API vulnerability briefs by Neosec’s threat research team to help enterprises learn from recent API attacks that affect organizations globally.
On September 29, Optus, the second largest telecommunications provider in Australia, disclosed that they were the victim of a large-scale cyberattack that resulted in the theft of personally identifiable information (PII) of nearly 10 million current and former broadband, mobile, and business customers.
To put the scale in context, Australia has a population of approximately 26 million people, of which nearly 40 percent were potentially affected. The data that the attackers exfiltrated includes sensitive information such as birth dates, home addresses, phone numbers, email addresses, passport numbers, driver’s license numbers, and even government medical program details.
The threat actor responsible published a sample of 10,200 customer records and demanded a $1 million (USD) ransom to prevent the release of the remaining customer information. They have since rescinded the threat, possibly in response to the large amount of law enforcement and media attention the incident has attracted.
What role did APIs play in the breach?
While the scale of the Optus breach is extraordinary, the methods used to perpetrate it were fairly unsophisticated and common. A REST API that was connected to the Optus customer database was found to be available at a publicly accessible URL. In addition, the API was not protected with any form of authentication.
As a result, the attacker could simply submit API requests for the customer details of a specific customer identification number. The attack was also aided by Optus’ apparent failure to adhere to API best practices such as:
- Using unpredictable identifiers (in this case, for the customer identifier) so that records cannot be enumerated simply by walking through a predictable sequence.
- Implementing rate limiting and/or throttling to prevent large-scale exfiltration of millions of records in a short period of time.
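As an added example (not Optus code and not Neosec's), the following Python request handler shows the three controls whose absence the brief describes: authentication before any lookup, an opaque customer handle in place of the sequential identifier, and per-client rate limiting. The customer store, API tokens and client addresses are constructed stand-ins.

```python
import secrets
import time

# Constructed stand-in for the customer store and for the tokens issued to
# sanctioned client applications; both are hypothetical.
CUSTOMERS = {1001: {"name": "A. Example"}, 1002: {"name": "B. Example"}}
VALID_TOKENS = {"token-for-support-app"}

# Opaque handles: a random 128-bit value per customer, so one valid handle
# reveals nothing about any other. The internal sequential id never leaves
# the service.
PUBLIC_ID = {secrets.token_urlsafe(16): cid for cid in CUSTOMERS}

class RateLimiter:
    """Token bucket per client: `rate` requests/second, burst of `capacity`."""
    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.buckets = {}  # client -> (tokens, last_refill)

    def allow(self, client):
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True

LIMITER = RateLimiter(rate=1.0, capacity=5)

def handle_request(client_ip, auth_header, public_id, limiter=LIMITER):
    """Handle GET /customers/<public_id>; return (status, body)."""
    # 1. Authenticate before any data is touched.
    token = auth_header[7:] if auth_header and auth_header.startswith("Bearer ") else None
    if token not in VALID_TOKENS:
        return 401, {"error": "authentication required"}
    # 2. Throttle per client so bulk harvesting is slow and conspicuous.
    if not limiter.allow(client_ip):
        return 429, {"error": "rate limit exceeded"}
    # 3. Resolve the opaque handle; an unknown handle is simply not found.
    cid = PUBLIC_ID.get(public_id)
    if cid is None:
        return 404, {"error": "not found"}
    return 200, CUSTOMERS[cid]
```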
What is the business impact of the breach?
Optus generates billions of dollars in revenue annually, so the $1 million ransom, if it had been paid, would not have been material to the company’s financials. The bigger business risks arise from what other malicious parties might do with the data if it was sold or disclosed.
The stolen PII, particularly the passport and driver’s license information that was accessed for a subset of the affected customers, could be used to commit wide scale identity fraud.
The financial impact on customers, and potential liability to Optus, are difficult to calculate.
Even if the damage does not escalate beyond the current 10,200 affected customers, the incident will likely have future regulatory implications. Many governments have already enacted aggressive privacy protection regulations with stiff fines for failure to protect PII.
Perhaps the best-known example is the European Union’s General Data Protection Regulation (GDPR), which carries fines of up to 4 percent of annual revenue.
Therefore, if a company of a similar size to Optus suffered a comparable breach in Europe, it could face up to several hundred million dollars in fines.
Beyond the financial penalties, incidents of this nature have a devastating impact on corporate reputation and customer trust.
How did this issue slip past the company’s security measures?
Oversights like those that led to the Optus data breach have been a daily occurrence at organizations for years. For example, in 2017, it was discovered that medical claim provider Molina Healthcare was exposing patient medical claim information at public URLs that any unauthenticated user could manipulate by simply enumerating a predictable numeric sequence.
Points of exposure around API configuration, authentication, and rate limiting have also been central to the OWASP API Top 10 list of known vulnerabilities for years.
So why do organizations like Optus still get caught off guard?
The reality is that the complexity and speed of change of modern enterprise applications make it nearly impossible to avoid every possible API configuration error or vulnerability.
That doesn’t mean that API and security teams shouldn’t try.
But it is also essential to have a safety net for discovering unprotected and misconfigured APIs – ideally, before they are abused but at the very least when they are under active abuse.
What steps can be taken to mitigate risks like this?
Effective protection of APIs starts with the fundamentals such as:
- Continuous discovery and inventory management for all sanctioned APIs.
- Continuous detection and decommissioning of unsanctioned shadow APIs or zombie APIs that are no longer required by the business.
- Risk posture assessment of every API service and endpoint, particularly to understand which have sensitive PII.
- Proactive threat hunting activities, including API vulnerability discovery and remediation.
But these steps are insufficient on their own.
Just as many organizations are adopting a Zero Trust posture when it comes to their critical infrastructure, they should apply the same principles to API protection. Security teams should operate on the assumption that API protections will be circumvented – either through an implementation error or the compromise of the credentials of a trusted employee or partner. Perimeter security tools and testing are never perfect on their own; they are one layer of a defense-in-depth strategy. The question security professionals must ask themselves is: how would you know if your APIs were being abused?
API behavioral analytics – performed across all APIs – is the most effective way to detect and stop API abuse. By baselining normal API usage and relationships, monitoring activity over extended time periods, and detecting anomalies, security teams will be better equipped to spot and stop abuse before it escalates into a large-scale incident like the one experienced by Optus.
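As an added illustration (not Neosec's product logic), this Python sketch applies the approach described above to a constructed access log: it profiles each client's requests against a baseline rate and flags clients that touch many distinct customers at an anomalous rate or that step through identifiers in sequence. The log lines, client addresses and baseline value are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample API access log (not real Optus data): time, client, method, path, status.
SAMPLE_LOG = """\
2022-09-17T10:00:00Z 203.0.113.5 GET /api/customers/1000001 200
2022-09-17T10:00:01Z 203.0.113.5 GET /api/customers/1000002 200
2022-09-17T10:00:01Z 203.0.113.5 GET /api/customers/1000003 200
2022-09-17T10:00:02Z 203.0.113.5 GET /api/customers/1000004 200
2022-09-17T10:00:03Z 203.0.113.5 GET /api/customers/1000005 200
2022-09-17T10:00:00Z 198.51.100.7 GET /api/customers/1048211 200
2022-09-17T10:04:00Z 198.51.100.7 GET /api/customers/1000577 200
"""
LINE = re.compile(r"^(\S+) (\S+) \S+ /api/customers/(\d+) \d+$")

def parse(log):
    """Yield (timestamp, client, customer_id) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), int(m.group(3))

def sequential_ratio(ids, max_step=5):
    """Share of successive requests whose customer ids step by 1..max_step."""
    steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
    return sum(1 for s in steps if 0 < s <= max_step) / len(steps) if steps else 0.0

def client_profiles(log):
    """Per client: distinct ids touched, requests per minute, sequential ratio."""
    events = defaultdict(list)
    for ts, client, cid in parse(log):
        events[client].append((ts, cid))
    profiles = {}
    for client, evs in events.items():
        evs.sort()
        ids = [cid for _, cid in evs]
        span_min = max((evs[-1][0] - evs[0][0]).total_seconds(), 1.0) / 60
        profiles[client] = {"distinct": len(set(ids)),
                            "per_minute": len(ids) / span_min,
                            "sequential": sequential_ratio(ids)}
    return profiles

def find_enumerators(log, baseline_per_minute=2.0, min_distinct=5, min_sequential=0.8):
    """Flag clients touching many distinct customers far above the baseline rate
    (here a fixed stand-in for a rate learned from history) or in near-sequential order."""
    return sorted(c for c, p in client_profiles(log).items()
                  if p["distinct"] >= min_distinct
                  and (p["per_minute"] > 10 * baseline_per_minute
                       or p["sequential"] >= min_sequential))
```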