On 22 September 2022, Optus Telecommunications announced that it had detected a "hack" of its systems, and revealed that 9.8 million customer records had been accessed. For Australia's second largest mobile phone provider, this represents more than a third of the country's population. The records include names, addresses and phone numbers, dates of birth and email addresses, and for some people identity documents such as driver's licence numbers, passport numbers or Medicare card numbers. This article outlines the hacking risk for domestic violence victims, who may be more adversely affected than others by this "hack".

The reason I placed the word "hack" in quotes was because this data leak was very low tech and may have been accidentally created by someone doing a little experimentation. The information was accessed through an unauthenticated API call: the attacker simply traversed the record identifiers, one after another, to scrape and download all records. Many have described it as an attack a teenager with few skills could have carried out.

The hacker claims to have the details of 11.2 million users (notably more than the ceiling of 9.8 million users affected, according to Optus) — as well as passport and driver’s licence numbers for 4.2 million of them. 

Crikey.com 27 September 2022.

Hacking risk for domestic violence victims

Media coverage of data leaks and hacks of this nature usually focuses on the risk of identity theft (and the financial fraud that follows from it), direct scams, and attempts to access the victim's banking and financial accounts. However, there is a more insidious threat from these data leaks. Victims of domestic violence often need to hide and keep their identity secret to prevent their attacker from finding them. DV victims may be fleeing physical violence and threats, but also psychological intimidation and financial attacks.


Accessible records of physical addresses can leave domestic violence victims at risk of violence or intimidation, and leaked email addresses or phone numbers can expose them to psychological harassment. In the Optus case, the additional identity information makes identity theft possible, which opens the door to directed financial assault: the abuser taking out loans and mortgages in the victim's name, incurring large debts, and similar attacks. There are also harassment techniques such as SIM swapping (porting the victim's phone number to a SIM the attacker controls, which also intercepts SMS verification codes) and subscription bombing (signing the victim's email address up to large numbers of mailing lists and services).

Prevention is better than response

Optus has been criticised for making a public announcement before specifically contacting customers, but in this case I believe it to be warranted to make it known to all of Australia, as more than a third of the population is affected. However, this type of incident should never have occurred. Unauthenticated APIs with access to personal information should not be publicly reachable, and walking through identifiers without any authenticated context should yield nothing at all. Companies should now be reviewing every API that touches customer personal information to ensure that it cannot be accessed through these means: every call should be authenticated, every lookup should be checked against the caller's own identity, identifiers should not be guessable, and unusual volumes of lookups should be throttled and alerted on.

Criticism of Optus has also been raised about the amount of information it requested and stored about customers, including ex-customers. There was no real need for Optus to continue to retain passport numbers, driver's licence details and Medicare numbers after the customer's identity had been verified, let alone to keep them in a system reachable through a public API that could be queried and, as it turned out, compromised. A record of the fact that identity was verified, and when, is all that most downstream processes need. Prevention is better than response, particularly given the hacking risk for domestic violence victims.
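To make the two preceding points concrete, the following Python is an added example, written for this article and not code from Optus or from any real API. It models a customer-lookup endpoint in the shape the article describes (unauthenticated, sequential numeric identifiers, identity documents retained) beside a hardened version that requires a bearer token, returns only the caller's own record, uses opaque random identifiers, throttles callers that request many distinct identifiers, and stores only a verification flag in place of the document numbers. All customer data, field names and limits are constructed for illustration.

```python
import secrets

# --- The original design: unauthenticated, sequential IDs, everything retained ---

# Constructed sample data (not real customers). Sequential integer keys make
# the entire customer base enumerable by anyone who can count upwards.
VULNERABLE_STORE = {
    1: {"name": "A. Citizen", "address": "1 Example St, Sydney", "dob": "1980-01-01",
        "email": "a@example.invalid", "passport": "PA1234567"},
    2: {"name": "B. Resident", "address": "2 Sample Rd, Perth", "dob": "1990-02-02",
        "email": "b@example.invalid", "drivers_licence": "DL9876543"},
    3: {"name": "C. Person", "address": "3 Test Ave, Hobart", "dob": "1975-03-03",
        "email": "c@example.invalid", "medicare": "2000 00000 1"},
}


def vulnerable_lookup(customer_id, headers=None):
    """Returns the record for the ID taken straight from the URL. No credentials
    are checked and the ID is trusted as-is, so any caller can read any record."""
    record = VULNERABLE_STORE.get(customer_id)
    return (200, record) if record else (404, None)


def scrape(lookup, candidate_ids, headers=None):
    """The traversal attack described in the article: walk the ID space and keep
    every record that comes back with a 200."""
    hits = []
    for cid in candidate_ids:
        status, record = lookup(cid, headers)
        if status == 200:
            hits.append(record)
    return hits


# --- The hardened design ---

IDENTITY_DOCUMENT_FIELDS = ("passport", "drivers_licence", "medicare")


def minimise(record):
    """Data minimisation: once identity has been verified, keep only the fact and
    date of verification, not the document numbers themselves."""
    kept = {k: v for k, v in record.items() if k not in IDENTITY_DOCUMENT_FIELDS}
    return {**kept, "identity_verified": True, "verified_on": "2022-01-15"}


# Opaque, randomly generated identifiers: there is no sequence to walk.
HARDENED_STORE = {secrets.token_urlsafe(16): minimise(r) for r in VULNERABLE_STORE.values()}
SESSIONS = {}              # bearer token -> the opaque customer ID it was issued for
IDS_SEEN_PER_SESSION = {}  # bearer token -> distinct IDs requested (enumeration detector)
MAX_DISTINCT_IDS = 3       # a legitimate customer only ever needs their own ID


def issue_session(opaque_customer_id):
    """Stand-in for the login flow: hands back a bearer token bound to one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = opaque_customer_id
    return token


def hardened_lookup(customer_id, headers=None):
    """Authenticates the caller, throttles enumeration, and enforces object-level
    authorisation: a token may only read the record it was issued for."""
    auth = (headers or {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)
    subject = SESSIONS.get(auth[len("Bearer "):])
    if subject is None:
        return (401, None)
    seen = IDS_SEEN_PER_SESSION.setdefault(auth, set())
    seen.add(customer_id)
    if len(seen) > MAX_DISTINCT_IDS:
        return (429, None)  # this caller is walking IDs: throttle and alert
    if customer_id != subject:
        # Same answer as "does not exist", so the caller learns nothing about
        # whether the requested ID is real.
        return (404, None)
    return (200, HARDENED_STORE[subject])


if __name__ == "__main__":
    print("vulnerable API, 1000 guesses:", len(scrape(vulnerable_lookup, range(1, 1001))), "records")
    print("hardened API, no token:", len(scrape(hardened_lookup, range(1, 1001))), "records")
```

Running the file shows the vulnerable endpoint giving up every record, document numbers included, to a loop over integers, while the hardened one returns nothing to the same loop, and returns only a minimised record even to a correctly authenticated caller asking for their own ID. The 404 rather than 403 on a foreign ID and the per-session distinct-ID limit are the two details most often missed in real APIs: the first stops the endpoint confirming which identifiers exist, the second turns a scrape into an alert after a handful of requests.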


Response for Domestic Violence victims

Unfortunately, some of the information exposed in the Optus hack cannot be changed easily, or at all: a name and date of birth are permanent, and replacing a passport or driver's licence costs time and money. As with other incidents, identity theft, scams and attempts to access financial accounts mean the victim must monitor their own identity and accounts to detect whether they have been compromised, and that is not an easy task even for someone skilled and experienced in this area. How is an average person supposed to check every bank (including ones they have never dealt with) to discover whether a loan has been taken out in their name, or an account opened to be used to launder funds?

DV victims at risk of personal or physical attack will need Police protection, or to relocate either temporarily or permanently. This is a significant impact and cost on the victim.
