Optus — UnHack Yourself

NotCentralised Nick, NotCentralised
7 min read · Oct 1, 2022
Is this the Optus hacker? Photo by Max Bender on Unsplash

What can the Optus “hack” tell us about web3?

Unless you have been living under a rock, you will have read about the recent Optus data breach in Australia. Around 10,000,000 customer accounts have been compromised by having the associated personal details stolen. Those personal details include passport information, drivers licences, dates of birth and addresses. It was later revealed, but not initially disclosed by Optus, that Medicare details had also been taken, which is a big f$%king deal. Essentially, your personality has been compromised.

Optus rolled out of bed, yawned, and decided to notify the world about this a full 24 hours after spotting suspicious activity itself. Arguably, The Australian newspaper blew the whistle, prior to Optus issuing a press release. This was last Thursday, September 21st. Optus is adamant that passwords and payment details were not compromised, but we do not definitively know this at the time of writing. We do know around 2,800,000 people are now severely exposed to the risk of identity theft. In effect, they need to reset their entire personal information library. A mammoth pain in the arse.

I think most can agree that the crisis management from Optus has been appalling. First rule of management — everything is your fault. Customers were not notified for days — indeed some are yet to receive apology or communication. There was inconsistent information given to different customers — we have seen this first hand. Paltry amounts of compensation were offered — $90 anyone? CEO Kelly Bayer Rosmarin was at least coached well enough to shed tears during a public apology address.

KBR in full pink mode (happier times) — courtesy of SMH.com.au

Given this stunning incompetence from a business owned by giant Singapore Telecom, the web3 world has renewed its calls for Digital Identity solutions, which it claims would have prevented or mitigated the outcomes. So, what might have been different?

Go Big Or Go Home

For a start, web3 hackers would have been way more gangster with the ransom. Given the size of Optus, asking for A$1.5m (as happened early Saturday 23rd) is frankly pathetic. Attackers on Defi platforms, who frequently target bridges as weak points, will often keep 10% of any stolen funds. Optus produced operating revenue of A$7,836,000,000 in FY2022. So, why don’t we start with a ransom of A$783.6m and Optus, you can walk us back from there? The paltry size of the ransom request is very suss.

The total in hand is $690. Photo by Alexander Grey on Unsplash

Further, web3 hackers would have been a lot more stylish and sophisticated with the hack. According to tech reporter Jeremy Kirk, who contacted the purported hacker after the Saturday ransom request, the data was stolen very simply. This has subsequently been supported by independent cyber experts too. The hacker is reported to have said “No authenticate [sic] needed… All open to internet for any one to use,” — in other words, a very simple data pull from an API it seems. When the data arrived in the hacker’s hands, it was not encrypted.
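To make the reported failure mode concrete from the defender's side, here is an added example (not code from Optus or from this post) of what “no authentication needed” looks like in a customer-record endpoint, next to a hardened handler and a small detection pass over access logs. Everything in it is constructed: the customer table, the bearer-token table, the `/api/customers/<id>` path, and the log line format are assumptions made for the example, not anything known about the real system.

```python
import re
from collections import Counter

# Constructed sample data (not Optus data): a tiny in-memory customer table.
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1985-01-02", "passport": "PA0000001", "medicare": "0000 00000 0"},
    "1002": {"name": "B. Example", "dob": "1990-03-04", "passport": "PA0000002", "medicare": "1111 11111 1"},
}

# Assumption: opaque bearer tokens mapped to the customer they belong to. A real service
# validates a signed session or OAuth token; the static table only keeps the example offline.
TOKENS = {"tok-for-1001": "1001", "tok-for-1002": "1002"}


def _customer_id(request):
    # /api/customers/<id> -> <id>
    return request["path"].rsplit("/", 1)[-1]


def get_customer_open(request):
    """The failure mode the article quotes: no authentication, so anyone who can reach
    the endpoint can read any record, identity documents included."""
    rec = CUSTOMERS.get(_customer_id(request))
    return (200, rec) if rec else (404, None)


def get_customer_secured(request):
    """Hardened handler: authenticate the caller, authorise them for this specific record,
    and return only the fields the endpoint actually needs."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)                       # no credential presented
    subject = TOKENS.get(auth[len("Bearer "):])
    if subject is None:
        return (401, None)                       # unknown or expired credential
    cid = _customer_id(request)
    if cid != subject:
        return (403, None)                       # valid token, but not this customer's record
    rec = CUSTOMERS.get(cid)
    if rec is None:
        return (404, None)
    # Data minimisation: passport and Medicare numbers never leave the server via this endpoint.
    return (200, {"name": rec["name"]})


# Constructed access-log format (assumption): time, client IP, method, path, auth marker, status.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (/api/customers/\d+) auth=(\S+) (\d{3})$")


def find_unauthenticated_bulk_readers(log_lines, threshold):
    """Detection pass a defender could run: count successful, unauthenticated reads of
    customer records per client and return the clients at or above the threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, ip, method, _, auth, status = m.groups()
        if method == "GET" and auth == "none" and status == "200":
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


SAMPLE_LOG = [  # constructed lines: one noisy unauthenticated client and one normal one
    "2022-09-17T10:00:01Z 203.0.113.5 GET /api/customers/1001 auth=none 200",
    "2022-09-17T10:00:02Z 203.0.113.5 GET /api/customers/1002 auth=none 200",
    "2022-09-17T10:00:03Z 203.0.113.5 GET /api/customers/1003 auth=none 200",
    "2022-09-17T10:00:04Z 198.51.100.7 GET /api/customers/1002 auth=bearer 200",
]

if __name__ == "__main__":
    print(get_customer_open({"path": "/api/customers/1001"}))
    print(get_customer_secured({"path": "/api/customers/1001",
                                "headers": {"Authorization": "Bearer tok-for-1001"}}))
    print(find_unauthenticated_bulk_readers(SAMPLE_LOG, threshold=3))
```

The hardened handler makes two separate decisions, authentication (who is calling) and object-level authorisation (may this caller read this record), and then strips the identity-document fields because the endpoint has no need of them; the log pass is the kind of check that would surface a single client reading many records with no credential at all.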

Fess Up and F$%k Off

A recent lesson from web3 is likely to be repeated here — the top dog resigns and tries to clear the decks. Just this week (Wednesday September 28th), Celsius CEO Alex Mashinsky threw in the towel after the clusterfluff of its bankruptcy. Given the financial robustness of Optus, bankruptcy is no real risk for CEO KBR (as I am now calling her). A class action though is highly likely, which typically leads to out of court settlements. Ben Zocco of law firm Slater and Gordon, and ambulance chaser Maurice Blackburn, are already rattling the sabres.

The recent incident is even more damning when considering Optus has form here. In 2019, 50,000 Optus customer details were published online without their consent or knowledge, which is now being investigated by the Information and Privacy Commissioner. That incident was described as a “system error”, which as we all know means someone f$%ked up, but those culpable are being covered for.

It’s not clear whether KBR’s position is tenable. Credit imgflip.com

Adding to the pressure on KBR is the swift political rebuke. This provides a golden opportunity to new PM Albo to show strength, protecting the voters in the face of corporate incompetency. Unlike the more questionable Christine Holgate / Aus Post saga (would we call that Holgate-gate??), KBR’s head on a plate would seem warranted. I expect it will be offered before Christmas. Cyber Security Minister Clare O’Neil on Monday September 26th said “No, no it wasn’t…” in response to a question from ABC News about whether the attack was sophisticated. Ms O’Neil also tweeted on the topic that day, stating “We should not have a telecommunications provider in this country that has effectively left the window open for data of this nature to be stolen.”. Stern stuff!

A Digital Identity Panacea

So, would the much-discussed but not entirely defined idea of on-chain digital identity, have made a difference? The optimist would say yes.

The full vision of on-chain DID allows for each person to retain sovereignty over their personal data. People would only need to reveal information that was strictly necessary for certain functions, with all other data remaining hidden and/or obfuscated. For example, I arrive at a bar and need to show that I am 18 years or older (or 21 in the US because, you know, America). However, my name and address and drivers licence details are irrelevant to the age limitation. Therefore, I only disclose my DOB. Or better still, a simple data pull which shows my age in years, avoiding the need to reveal the DOB itself.

This is basically how I imagine DID. Photo by Markus Spiske on Unsplash

Similarly, for a mobile network, the breadth of information requested in Australia is far too broad for the purpose. I should not need to disclose my Medicare details to get a mobile, because that nasty UTI in 2007 is irrelevant to telephony. If I control my data with DID, I manage the data feed to the mobile provider and remove all visibility from irrelevant data, because I control its disclosure.
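The selective disclosure described in the two paragraphs above (show the bar you are over 18 without handing over your date of birth; give the telco only what telephony needs) can be sketched in code. The following is an added example, not code from this post or from NotCentralised, using salted hash commitments in the style of a selective-disclosure credential: the issuer commits to every attribute separately and signs only the commitments, so the holder can later open just one of them. Assumptions: an HMAC key stands in for the issuer's signature so the example runs on the standard library alone (a real issuer would use a public-key signature such as Ed25519, so verifiers never hold the issuer's secret), the derived claim is a yes/no `over_18` flag rather than an age in years, and the holder's attributes are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC key stands in for the issuer's signing key so the example runs with the
# standard library only. A real issuer signs with a public-key scheme (e.g. Ed25519) so that
# verifiers never hold the issuer's secret.
ISSUER_KEY = b"demo-issuer-key-not-real"


def _commit(name, value, salt):
    """Salted SHA-256 commitment to one attribute. The salt stops a verifier from guessing
    hidden values (a date of birth has only tens of thousands of plausible values)."""
    payload = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def issue_credential(attributes, issuer_key=ISSUER_KEY):
    """Issuer side (e.g. a licensing authority). Every attribute, including derived ones such as
    over_18, gets its own commitment; the issuer signs only the list of commitments.
    Returns (credential, disclosures): the credential is public, the disclosures stay in the
    holder's wallet."""
    disclosures, commitments = {}, []
    for name, value in attributes.items():
        salt = secrets.token_hex(16)
        disclosures[name] = [salt, value]
        commitments.append(_commit(name, value, salt))
    commitments.sort()  # sorted so the order reveals nothing about attribute names
    body = json.dumps({"iss": "demo-issuer", "commitments": commitments},
                      separators=(",", ":"), sort_keys=True)
    sig = hmac.new(issuer_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}, disclosures


def present(credential, disclosures, reveal):
    """Holder side: hand over the signed credential plus only the chosen (salt, value) pairs."""
    return {"credential": credential,
            "revealed": {name: list(disclosures[name]) for name in reveal}}


def verify_presentation(presentation, issuer_key=ISSUER_KEY):
    """Verifier side (the bar, the telco): check the issuer's signature, then check that each
    revealed pair opens one of the signed commitments. Returns the verified claims, or None."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    signed = set(json.loads(cred["body"])["commitments"])
    claims = {}
    for name, (salt, value) in presentation["revealed"].items():
        if _commit(name, value, salt) not in signed:
            return None  # value or salt was altered after issuance
        claims[name] = value
    return claims


# Constructed sample holder, not a real person.
SAMPLE_ATTRIBUTES = {
    "name": "Jane Citizen",
    "address": "1 Example St, Sydney",
    "dob": "1990-05-04",
    "licence_no": "EXAMPLE123",
    "over_18": True,   # derived by the issuer at issuance, so dob itself never needs revealing
}

if __name__ == "__main__":
    cred, wallet = issue_credential(SAMPLE_ATTRIBUTES)
    bar_presentation = present(cred, wallet, ["over_18"])
    print(verify_presentation(bar_presentation))  # {'over_18': True}
```

The point of the structure is that the bar's presentation carries the signed commitment list and the single opened pair; the name, address, licence number and date of birth are present only as salted hashes, so a breach of the bar's records leaks nothing the bar was not told. The same holder would open a different subset for the telco, and whatever the telco stores is bounded by what it was actually shown.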

DID Not A Complete Solution

Now, as appealing as the above vision sounds, there are remaining practical issues. For example, how would digital ID information make its way into your possession in the first place? Who issues the information that you now wish to control and selectively disclose? Because those issuers are highly likely to be government / official entities and they will want to retain control. Thanos is real.

Thanos Infinity Gauntlet as designed by Optus. Photo by Gary Bendig on Unsplash

We will still need to prove we have passed a driving test to drive a car. And vehicle licensing and insurance will remain a thing. Therefore, the entity issuing those approvals may need to burn its instance of the information once processed, and move it into your DID ‘wallet’, in order for you to control it. Attorney General Mark Dreyfus has questioned why, once an ID has been checked against a passport or drivers licence, that data must be retained at all. Over two years ago, a joint parliamentary committee on intelligence and security recommended laws on metadata retention and usage be tightened. Nothing has happened. Why would DID move any quicker?

And we must be realistic that security and web3 are not always happy bedfellows. It is very easy for mainstream media to point to bridge hacks, scams, crazy gas prices, Solana outages etc (sorry SOL maxis) and question the robustness of the platforms on which DID would be run. If my full set of personal details were in DID form, and that information was stored adjacently, then the consequences of that entire treasure trove being hacked would be huge. People will not use something they do not trust, and for the average punter, that trust in web3 is not there. Yet.

Finally, we must resolve the inherent tension between public blockchains and their use case for private ID data. Defi as it operates today lacks meaningful privacy — wallet activity can be inspected by anybody. And yet to catalyse broad adoption of DID by businesses, government and individuals, proper privacy will be vital. Note that privacy is not the same as pseudonymity, which is what we have today in crypto. It is necessary to disconnect privacy considerations, from anonymity considerations, to architect a DID solution that could prevent damaging events like Optus-gate.

The level of cyber security complexity deployed by Optus was stunning. Credit imgflip.com

At NotCentralised, we are working on new regulatory and privacy protocols which could guide DID formation. Please reach out to us for more information, or to build with us.

Yours in web3,

Bish, CaptDefi, Numbers.


Nick is a husband and Dad. Done some finance stuff for 26 years. Nick understands the great opportunity with web3, but also the growing pains.