Sometimes a major "hack" isn't really a hack at all, such as with some breaches caused by the mishandling of APIs.
The latest such breach attributed to negligence with APIs, or application programming interfaces that are used for exchanging data across applications, is the massive theft of customer data from Australian telecom Optus.
First disclosed by Optus on Sept. 22, the data exposed in the breach of 9.8 million customer records includes driver's licenses, passports, and Medicare ID numbers, in addition to names, phone numbers, and email addresses.
Optus has attempted to characterize the cyberattack as "sophisticated," but according to Australian Minister for Cybersecurity Clare O'Neil, it was actually just a "basic" attack. Optus “effectively left the window open” for customer data to be stolen, she said.
The incident reportedly started with the attacker accessing an API server that was not protected with any type of authentication. In other words, the attacker didn't even have to log in. Anyone from the internet could have theoretically done the same thing, said Filip Verloy, technical evangelist at Noname Security, a vendor that offers API security products.
"This should be a wake-up call for a lot of organizations about how easy it was to get this data," said Nick Rago, field CTO at another API security vendor, Salt Security.
The use of APIs has grown widely as companies of all sorts have morphed into software providers, with API services enabling much of the key functionality for modern apps and websites.
Optus executives have not denied that an API was leveraged by the attacker to steal the customer records, according to reports. Protocol has reached out to the company for comment.
Based on the information that has come out so far, it appears that the API in question was actually "doing exactly what it was meant to do" when it called up the Optus customer records, Rago said. That means the API wasn't "hacked" in any sense of the word, but was just used for an unintended purpose, he said — what's sometimes referred to as an "API abuse" attack.
It's likely that Optus just didn't know about the existence or functionality of this particular API, according to Rago. It would appear there was a "lack of visibility and a lack of governance, in terms of not knowing this API existed in the first place and why it was exposed in this manner," he said.
In general, it's recommended that businesses take a "layered security" approach to protecting APIs, using a firewall or API security product, identity authentication, authorization for governing access to data, and encryption for sensitive personal data, said Yotam Segev, co-founder and CEO of data security vendor Cyera. "It appears that Optus failed on every front," Segev said.
By way of analogy, even if the front door of your house was left open or broken into, you could still have a locker inside of your house to protect your sensitive documents, said Anshu Sharma, co-founder and CEO of data privacy technology vendor Skyflow. "Even if the bad guys get in, they won't get your [sensitive] data," he said. But it appears that Optus did not have this type of capability, either.
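Added illustration (not Optus's code, nor from any vendor quoted above) of the layered approach Segev describes and Sharma's "locker" analogy: the same customer lookup with no authentication at all, beside a version that authenticates the caller, authorizes the specific record, and keeps identity documents in a separate store released only to entitled clients. All client names, keys and records are constructed; the third layer uses data separation in place of encryption, which is not implemented here.

```python
import hmac

# Constructed sample data, not Optus's: API clients, customer records and a
# separate "locker" holding identity documents apart from the main record.
CLIENTS = {
    "mobile-app": {"key": "constructed-key-app", "customers": {"cust-1"}, "documents": False},
    "id-verify": {"key": "constructed-key-idv", "customers": {"cust-1", "cust-2"}, "documents": True},
}
CUSTOMERS = {
    "cust-1": {"name": "Alice Example", "phone": "+61 400 000 001", "email": "alice@example.invalid"},
    "cust-2": {"name": "Bob Example", "phone": "+61 400 000 002", "email": "bob@example.invalid"},
}
VAULT = {
    "cust-1": {"drivers_licence": "DL-CONSTRUCTED-1", "passport": "PA-CONSTRUCTED-1"},
    "cust-2": {"drivers_licence": "DL-CONSTRUCTED-2", "medicare": "MC-CONSTRUCTED-2"},
}


def lookup_unprotected(cust_id):
    """The 'window left open': no login, and the full record goes to any caller."""
    rec = CUSTOMERS.get(cust_id)
    if rec is None:
        return 404, None
    return 200, {**rec, **VAULT.get(cust_id, {})}


def lookup_layered(headers, cust_id):
    """The same lookup behind three independent layers."""
    # Layer 1: authentication. Reject anything without a valid client key
    # (constant-time compare so the key check does not leak timing information).
    client = CLIENTS.get(headers.get("X-Client-Id", ""))
    presented = headers.get("X-Api-Key", "")
    if client is None or not hmac.compare_digest(client["key"], presented):
        return 401, None
    # Layer 2: authorization. A valid client may still read only its own customers.
    if cust_id not in client["customers"]:
        return 403, None
    rec = CUSTOMERS.get(cust_id)
    if rec is None:
        return 404, None
    # Layer 3: the locker. Identity documents live in a separate store and are
    # released only to clients explicitly entitled to them; everyone else gets
    # contact fields only, so exposure of this endpoint alone cannot dump passports.
    out = dict(rec)
    if client["documents"]:
        out.update(VAULT.get(cust_id, {}))
    return 200, out
```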