Optus Data Breach: Knock-on effects for CFOs & Accounts Payable

Businesses should urgently implement zero-trust systems that grant users minimum access rights, amid concerns the unprecedented Optus data breach will attract a flood of cyber criminals and fraudulent activity to Australia for years to come.

That’s the advice from payment protection and vendor management experts eftsure, in the wake of last week’s Optus cyberattack, which led to unauthorised access to the personal information of 9.8 million customers.

Mark Chazan, Chief Executive Officer and Co-founder of eftsure, said the impact of the Optus data breach was one of the largest, if not the largest, ever seen in Australia.

“What’s especially frightening about this breach is the type of data that has been compromised. The data consists of a lot of datapoints, including passport and drivers’ licence numbers, that can be used to search for additional data in other (publicly available) databases,” Mr Chazan said.

“This makes it hugely significant because ID documents linked to addresses, emails, phone numbers etc. facilitate ID theft, enabling fraudsters to open accounts in the victim’s name without the victim even knowing.”

Optus announced on September 22 that the company was investigating unauthorised access to personal information of current and former customers after a cyberattack.

The hack compromised the personal information of Optus customers, including names, dates of birth, phone numbers and email addresses, as well as drivers’ licence, Medicare and passport numbers.

Optus CEO Kelly Bayer Rosmarin has apologised for the data breach, but said the company was not “the villain” and encouraged customers to be on high alert for fraud and scams.

But Mr Chazan warned that the risk was not just limited to Optus customers. CFOs, accountants and accounts payable managers should be vigilant, particularly when paying invoices from new suppliers or when suppliers request a change of bank account details.

“The advice to the general public is to be extra vigilant when clicking on emails or accepting offers that may seem too good to be true. And unfortunately, that’s the only thing people can do. Once a large amount of data is compromised, the damage is done,” he said.

“It’s a different story for finance teams. They also need to be aware that they are the end target of these breaches and need to make sure their financial controls are up to date to the latest standards.

“Continuous training of all staff on security is essential, and businesses should design their systems with a zero-trust model so that if one area is breached it doesn’t give access to more restricted areas. Access rights should be assigned on the principle of least privilege: each user and system is granted only the very minimum rights they need to perform their function.”

Mr Chazan said the ramifications of the Optus data breach were far-reaching and “anyone and everyone is a target”.

“Even if a given business isn’t an Optus customer, they will have many suppliers that are.

“Once those suppliers’ emails are compromised, (cyber criminals) can use the suppliers’ email accounts to change invoice amounts and account numbers and send the updated fraudulent info to an unsuspecting non-Optus business and defraud them into making a payment to the fraudster instead of the real supplier.

“Since the business that made the payment is responsible to pay the right supplier, they would still owe the legitimate supplier the funds.”

He said businesses should immediately rethink their financial control strategies, as criminals who buy the data would attempt to infiltrate vulnerable systems, most likely via business email compromise or malware. Smaller organisations without sophisticated IT teams would be at increased risk of ‘push-payment redirection scams’.

“The two moments where CFOs are most at risk are when they are paying new suppliers, or when a supplier has requested to change bank details,” he said.

“They should always conduct supplier call-backs or purchase software that helps them verify suppliers’ bank details. They should also review and tighten their internal software systems, educate their staff and not trust anything arriving in email without independently verifying it.”

Unexpected phone, text and email requests should also be queried.

Founded in 2015, eftsure has been badged as “the new security standard for business payments”. It helps organisations securely pay vendors by providing automated continuous control of outgoing payments, with tools to prevent payment fraud, onboard new vendors and manage the accuracy of existing vendors’ banking and compliance data.

Mr Chazan said the Optus data breach would have long-lasting effects on the Australian economy and was not limited to customers of the telco, but extended to business suppliers whose identities may have been stolen for financial gain.

“There has been a lot of data compromised, which means scammers have a lot of opportunity to get into any system. They’ll match Optus’ database with publicly available databases to enrich the knowledge they have about the individual and will use that to get the biggest payday.”

Mr Chazan said similar cyberattacks would happen again and CFOs and employees responsible for making business payments needed to put measures in place for improvements in financial controls.

“Australia is in the top five most targeted nations by cybercrime, and a breach of 10 million people will attract more hackers… When there is blood in the water, it attracts more sharks. Very few hackers get caught and are prosecuted,” he said.

“Data breaches like the one Optus had will occur again, and will be weaponised to defraud businesses’ payments. It’s a good time to educate accounts payable staff and invest in technology to mitigate the risks.”