What makes this incident even worse is the claim that sensitive employee information, including medical conditions and treatments, was also stolen. If the stolen data is published or sold, this is one of the worst violations of a citizen’s private information; the loss of personal health data.
Coming mere weeks after the Optus hack, both the Australian government and their second-largest mobile network provider, the Australian public, want answers. Though shocking, the answer behind how this happened, is actually simple.
Neither of these breaches involved vulnerabilities in network perimeter defenses like malware tactics, scams, phishing attacks (via phone calls, phishing emails, SMS, etc.), or other sophisticated cyber-attacks.
In both instances, the data was stolen through spoofing attacks. It appears the hackers gained this confidential information by accessing the network using the credentials of genuine employees. In the case of Optus, it is reported their worker’s account information was obtained through a simple social engineering technique, while the credentials of a Medibank employee, with high-level access, were evidently purchased from a Russian cyber-criminal forum.
Prevent Social Engineering Attacks
Once again, organizations that invest heavily in sensitive data and cybersecurity such as Zero Trust Networks, fail to understand that Zero Trust starts with the employee. If you don’t guarantee the identity of the person to gain access to the network, then everything else counts for nothing.
Relying on any form of proxy identification that can be obtained through baiting attacks or be stolen in any way offers scammers unauthorized access to their proxy identification leading to cybercrime.
Weak security measures are the cause for a cyber disaster, as Optus and Medibank now know, and as Microsoft, Okta, and Uber discovered before them via the Lapsus$ cyber threats.
Sense of Urgency for Identity Assurance
For these types of social engineering attacks, you need more than standard multi-factor authentication methods. Identity theft can only be avoided with biometric authentication. Voice biometrics offers the highest level of impersonation protection as it is inherently two factors – a person’s voice plus what the voice is saying (i.e. speaking an OTP).
Since it must be the genuine user’s voice speaking the security (proxy) credential, this means these credentials are useless to everyone but the genuine user.
Raising security awareness is key to preventing social engineering attacks. Organizations that are serious about data and network privacy and invest heavily in physical and digital protection, must understand that real information security starts with guaranteeing the identity of an individual.
Simply put – No Identity Assurance, No Zero Trust!
The good news is that the voice biometrics security layer can be added as an overlay on top of an organization’s existing security defense layers. Thereby enhancing, protecting, and further leveraging the existing security investments one has made.