
Experts have two theories on how Optus’ data was breached


Is encryption effective at protecting data?

If it’s done well, yes.

“There’s a cost that the business bears because the more time you encrypt data, the more places you encrypt, the more complex it becomes to manage,” says Manuel.

Experts say companies should only collect and hold the data they need. Credit: Eddie Jim.

In 2019, tech company Canva dealt with Australia’s biggest hack: 139 million users’ data was stolen from the company’s system. But unlike Optus, none of the data was usable.

“Yes, it was bad that Canva was breached, but the system was encrypted so they couldn’t get the information out of that stolen data,” said Treptel.


Can encrypted data ever be unencrypted?

If encrypted data falls into the hands of someone who shouldn’t have access to it, it is possible – although unlikely – that they can ‘unlock’ the encryption to make sense of the data.

This is because as technology advances, specific algorithms or techniques used to encrypt data become defunct.

“The gold standard of cryptography a decade ago is no longer acceptable. You wouldn’t even entertain using it,” said Haskell-Dowland, professor of cybersecurity practice at Edith Cowan University.


The problem is, some organisations may not have updated the encryption methods they used when they originally stored a data set, making that data easier to unlock.

Was the Optus data encrypted?

So far, there has been no concrete explanation of how the data breach occurred. Optus chief executive Kelly Bayer Rosmarin told ABC radio on Tuesday that the hack was a “sophisticated attack that penetrated multiple security layers.”

But experts have two theories on how the data was accessed. The first is that, while the data was encrypted, either Optus used old and outdated encryption methods or many people had access to the interface where the data was stored.

The other alternative is that the data was not encrypted on the interface, which Optus denies.

“It is not the case of having some sort of completely exposed API sitting there”, Bayer Rosmarin said.

But before that, let’s look at where this data was stored: what is known as an API.

What is an API?

An API, or Application Programming Interface, is a piece of software that allows information to be sent and received between two parties. Instead of having to encrypt and then decrypt the data between those two parties, users can access the API.

“We might use an API between two systems where there is a level of trust between them,” Haskell-Dowland said. “This is all perfectly secure because it’s a direct connection from one system to another … They’re heavily restricted and protected – you’ve got all the security controls wrapped around it.”

But let’s say that there’s a development team working on a new product, and they are given access to this API. Suddenly, there are many groups with access to the API, which means there are more chances for the data to be left unlocked.

“The danger lies when you create an API, and then you open up to the internet and that information becomes accessible by people that you don’t want it to be accessed by,” Haskell-Dowland said.

What lessons are we taking away from how data is stored?

Regardless of how the data was breached, experts in the field say that it is in the interest of both organisations and consumers to reduce the amount of personal information that’s being stored on a company’s internal server.

“In the past, everybody used to think ‘the more data I have, the better off I am’ because you might get some insights, and even monetise that data in some way or give better customer service,” Manuel said.

“We should be thinking of the more data you have, the higher your risk,” he said. “The message should be only collect the data that you need for the purpose that you need.”
