Optus data breach: The knock-on effect for CFOs & Managers

They will use the data to improve their own fraudulent activities, and just like regular businesses, cyber-criminals who have purchased this data will want to make a profit from it.

The coming weeks and months are likely to see a major spike in phishing emails. Some of these may be sent using the stolen identification numbers, and personal details of individuals. Other phishing emails may claim to be legitimate updates from Optus. And although Optus claims no corporate information was at risk. It will only take one click from someone in your organisation, for cyber-criminals to get access to their devices and emails. So, everyone in your organisation must be extra vigilant of potential scam emails, either to their personal or business email.

Hacker claims to have deleted Optus’ data

The anonymous online account claiming to be behind the data breach has issued an apology for the hack on September 27th. Hours earlier several cybersecurity experts flagged a post by the same account that over 10,000 were published publicly and the poster intended to release another 10,000 records every day. It was the same account that claimed to have the records for sales 4 days prior the data breach.

In their most recent post, the poster has claimed that no ransom was required and the data would be deleted. Whether that will happen will remain a mystery. Optus

As more details have emerged about the hack, experts disagree with Optus’ previous statement that they fell victim to a ‘sophisticated’ hacker. The Open API that was used to acquire the data could have been found by anyone. Several experts claimed that the hack could have been conducted by a teenager and that due to the press coverage they have aborted their ransom requests.

CFOs and accountants at the frontline of databreaches

CFOs and specifically Accounts Payable staff must have an even higher degree of caution. While every organisation has at least 1 person that will click on any link in an email, so will the organisations you trade with.

Traditionally, Accounts Payable Managers have been targeted by so-called “push payment redirection scams”. Fraudsters will use a legitimate email address from one of your suppliers. They’ll hijack communication between you and that supplier, intercept an invoice, change the payment details, and redirect payments to their own bank accounts. Once the money is transferred, it’s difficult to recover the funds, and banks disclaim liability for these types of scams. It’s up to Accountants to have the right controls in place to prevent these types of scams.

Accounts Payable needs to be extra vigilant during the vulnerable moments when dealing with supplier payments; when receiving bank account change requests or paying new suppliers for the first time. One of the most effective controls are “supplier call-back controls”. Accounts Payable Managers cannot trust the information they receive in emails and must conduct call-back controls properly.

Steps to do call-back controls correctly

• Source a phone number from trusted independent sources. (ie. Google, Yellow Pages.) Don’t use the phone number on invoices, as they might be compromised.
• Don’t accept inbound verification calls. Sometimes fraudsters will call ahead of the bank account change request.
• Be aware that you can’t trust phone calls that turn into emails. When calling the landline of a supplier, you may get in touch with the receptionist, who then emails the supplier’s accountant. The fraudsters will be able to react. So, make sure to verbally speak to the right person.
• And lastly, while conducting this call-back verification. Don’t lead the witness and start the conversation with “Is 53232, your bank account number?”. Make sure to use open-ended questions: “What is your bank account & BSB number?”
• For more information on how to do call-back controls correctly, read Eftsure’s Supplier Call-back Controls checklist.

Optus’ data breach will impact the security of payments and has significantly increased the risk of identity theft. We have written an article about the essential steps to take when you’ve become a victim of Identity theft:

If you have additional questions or are concerned about the implications this data breach may have on your business, feel free to reach out to us or subscribe to the blog, where are publishing many articles around the topic of cybercrime and its implications for CFOs and accountants. For more information contact Optus customer support directly on 133 937, or visit Services Australia webpage that discusses about the current data breach.